Phishing Under the New Cybersecurity Act: Managers’ Personal Liability
Phishing is no longer just an IT issue. The new Cybersecurity Act (effective from November 2025) shifts personal responsibility for a company’s security to managers and the company’s leadership. If a company loses money due to phishing and adequate security measures were not implemented, managers may face sanctions of up to CZK 20 million, fines for the company, and potentially further legal consequences, including a ban on holding office. The key is active management of cyber risks.

Key points
- Phishing attacks on companies in the Czech Republic are increasing—current statistics show a significant rise in attacks in the recent period, with the average company facing thousands of attacks per week.
- The new Cybersecurity Act (transposition of the NIS2 Directive) has shifted responsibility from IT specialists directly to managers; neglecting security obligations creates direct personal and civil liability of management for the damage caused.
- If management fails to ensure minimum security standards (e.g., multi-factor authentication, employee training, incident detection), it faces not only corporate fines (up to 2% of annual turnover), but also personal financial liability and, in serious cases, the possibility of a ban on holding office in related proceedings.
- Attorneys from ARROWS advokátní kancelář can assist with preparing a compliance program, defending against fines, and negotiating with regulators, so that company management can avoid these catastrophic scenarios.
What crisis are we dealing with: Phishing and Business Email Compromise
Phishing ranks among the most dangerous cyberattacks precisely because it targets the human factor, not a technical weakness. Typically, it is an email that appears to have been sent by a bank, a company executive, or a business partner. The victim—often an employee—clicks a suspicious link, enters login credentials, or authorizes a payment they believe is legitimate. Within seconds, the money is gone.
In the Czech Republic, the situation has deteriorated significantly in recent months. Current data from last year shows that the number of cyberattacks in the country increased by tens of percent, meaning that the average company is targeted by thousands of attacks per week. Globally, so-called Business Email Compromise (BEC) scams—where an attacker impersonates company management and requests a transfer of funds—have caused losses exceeding tens of billions of dollars over the past ten years.
In the Czech Republic, we most often encounter these phishing variants: traditional email phishing, where an email is sent in bulk to thousands of random addresses; spear phishing, a targeted attack in which the attacker prepares an extensive profile of the victim and tailors the message specifically to them; and CEO fraud, i.e., an executive-impersonation scam, where a hacker poses as the CEO or owner and instructs junior employees to transfer money. The most dangerous variant in terms of financial losses is CEO fraud and Business Email Compromise, because it targets people in positions authorized to execute financial transactions and persuades them through psychological manipulation (manufactured urgency, feigned authority).
When a loss actually occurs, the problems begin. The company—or more precisely its management—suddenly finds itself in a situation where it must face several legal fronts at once: potential criminal proceedings, sanctions from regulators, civil lawsuits, and internal processes as well.
Legal reality: A new act shifts responsibility to management
For many years, it was common practice that responsibility for cybersecurity rested with the IT department. The CEO or managing director focused on financial results and sales, while the IT manager handled network security. That model has explicitly changed with the arrival of new legislation.
New Cybersecurity Act (NIS2)
The new Cybersecurity Act, which will take effect on 1 November 2025, transposes the European NIS2 Directive into the Czech legal system. This legislation has changed the rules of the game in a fundamental way: it defines cybersecurity as an inseparable part of the duty of due managerial care, a legal concept referring to the obligation that all managers and company owners have in relation to the company’s assets and operations (see, e.g., Section 52 et seq. of Act No. 90/2012 Coll., on Business Corporations and Cooperatives, for business corporations, and Section 159 of Act No. 89/2012 Coll., the Civil Code, for the general principle).
The Act applies to specifically defined entities—legal persons providing critical services (energy, transport, healthcare, water management, etc.), as well as providers of digital services and other entities subject to the regulation. Estimates suggest that in the Czech Republic this affects several thousand entities.
The key change is that the Act explicitly provides that the ultimate and non-transferable responsibility for cybersecurity lies with the statutory body—i.e., managing directors, members of the board of directors, and other individuals at the top of the organization. This responsibility cannot be contractually transferred to an external IT supplier, an IT specialist (CISO—Chief Information Security Officer), or an employee. You can delegate individual tasks and their performance, but legal responsibility remains with the manager.
Direct liability of statutory bodies
What does this mean in practice? Company management must actively approve security policies, oversee their implementation, participate in cybersecurity training, and ensure that adequate human and financial resources are allocated to security.
A passive approach is not enough—for example, when a manager merely “takes note” of a report from the IT department on the current security status. The Act requires an active, informed, and defensible approach. If management later fails to secure data, know-how, or IT infrastructure and a cyber incident occurs (including a phishing attack), the National Cyber and Information Security Agency (NÚKIB) may impose administrative sanctions. At the same time, statutory bodies may become the target of claims for damages brought by the company if they breached the duty of due managerial care.
Corporate criminal liability in the Czech Republic is regulated separately by Act No. 418/2011 Coll., on the Criminal Liability of Legal Persons and Proceedings Against Them. Companies are liable for almost all criminal offences listed in the Criminal Code if they are committed in their interest and if not all steps were taken that could fairly be required of them to prevent the commission of the criminal offence.
If, during the investigation, it were proven that management could have prevented the incident (for example, by implementing appropriate technical measures or training employees) and its omission led to the commission of a criminal offence, the company may incur criminal liability, and specific managers may also incur personal criminal liability—for example, for the offence of breach of duty in the administration of another’s property under Section 220 of the Criminal Code.
When is management personally liable for damages?
In the event of a phishing attack, managers’ legal liability may manifest on several levels. Let’s go through them specifically.
Criminal liability
If, as a result of inadequate corporate cybersecurity, a criminal offence occurs (e.g., fraud, unauthorised access to a computer system, unlawful handling of personal data, money laundering), the public prosecutor may prosecute both natural persons (the attackers) and the legal entity (the company) under the Act on Criminal Liability of Legal Entities.
The key question is: Could the company’s management say, “this is beyond our control”? Under Czech law, no. If a criminal offence is committed in the company’s interest and management neglected security-related duties, the company may be criminally liable. At the same time, managers may incur personal criminal liability, typically for the offence of breach of duty in the administration of another’s property under Section 220 of the Czech Criminal Code, if their serious failure to exercise due care caused the company significant damage. Such misconduct may result in imprisonment or financial penalties.
Civil liability
At the civil level—i.e., in a private dispute—the company or other injured parties (e.g., business partners whose data the company failed to protect) may sue individual managers for damages. The legal entity (the company) may claim damages from members of management if they breached their duty to act with due managerial care and failed to ensure adequate security in line with applicable laws and standards.
The key principle here is: if it is proven that an executive director or a member of the board of directors did not implement minimum security measures (e.g., multi-factor authentication, regular employee training, data backups, or monitoring of security threats) and these failures directly led to a phishing attack and a loss, then they bear liability for that damage.
Attorneys at ARROWS, a Prague-based law firm, encounter these situations: companies approach them with the question of whether they can recover money from their management if management neglected security obligations and the company consequently lost data or funds. The answer often depends on whether management had insurance in place and what exactly was (or was not) agreed.
Administrative fines
At the regulator level—NÚKIB (the Czech National Cyber and Information Security Agency)—the company and its management face administrative sanctions. For entities subject to the higher-obligation regime, the fine is up to 2% of worldwide annual turnover; for other entities, up to 1.4%. For large corporations, this means sanctions in the tens or hundreds of millions of Czech crowns.
In addition, the new act also introduces non-financial sanctions: authorities may suspend or revoke European security certifications (e.g., ISO 27001, NIST, TISAX), which can cause serious issues in meeting contractual obligations towards business partners and lead to the loss of contracts and market share.
And—the most significant new development—NÚKIB may, in serious cases, impose a fine directly on members of the statutory body of up to CZK 20 million.
When all these lines of liability are added up, it becomes clear that company management in the Czech Republic faces, without exaggeration, a catastrophic range of risks: a fine for the company, a fine for an individual manager, a civil claim by the company against the manager, criminal prosecution by the state, and reputational harm. A ban on holding office may then be a consequence of a serious breach of duties, rather than a direct sanction imposed by NÚKIB.
Practical examples: What happens in real-life situations?
To make it clear what we are talking about, let’s go through a few typical real-world scenarios.
Case 1: CEO fraud in an industrial company
A business employing 500 people receives an email from the “CEO” addressed to the head of the finance department. In the email, the CEO writes: “We are in negotiations to acquire company XY; we must keep the operation confidential. I need you to transfer CZK 50 million to this account by tomorrow morning: [fake account]. Thank you, Martin Novotný, CEO.” The email looks legitimate—the logic is sound, the tone is appropriate, and the email address differs by only one character from the correct address (domain spoofing—technically easy to do).
The head of the finance department decides to verify by phone. They call the CEO. The person who answers says: “Yes, that’s correct, it’s super urgent, please do it now.” (In reality, it is a hacker who connected via a similar number or rented a SIM card with digits close to the CEO’s number.) The head of the finance department transfers the money.
The next day, it is discovered that CZK 60 million has ended up in an account of a criminal network in Asia and is practically untraceable.
What happens legally? The company files a criminal complaint. The police open an investigation (with minimal hope of recovering the money). The cyber risk insurer refuses to pay, arguing that the loss arose due to the “gross negligence” of the head of the finance department (who should not have verified the instruction only by that means). But—and this is where things get complicated—NÚKIB or the chair of the board of directors (if different from the CEO) asks: Why did the company not have multi-factor authentication in place for authorising transfers of such large amounts?
Why was there no four-eyes principle? Why did management not provide employee training on phishing?
The company’s management finds itself in a situation where it faces not only the loss of money, but also a regulator investigation, civil lawsuits, and potentially criminal prosecution for neglecting duties under the new act.
Case 2: Spear phishing in a real estate development company
A development company receives an email from its bank offering “financing optimisation”. The email contains personal details about the CEO and the company’s current projects (data obtained from LinkedIn and public sources). The CEO—an experienced person—notices that the email is not entirely standard, but the text sounds credible.
They click a link that takes them to a convincing-looking replica of the bank’s website. They enter their login credentials. The attacker then logs into the real online banking using those credentials, activates a new authorisation device, and transfers CZK 2 million.
A question for management: Why was multi-factor authentication not implemented? Management’s answer: “We had too few people in IT; it was a low-cost approach to security.”
Legal consequence: NÚKIB carries out an inspection and finds that management breached the law by failing to ensure basic security measures. The fine for the company may be up to 1.4% of annual turnover. If the company’s annual turnover were CZK 2 billion, the fine could reach up to CZK 28 million. In addition, management becomes individually liable for compensation of the damage (CZK 2 million) and faces a personal fine of up to CZK 20 million from NÚKIB if it is proven that they were aware of the risk.
Case 3: Employee phishing and company liability
An employee receives an email that appears to be from the IT department: “Due to a security threat, please reset your SSH key at: [suspicious link].” The employee clicks and enters their credentials. The attacker gains access to the company’s internal server and steals trade secrets, which they later sell to a competitor.
The competitor thereby gains insight into the upcoming product and development. The company loses its market advantage and loses contracts. The loss is quantified at CZK 50 million.
Under Czech criminal law, a legal entity (a company) may also be criminally prosecuted if it is proven that management failed in supervision and prevention, thereby enabling the commission of a criminal offence (e.g., unauthorized access to a computer system and data storage medium). Management then faces the risk of personal criminal liability, for example for the offence of breach of duty in the administration of another’s property under Section 220 of the Criminal Code, if its omission directly led to substantial damage.
In these situations, attorneys from ARROWS, a Prague-based law firm, typically assist with defending against fines and sanctions imposed by regulators, liaising with NÚKIB (the Czech National Cyber and Information Security Agency), and also assessing whether it is possible to seek recourse against individual managers who neglected security obligations.
Related questions – Legal liability for phishing attacks
1. Who exactly is liable for damage caused by phishing – the bank, the insurer, the employee, or the company’s management?
The answer is: everyone, but to different extents. Company management is liable for failing to ensure adequate security measures. The employee is liable within statutory limits – up to a maximum of 4.5 times their average salary, unless they acted intentionally (see Section 257(2) of the Labour Code). The bank is liable for its duty of care in the security of online banking if it did not have appropriate safeguards. The insurer then pays out according to the scope of the insurance policy the company arranged. Attorneys from ARROWS, a Prague-based law firm, can assess your case and propose a solution (office@arws.cz).
2. What minimum security must management ensure in order to avoid a fine?
The new law sets out minimum obligations, which differ depending on whether you fall under the lower- or higher-obligation regime. In both cases, however, this includes at least: multi-factor authentication (MFA), access management, employee training, security incident detection, a recovery plan, and software updates. Management must have oversight, must ask questions, and must have evidence that the security measures actually work. Attorneys from ARROWS, a Prague-based law firm, can help prepare a compliance programme and ensure that management meets all statutory obligations (office@arws.cz).
3. What if an employee “stupidly” clicked a phishing link – could they be fired?
Employees may face employment-law consequences, but the Czech Labour Code protects employees with a cap: they are liable up to a maximum of 4.5 times their average salary, unless they acted intentionally (Section 257(2) of the Labour Code). This means that mass dismissal of all employees who clicked on phishing would likely end up in court and the employer would lose. Company management should invest in training and prevention, not in penalties. Attorneys from ARROWS, a Prague-based law firm, can advise on how to respond properly to a security incident in compliance with employment-law obligations (office@arws.cz).
How to defend yourself: Preventive measures and compliance
Once management understands that it faces personal liability, the question is: How do you defend yourself? The answer rests on three pillars: technical measures, organisational measures, and ongoing documentation.
Technical measures
Multi-factor authentication (MFA) must be the standard. This means that every employee who logs into something important (email, online banking, cloud applications) must enter not only a password, but also a one-time code from an app or SMS. The reason: even if an attacker obtains the password, they do not automatically gain access.
Access management based on the principle of least privilege means that an employee has access only to the systems and data they genuinely need for their work. A finance employee therefore does not have access to all projects and strategic data.
Detection of security threats and incidents should be automated – i.e., systems that continuously monitor the network and alert on suspicious activity. When something suspicious is happening, the system records it and notifies the relevant persons.
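The automated detection described above, applied to the look-alike sender address from Case 1: an added example in Python, not code from the article or from ARROWS. It holds inbound From: headers whose domain differs from the company's own by a homoglyph swap or a couple of edits, or that carry an executive's display name on an external domain; the company domain, executive list, edit-distance threshold and sample headers are all constructed.

```python
"""Flag inbound mail whose sender merely resembles the company or its executives.

Added illustration; not code from the article. The company domain, the executive
name list, the edit-distance threshold and the sample headers are all constructed.
"""
import unicodedata
from email.utils import parseaddr

COMPANY_DOMAINS = {"example-corp.cz"}  # constructed: the company's genuine mail domain
EXECUTIVE_NAMES = {"martin novotny"}   # constructed: folded names worth impersonating
MAX_EDITS = 2                          # constructed threshold for "a character or two off"

# Digits and letter pairs commonly substituted for look-alikes; map them back
# before comparing, so "c0rp" and "exarnple" collapse onto "corp" and "example".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_domain(domain: str) -> str:
    folded = domain.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def fold_name(name: str) -> str:
    """Lower-case and strip diacritics so 'Martin Novotný' == 'martin novotny'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower().strip()


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def assess_sender(from_header: str) -> dict:
    """Return a verdict for one From: header: suspicious flag plus the reasons."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    reasons = []
    if not domain:
        reasons.append("no sender domain")
    elif domain not in COMPANY_DOMAINS:
        for ours in COMPANY_DOMAINS:
            if normalise_domain(domain) == normalise_domain(ours):
                reasons.append(f"homoglyph look-alike of {ours}")
            elif levenshtein(domain, ours) <= MAX_EDITS:
                reasons.append(f"within {MAX_EDITS} edits of {ours}")
        # A genuine executive writes from the company domain; the same name on
        # an outside domain is the CEO-fraud pattern from Case 1.
        if fold_name(display) in EXECUTIVE_NAMES:
            reasons.append("executive display name on an external domain")
    return {"address": address, "domain": domain,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample headers: one genuine, one unrelated partner, the rest modelled on Case 1.
SAMPLE_HEADERS = [
    '"Martin Novotný" <martin.novotny@example-corp.cz>',
    '"Martin Novotný" <martin.novotny@example-c0rp.cz>',
    'Martin Novotný <ceo.urgent@webmail.example>',
    'accounts@exarnple-corp.cz',
    '"Jana Svobodová" <jana@partner-firm.cz>',
]


def triage(headers=SAMPLE_HEADERS) -> list:
    """Return only the headers worth holding for a second pair of eyes."""
    return [h for h in headers if assess_sender(h)["suspicious"]]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict = assess_sender(header)
        status = "HOLD" if verdict["suspicious"] else "ok  "
        print(f"{status} {header}: {verdict['reasons']}")
```

Held messages are meant to be routed to a human check that does not rely on the phone number or reply address inside the message itself, which is the four-eyes control the article asks about in Case 1.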
Backups and a recovery plan are critical: if an attack occurs, the company should be able to restore operations without losing critical data. This requires management to ensure regular backups and testing of the recovery plan.
Software updates are fundamental – when a security patch is released for software, the company should deploy it within a reasonable time. Neglecting updates is one of the most common reasons why cyberattacks succeed.
Organisational measures
Employee training must be regular and specific. If management implements a compliance programme in which employees learn to recognise phishing emails, report them, and where management praises those who do not dismiss a suspicious message, a culture of accountability and security is created. This significantly reduces the likelihood of a successful phishing attack.
The security policy must be written, clear, and accessible to all employees. It should contain specific rules: what to do when you receive a suspicious email, how to handle passwords, what the procedures are in the event of suspected security incidents, etc.
Appointing persons responsible for cybersecurity – for example a Chief Information Security Officer (CISO) or a security manager – facilitates communication and ensures that security topics are addressed systematically. However, it is crucial that these persons have direct access to management and can inform management about the security status without unnecessary filters.
An incident response plan – a plan for what to do when a security incident occurs – must be pre-written and tested. This means: who is contacted, how procedures are followed, what the phases are (detection, isolation, recovery, communication, etc.). When an incident actually occurs, there is no time for improvisation – teams must know what to do. This also minimises the time during which the company is exposed and minimises damage.
Documentation and audit
Here is the most important point for management: the new law requires not only security, but also proof of security. This means that management must have demonstrable records showing that it: approved the security policy, attended training, carried out an audit of security measures, and that all selected measures actually work.
During an inspection by NÚKIB, nice documents on paper will not be enough – the regulator will want to see and verify that the systems actually work. Typically, this is done through third-party audits that verify the effectiveness of security measures and produce independent reports on compliance with the law.
Attorneys from ARROWS, a Prague-based law firm, encounter situations where company management does not take documentation obligations seriously enough, and then, when the regulator arrives, it turns out that without evidence of approval and monitoring of security measures, management is an easy target for sanctions. We therefore recommend preparing a compliance programme that will include technical and organisational measures as well as a set of procedures and records that demonstrate management’s activity (office@arws.cz).
What to do when it is already too late? Crisis management after a phishing attack
If a company discovers that it has been the victim of a phishing attack and has lost money, time is critical. The first 24–48 hours are crucial in terms of how quickly damage can be minimised.
Immediate steps (hours 0–4 after detection)
The immediate priority is technical stabilisation: the compromised systems must be isolated from the internet and the internal network (without shutting them down, so as not to destroy traces in RAM). Recording all steps—a detailed, time-stamped log of all decisions and instructions—must begin immediately, because this will later be key evidence for NÚKIB or a court that management sought to minimise the damage.
Contacting the cyber risk insurer (if the company has taken out such insurance) is important within the relevant time window—policies often contain deadlines by which the incident must be reported. Missing the deadline may lead to a denial of coverage.
ARROWS, a Prague-based law firm, encounters situations where company management tries to handle the incident on its own and, without legal assistance, makes mistakes that later worsen the company’s position. We therefore recommend that companies contact an attorney as soon as possible after detecting an incident—the attorney can then coordinate steps with crisis management specialists, IT forensics experts, and communications with the authorities.
Reporting to the relevant authorities
Under the GDPR (Regulation (EU) 2016/679)—if a phishing attack results in a personal data breach—the incident must be reported to the Office for Personal Data Protection (ÚOOÚ, the Czech data protection authority) without undue delay and no later than 72 hours after becoming aware of it (Article 33 GDPR).
The new Cybersecurity Act additionally requires certain incidents to be reported to NÚKIB, in particular if they concern entities subject to higher or basic obligations or are of a serious nature.
Reporting to the police is also not automatic, but where a criminal offence is involved (fraud, unauthorised access to a system), it is recommended, because it not only protects the company itself but also other potential victims if the police subsequently pursue the perpetrator.
Communication with the public and clients
When employees, clients, or business partners learn about the incident, how should it be communicated? Here it is important to be timely, honest, and to clearly communicate what steps are being taken to remedy the situation. Silence or insufficient information leads to a faster loss of trust.
It is recommended to prepare a communication plan—who communicates with whom, in what order, and what information is shared. This should include communication with employees, clients, business partners, and also the media, if it is a serious case that will be made public.
ARROWS, a Prague-based law firm, can assist with preparing a communication strategy that minimises reputational harm and complies with legal obligations, in particular notification obligations under the GDPR and the Cybersecurity Act.
Future litigation and investigations
After an incident is identified, company management often faces several processes running in parallel: an investigation by NÚKIB, an investigation by the police, claims for compensation from affected third parties, as well as internal processes within the company itself. Each of these processes has its own deadlines, procedures, and risks.
ARROWS, a Prague-based law firm, can represent the company and its management throughout all these stages—from initial communication with regulators to defence against fines and sanctions. ARROWS’ professional liability insurance of up to CZK 400 million provides clients with additional comfort that, when matters become serious, the firm has the resources for a robust defence.
| Potential issues | How ARROWS helps (office@arws.cz) |
| --- | --- |
| Company management does not know what security obligations are imposed by the new Cybersecurity Act and what its personal liability is. | ARROWS, a Prague-based law firm, will prepare a legal opinion with a precise list of obligations under the Act and current standards, and will define what management must actively ensure in order to avoid fines and personal liability. |
| The company is undergoing an inspection by NÚKIB or another regulator and wants to defend itself against suspicion that security measures were insufficient. | ARROWS, a Prague-based law firm, will provide legal representation in dealings with regulators, prepare evidentiary materials (audit, certifications, records of approvals of measures), and defend the company and its management against imposed fines. |
| After a phishing attack that resulted in a loss of money, management faces the threat of criminal prosecution and civil lawsuits from clients or partners. | ARROWS, a Prague-based law firm, represents management and the company in criminal proceedings (coordination with the public prosecutor) as well as in civil disputes, seeking to minimise liability and achieve the best possible outcome. |
| Management wants to prepare a compliance programme to avoid security incidents in the future and meet statutory obligations. | ARROWS, a Prague-based law firm, works with IT specialists to create a compliance programme that includes technical measures, employee training, security policies, and a documentation and audit system, so that management can demonstrate active management of cyber risks. |
| The company wants to recover damages from an employee who caused damage due to phishing, or wants to understand its obligations towards the insurer. | ARROWS, a Prague-based law firm, will analyse the specific situation, employment-law limitations on employee liability, insurance terms, and current case law, and propose steps to proceed in compliance with the law without unnecessarily jeopardising the company's position. |
Final summary
When a company encounters a phishing attack that leads to a loss of money, the reality has changed significantly in recent months due to the entry into force of the new Cybersecurity Act. Responsibility no longer rests solely with the IT department—it is transferred directly to company management. Managing directors and members of the board of directors are now personally liable for ensuring that their company implements adequate security measures, oversees compliance with them, and maintains documentation of its active approach to managing cyber risks.
This legal shift has a profound practical impact. Management that previously considered cybersecurity a marginal technical matter now finds itself under pressure from regulators, facing potential sanctions of tens or hundreds of millions of Czech crowns for the company and up to CZK 20 million for an individual manager, as well as pressure from civil lawsuits by affected third parties. At the same time, management faces reputational harm—when clients or the public learn about a security incident, trust in the company may be seriously damaged and sometimes may not be restored.
We therefore recommend addressing this topic without delay. The first step is to secure a legal analysis that specifies your company’s concrete obligations under the new Act. The second step is to develop and implement a compliance programme that will include technical measures (MFA, access management, threat detection), organisational measures (employee training, security policies, incident response plan), and evidentiary records (documentation of management decisions, audit reports, certifications).
If your company manages to minimise the risks of security incidents, it can save tens of millions of Czech crowns. However, if an incident still occurs and management suspects it could have been better prepared, the attorneys at ARROWS, a Prague-based law firm, can assist with defending against regulatory fines, handling criminal proceedings, and minimising civil liability. Contact ARROWS, a Prague-based law firm, if you would like a legal opinion prepared or if you are facing a security incident and need legal support (office@arws.cz).
FAQ: Questions about phishing attacks
1. When is money lost through a phishing attack truly irrecoverable, and is there any legal remedy to get it back?
In the vast majority of cases, money transferred by attackers through a phishing attack is practically untraceable. Because the funds are forwarded through multiple accounts and financial networks (often via cryptocurrencies), the police and financial institutions are unable to secure them. From a legal perspective, the affected company essentially has three options: request a refund from the bank (the bank typically refuses on the grounds that the transaction was authorised), seek compensation from the insurer (if the company has taken out insurance), and consider whether compensation can be pursued against the company’s management if it is proven that management breached statutory security obligations. The attorneys at ARROWS, a Prague-based law firm, can negotiate with the bank and the insurer and protect the company’s rights using the available legal remedies (office@arws.cz).
2. What if an employee claims they did not want to verify the email because they were in a hurry and under pressure from a superior?
The fact that an employee was under pressure is not a legally acceptable excuse. Every employee should follow security procedures regardless of time pressure. This is not a matter of court or legal mediation—it is a societal standard. If management wants to defend itself against a regulator’s fine by pointing to an “individual employee’s failure”, it usually does not work. NÚKIB (the Czech National Cyber and Information Security Agency) will argue that management should have ensured better processes (four-eyes principle, automated checks, etc.) to prevent a single employee from causing such significant damage. The attorneys at ARROWS, a Prague-based law firm, encounter these situations and know the arguments NÚKIB typically uses—so they can help prepare a defence that is credible and lawful (office@arws.cz).
3. What is the deadline by which management must report a security incident to regulators?
If a security incident involves a personal data breach, it must be reported to the Office for Personal Data Protection (ÚOOÚ) without undue delay and no later than 72 hours after becoming aware of it (Art. 33 GDPR). The new Cybersecurity Act also requires certain serious incidents to be reported to NÚKIB within a time window, generally without undue delay, and specifies concrete deadlines for the individual phases of reporting. Failure to meet these deadlines may in itself lead to an additional fine. The attorneys at ARROWS, a Prague-based law firm, can help coordinate all of these notifications and ensure they are made correctly and on time (office@arws.cz).
4. Can company management be shielded from liability by insurance that covers cyber risk?
Cyber risk insurance can significantly reduce the financial impact of a security incident, provided the company has taken out the policy and the policy covers the specific situation. However, insurance does not protect management from having to comply with statutory security obligations; it does not relieve management of the duty to implement the measures required by law. If NÚKIB finds that management has completely neglected its security obligations, the regulator will insist on a fine despite the existence of insurance. The attorneys at ARROWS, a Prague-based law firm, recommend insurance as part of a comprehensive risk management approach, but not as a substitute for active security management (office@arws.cz).
5. What if the company operates in a global market and is also subject to US or European regulation outside the Czech Republic?
If a company operates in the USA, it is also subject to US data protection and cybersecurity laws (e.g., CCPA, HIPAA, various state laws). In the EU, rules similar to NIS2 are gradually being implemented in the individual Member States, along with related regulations such as DORA for the financial sector. Company management therefore faces a mosaic of regulatory obligations across different jurisdictions, which increases complexity and the risk of non-compliance. The attorneys at ARROWS, a Prague-based law firm, through the international ARROWS International network, can participate in coordinating legal strategy and defence across different countries to ensure a consistent and effective approach (office@arws.cz).
Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue as of 2026. Although we strive for maximum accuracy, laws and their interpretation evolve over time. We are ARROWS Law Firm, a member of the Czech Bar Association (our supervisory authority), and for the maximum security of our clients, we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of the regulations and their application to your specific situation, it is necessary to contact ARROWS Law Firm directly (office@arws.cz). We are not liable for any damages arising from the independent use of the information in this article without prior individual legal consultation.