Cybersecurity, Drone Hijacking, and Liability for Damage

Drone hacking is a real security risk that can fundamentally endanger your company, sensitive data, and financial stability. If your company’s drone falls into an attacker’s hands, Czech law holds you liable for the damage it causes under the principle of strict liability (objective liability). This article explains how drones are hacked, what penalties may apply, and how to ensure the Czech legal system protects you.

Quick summary

  • Drone hacking via GPS spoofing, signal jamming, or direct intrusion into software is a growing threat exploited by cyber groups as well as state actors focused on industrial espionage.
  • The drone operator is liable for damage under the principle of strict (objective) liability under Czech law. You are required to compensate for damage caused by the operation regardless of whether the drone was hacked.
  • You may face fines in the millions of Czech crowns, criminal prosecution, and liability for personal injury.
  • The new Cybersecurity Act (implementation of the NIS2 Directive in the Czech Republic) significantly tightens obligations. It introduces mandatory incident reporting and personal liability of company management, which may be enforced against their personal assets.
  • Without adequate technical safeguards and robust contractual arrangements with suppliers, you cannot demonstrate that you acted with due managerial care under the Czech legal system. The attorneys at ARROWS advokátní kancelář deal with these issues daily and know what Czech regulators require.

Drone hacking is a real threat, not a theoretical scenario

This is not a myth or exaggerated fear of the future. In practice, dozens of attempts to take control of unmanned aircraft systems (UAS) are recorded each year. Independent hackers differ from attackers employed by state agencies only in the intensity and sophistication of their methods. Commercial drones are not outside their interest, because they are often used to map infrastructure and collect data on technologies.

If you operate drones as part of your business—whether for construction monitoring, real estate surveys, or photogrammetry—you must realise that your drone is a potential target. An incident in which an attacker takes over a drone remotely does not only cause a loss of control; it poses an existential threat to your company. A hacked drone turns from a device you control into a dangerous object that can endanger the lives, health, and property of third parties.

When speaking with clients, the team at ARROWS advokátní kancelář often finds that companies operating drones are not aware of the legal risks under Czech law. They believe it is enough to buy a drone, register it, and fly. However, the moment an incident occurs, you become a target of supervisory authorities and injured parties, and the argument that hackers were behind the incident will not release you from liability in the Czech Republic.

How are drones hacked? Specific attacker techniques

Attackers do not proceed randomly. Their methods are proven and increasingly sophisticated. Understanding these methods is key to setting up both legal and technical defences under Czech legislation.

GPS spoofing – feeding false location data

GPS spoofing is one of the most dangerous methods. An attacker transmits fake GNSS signals that convince your drone it is in a different place than where it actually is. The drone then follows its program, but based on incorrect coordinates. The result is that the drone moves beyond your control, may collide with obstacles, or fly into a restricted zone—for which you, as the operator, are liable under Czech law.
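
A defensive plausibility check for the spoofing scenario described above, as an added example that is not part of the original article: it compares the speed implied by consecutive GNSS fixes with the airframe's maximum speed and with a GNSS-independent speed estimate. The field names, the thresholds and the sample track are constructed assumptions, not values from any drone vendor.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass
class Fix:
    t: float          # seconds since take-off
    lat: float        # degrees, as reported by the GNSS receiver
    lon: float        # degrees, as reported by the GNSS receiver
    imu_speed: float  # m/s, ground speed from a GNSS-independent source (assumed)

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def flag_implausible_fixes(track, max_speed=25.0, tolerance=5.0):
    """Return (index, reason) for each fix whose GNSS-implied speed is either
    impossible for the airframe or inconsistent with the independent estimate."""
    alerts = []
    for i in range(1, len(track)):
        prev, cur = track[i - 1], track[i]
        dt = cur.t - prev.t
        if dt <= 0:
            alerts.append((i, "non-monotonic timestamp"))
            continue
        gnss_speed = haversine_m(prev, cur) / dt
        if gnss_speed > max_speed:
            alerts.append((i, "position jump exceeds airframe speed"))
        elif abs(gnss_speed - cur.imu_speed) > tolerance:
            alerts.append((i, "GNSS speed disagrees with independent estimate"))
    return alerts

# Constructed telemetry: steady 10 m/s northbound flight, then the reported
# position jumps about 536 m in one second and afterwards barely moves.
SAMPLE_TRACK = [
    Fix(0, 50.00000, 14.00000, 10.0),
    Fix(1, 50.00009, 14.00000, 10.0),
    Fix(2, 50.00018, 14.00000, 10.0),
    Fix(3, 50.00500, 14.00000, 10.0),
    Fix(4, 50.00501, 14.00000, 10.0),
]

if __name__ == "__main__":
    for index, reason in flag_implausible_fixes(SAMPLE_TRACK):
        print(f"fix {index}: {reason}")
```

Alerts of this kind, kept with the flight log, are also the sort of record an operator can later use to document when the anomaly began.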

Jamming – disrupting the control signal

Jamming involves flooding communication frequencies with noise, thereby cutting the connection between the controller and the drone. In such a situation, the drone usually switches to so-called fail-safe mode, but its behaviour may be unpredictable, especially if it lacks visual sensors or if the GPS signal is jammed at the same time. If an accident occurs during this manoeuvre, liability rests with the operator in the Czech Republic.

Direct software intrusion and takeover

The most dangerous method is hacking the communication protocol, for example via Wi‑Fi or radio link. If an attacker finds a vulnerability in the protocol between the controller and the drone, they can take full control or steal the drone. Hackers exploit known vulnerabilities in outdated firmware. If such a vulnerability was publicly known and you did not update, this will be treated as your failure.

Related questions on cyber risks for drones

1. What are the most common entry points for hackers?
The most common are outdated drone firmware, weak passwords for flight-management accounts, unencrypted transmission of video and telemetry, and vulnerabilities on the manufacturer’s cloud storage side.

2. Can an ordinary commercial drone be hacked?
Yes. Drones from brands such as DJI, Autel, or Parrot are common targets for researchers and hackers alike. If a drone communicates wirelessly, it is a potential target.

3. What is the difference between hacking at home and in commercial operations?
While a hobby pilot may “only” face the loss of the drone or minor damage, in commercial operations an attacker may obtain sensitive data and trade secrets. This often has devastating legal and financial consequences.

Legal liability for a hacked drone – who bears the burden?

Czech legislation is uncompromising: as the operator, you bear primary responsibility for operating your drone. The fact that a third party interfered with control does not automatically exonerate you.

The attacker’s criminal liability vs. your reality

Criminal liability falls on the attacker, as hacking a drone meets the elements of the criminal offence of unauthorised access to a computer system under Czech criminal law. The perpetrator faces imprisonment, which increases depending on the damage caused or intent.

The problem is enforceability: before the police identify the hacker, you must deal with the immediate consequences and claims from injured parties. In these situations, the attorneys at ARROWS advokátní kancelář provide crisis management and representation before the relevant Czech authorities to minimise the impact on the client while the perpetrator remains unknown.

Civil liability – a strict (objective) principle

Under Section 2927 et seq. of the Czech Civil Code, the operator of transport is liable for damage caused by the specific nature of the operation. This is so-called strict (objective) liability, meaning you are liable for the outcome regardless of fault. Even if the drone was hacked without your knowledge, the injured party will seek compensation from you.

You can be released from liability only in very narrow cases where the damage could not have been prevented even with all efforts. However, if you do not have evidence of top-tier security—such as updates, encryption, and an audit—a Czech court is unlikely to accept your defence.

Administrative liability – fines from regulators

The Civil Aviation Authority (ÚCL) oversees flight safety in the Czech Republic. If a hacked drone breaches flight rules, the ÚCL will initiate administrative proceedings against the operator. Fines for legal entities and self-employed individuals may, under the Civil Aviation Act, reach up to CZK 5,000,000.

In addition, sanctions may be imposed by other authorities such as NÚKIB and the Czech Data Protection Authority (ÚOOÚ). The accumulation of fines can be fatal for a company.

Can your employee also be liable?

An employee’s liability is limited under the Labour Code to four and a half times their average monthly earnings, unless the damage was caused intentionally. The remaining damage—which can run into millions—is borne by the employer. If the company fails to prove that it had appropriate preventive measures in place, liability may be fully transferred to the statutory bodies for breach of the duty of due managerial care under Czech law.

Related questions on the legal aspects of liability

1. Do I face personal liability as an executive director?
Yes. If, as an executive director, you fail to ensure compliance with legal regulations and the company suffers damage, you may be liable with all your assets for breach of the duty of due managerial care under Czech law.

2. What if the drone was hacked by a competitor?
Towards injured third parties, you are still liable as the operator. You may then pursue a recourse claim against the attacker if their fault can be proven.

3. If the drone crashed and no one was injured, do I have to report it?
Aviation accidents and incidents must be reported to the Air Accident Investigation Institute (ÚZPLN) in the Czech Republic. If it is a cybersecurity incident and you are a regulated entity under the Cybersecurity Act, you must also report it to NÚKIB.

GDPR and data protection – another layer of risk

If the drone is equipped with a camera or another sensor capable of capturing personal data, you become a personal data controller and are subject to the GDPR.

Obligations when processing data via a drone

You must have a legal basis, such as legitimate interest or performance of a contract, because you cannot broadly monitor public spaces without justification. The key principle is data minimisation.

Under Article 32 GDPR, you must ensure the security of processing, which includes data encryption, access management, and the ability to restore data availability. The argument “we were hacked” is not a defence if you did not have appropriate security measures in place. The Czech Data Protection Authority (ÚOOÚ) will assess whether you did everything possible to prevent the breach.

How high can GDPR penalties be?

The ÚOOÚ may impose a fine of up to EUR 20 million or 4% of worldwide annual turnover. Even in the Czech Republic, fines in the hundreds of thousands to millions of Czech crowns are imposed, especially where there is a large-scale leak or sensitive data is involved.

Related questions on GDPR and drones

1. If a drone records public space, does GDPR apply to me?
Yes, if specific individuals can be identified in the footage (face, vehicle registration plates, distinctive features), this constitutes processing of personal data.

2. What measures do I need to implement?
From a technical perspective, encryption of communications, securing storage, and regular deletion of unnecessary data are required. Organisationally, you should keep records of processing activities and have internal guidelines for pilots.

What you may face and how ARROWS advokátní kancelář can help

Risks and sanctions, and how ARROWS helps (office@arws.cz)

  • Risk: Fine from the ÚCL for breach of aviation regulations: up to CZK 5 million for legal entities, prohibition of activity, seizure of the drone.
    How ARROWS helps: Representation in administrative proceedings: effective defence before the ÚCL in the Czech Republic to minimise the sanction or achieve discontinuation of the proceedings.

  • Risk: GDPR sanctions: up to EUR 20 million or 4% of turnover in the event of a data breach from a drone.
    How ARROWS helps: GDPR audit and compliance: setting up data processing procedures, preparing documentation (DPIA, records of processing activities) and crisis communication with the ÚOOÚ.

  • Risk: Compensation for damage to third parties: unlimited strict liability for damage to health and property.
    How ARROWS helps: Court representation and negotiations: handling disputes with injured parties and insurers, with an effort to reach an out-of-court settlement.

  • Risk: Cybersecurity incident and fine under the Cybersecurity Act: high sanctions for regulated entities (up to tens/hundreds of millions of CZK depending on the category).
    How ARROWS helps: NIS2 implementation: legal support in implementing the requirements of the new Cybersecurity Act in the Czech Republic, including incident reporting.

  • Risk: Management liability: personal asset liability for damage caused to the company by negligence in ensuring security.
    How ARROWS helps: Compliance programmes: setting up an internal control system that protects statutory bodies against personal liability.

Cybersecurity in practice – what you need to do

To minimise risks and strengthen your legal position, specific steps must be taken.

Technical measures – the necessary minimum
  • Use drones that support robust transmission encryption (e.g., AES-256).
  • Data on SD cards in the drone should be encrypted so that it is unreadable to anyone who finds it.
  • Strong passwords and multi-factor authentication (MFA) for the manufacturer’s cloud services are essential.
  • Regular firmware and software updates patch known security vulnerabilities.

Supply chain and contracts

If you use external suppliers, such as servicing or drone rental, you still remain responsible for security as the controller. Supplier contracts must include guarantees of compliance with security standards and an obligation to report incidents.

The attorneys at ARROWS advokátní kancelář draft contracts so that they allow damages to be recovered from the supplier by way of recourse in the event of the supplier's failure. The contracts should also include the right to conduct an audit of the supplier.

Related practical questions

1. Is security mandatory for everyone?
The general duty to prevent damage under the Czech Civil Code applies to everyone. Specific obligations under the GDPR and the Cybersecurity Act apply to data controllers and regulated entities.

2. Who is responsible for security in a company?
The statutory body—i.e., the executive director or the board of directors. Tasks may be delegated to a CISO or IT manager, but responsibility for oversight remains at the top.

Registration, insurance, and legal obligations

Most drone operators must register with the Civil Aviation Authority (ÚCL) in the Czech Republic via the DronView portal. After registration, you will receive an operator number, which you must use to label all your drones.

Mandatory insurance

Under Regulation (EC) No 785/2004 and applicable Czech legislation, liability insurance is mandatory for every unmanned aircraft system operator who is required to register. The insurance covers damage caused to third parties. For commercial operators, hull insurance for the drone and additional cyber risk insurance are also advisable.

The new Cybersecurity Act (NIS2) and its impacts

The upcoming new Cybersecurity Act, which will transpose the European NIS2 Directive into Czech law, fundamentally changes the rules of the game.

Who does it apply to?

The Act will affect a much broader range of companies than before—for example in energy, transport, digital infrastructure, and also manufacturing. If you operate drones in these sectors in the Czech Republic, pay close attention.

Key obligations and sanctions

Obligations include reporting a significant incident to NÚKIB (the Czech National Cyber and Information Security Agency) within 24 hours and implementing security measures, including a risk analysis. Top management bears personal responsibility for overseeing the measures, with fines of up to EUR 10 million or 2% of turnover. If you are unsure whether you fall under the new regulation in the Czech Republic, contact ARROWS, a Prague-based law firm, to carry out an assessment.

How to protect yourself – a practical plan

  1. Risk analysis: Map what drones you have, what data they collect, and where the weak points are.
  2. Technical audit: Ensure encryption, updates, and the physical security of the equipment.
  3. Legal audit: Check registration, insurance, and GDPR compliance.
  4. Contracts: Review contracts with suppliers and employees.
  5. Compliance: Set internal policies and processes for incident response.

Conclusion

Drone cybersecurity is a complex legal and technical issue, and ignoring it can lead to crippling fines. The legal framework in the Czech Republic is tightening, and responsibility is shifting directly to company management.

ARROWS’ Prague-based attorneys have experience in IT law, aviation, and crisis management. We will help you set up processes so that you meet statutory requirements under Czech legislation and are protected in the event of an incident.

If you are dealing with drone security, NIS2 implementation, or an incident, do not hesitate to contact us. Reach us at office@arws.cz.

FAQ – Most common legal questions

1. What should I do immediately after discovering that a drone has been hacked?
Ensure safety, document the incident, and if data has been leaked, report the incident to the relevant authorities within the statutory deadlines (ÚOOÚ – the Czech Data Protection Authority, NÚKIB, ÚZPLN). Contact legal counsel.

2. What are the reporting deadlines?
Under the GDPR, you must report to ÚOOÚ within 72 hours. Under the new Cybersecurity Act in the Czech Republic, an early warning to NÚKIB within 24 hours is required.

3. Is liability insurance sufficient?
Insurance covers financial damage to third parties, but it does not relieve you of criminal liability, administrative fines, or reputational harm. It is only one piece of the puzzle.

4. What if I do not implement measures under NIS2?
You expose yourself to the risk of high fines, a ban on activity, and personal liability of members of statutory bodies.

Notice: The information contained in this article is of a general informational nature only and is intended for basic orientation in the topic. Although we take maximum care to ensure accuracy, legal regulations and their interpretation evolve over time. To verify the current wording of the regulations and their application to your specific situation in the Czech Republic, it is therefore necessary to contact ARROWS, a Prague-based law firm, directly (office@arws.cz). We accept no liability for any damages or complications arising from the independent use of the information in this article without our prior individual legal consultation and professional assessment. Each case requires a tailored solution, so please do not hesitate to reach out to us.