FAQ
Healthcare
If you develop or market medical devices with digital components, you are subject to MDR (EU 2017/745) and, in the near future, to the Cyber Resilience Act (CRA). CRA introduces cybersecurity obligations—including mandatory incident reporting from September 2026, and full applicability from December 2027.
We recommend developing your products in accordance with:
- IEC 62443-4-1 (secure development)
- IEC 81001-5-1 (for medical software)
- IEC 62443-4-2 (security of technical components)
These standards define clear requirements for development processes, system architecture, updates, and resistance to vulnerabilities.
Additionally, manufacturers must understand the deployment environment of their products. Hospitals should inform you of which security zones your products will enter (e.g., high-trust zone, security perimeter, open network).
Based on this, you can determine the required security level—which influences configuration, logging, encryption, updates, or integration into the hospital’s SIEM system.
Cybersecurity in healthcare is no longer optional—it is a mandatory part of risk and operational management in healthcare facilities. Hospitals are regulated entities under the new Cybersecurity Act (ZoKB), effective November 1, 2025, based on the NIS2 directive.
Cybersecurity in hospitals should be based on three key pillars:
- ISO/IEC 27001 – An ISMS to manage risks, define policies, train staff, and handle incidents
- ZoKB (NIS2) – A legislative framework requiring operational, technical, and organizational security measures, incident reporting, and auditability
- IEC 62443-2-1 – A standard for designing and managing cybersecurity in operational (OT) environments, including healthcare settings
IEC 62443-2-1 should serve as a methodological framework for dividing hospital infrastructure into security zones. Each zone (e.g., critical systems, public networks, lab devices) has a designated security level, which determines the technical and organizational measures required—along with the security standards for products entering that zone.
Hospitals should apply this zoning approach in communication with suppliers and demand information on product security levels accordingly.
Healthcare is one of the most strictly regulated sectors—both in terms of handling sensitive data and the operation and safety of systems and devices. Regulations and standards affect not only care providers but also their suppliers, IT developers, and medical device manufacturers.
Legislation:
- Cybersecurity Act (ZoKB) – Effective from November 1, 2025; implements NIS2. Applies to hospitals, healthcare facilities, public institutions, and IT vendors.
- GDPR – Protection of personal data for patients, staff, and users of healthcare systems.
- MDR (EU 2017/745) – Regulation of medical devices, including software with diagnostic or therapeutic functions.
- MDCG 2019-16 – European Commission guidance on cybersecurity for medical devices, especially networked ones.
- Cyber Resilience Act (CRA) – Will apply to all products with digital elements, including medical software. Incident reporting will be required starting September 2026.
Standards:
- ISO/IEC 27001 – Information Security Management System (ISMS)
- ISO 13485 – Quality management system for medical device manufacturers
- ISO 27799 – Protection of personal health data within an ISMS
- IEC 81001-5-1 – Cybersecurity for medical software and IT systems in healthcare
- IEC 62443 – Cybersecurity for industrial control systems; also applicable in hospitals/labs using OT technologies (e.g., lab automation, connected diagnostics)
- IEC 62304 – Lifecycle management of medical software (development, maintenance, changes)
- IEC 82304-1 – Quality and safety of health software products
- ISO/IEC 42001 – Management of AI systems (recommended for organizations developing or operating AI in clinical or operational settings)
Cybersecurity in healthcare must be approached comprehensively—at the organizational/hospital level (IT systems, processes, staff) and at the level of technologies and medical devices that handle patient data or communicate with other systems.
It is essential to distinguish management systems (e.g., ISO/IEC 27001, ISO 13485, or the new Cybersecurity Act based on NIS2) from product security: management systems apply solely to the organization, its processes, and quality management.
They do not demonstrate or prove the cybersecurity of specific products or medical devices; that must be addressed separately through technical standards and specialized assessments.
Ensuring the security of medical devices and information systems requires:
- Secure development and system management (e.g., according to IEC 81001-5-1 or IEC 62443-4-1)
- Vulnerability testing and penetration testing (e.g., according to IEC 62443-4-2)
- Implementation of an Information Security Management System (ISMS according to ISO/IEC 27001)
- Assessment of compliance with NIS2, the Cybersecurity Act (ZoKB), GDPR, and MDR (Medical Device Regulation)
- Preparation of technical documentation and compliance for notification or CE marking
EZÚ offers both organizational and product-related services, supporting hospitals, public institutions, and healthcare technology providers in managing the full process of cybersecurity—from GAP analysis and tailored training to pre-assessments, audits, and certification based on relevant standards and regulations.
Industry
Yes. If you are a manufacturing company, it is likely that the NIS2 directive and its Czech implementation (the new Cybersecurity Act) apply to you. These regulations target organizations operating critical or important infrastructure and may also affect manufacturers within key supply chains. We recommend conducting an assessment to determine whether your company falls under these rules and to prepare for any cybersecurity obligations.
Further information: NÚKIB Guide to the New Cybersecurity Act
Besides NIS2, it’s important to monitor other upcoming EU regulations that will significantly impact manufacturing firms:
- RED: Effective August 1, 2025, the delegated act introduces cybersecurity requirements for all radio equipment connected directly or indirectly to the internet, ranging from industrial devices to consumer electronics.
- Cyber Resilience Act (CRA): Effective December 11, 2027, with incident reporting obligations starting September 11, 2026. Applies to all products with digital elements and requires manufacturers to report major cybersecurity incidents and actively exploited vulnerabilities to ENISA or national authorities.
Manufacturing companies should begin preparing for these regulations now, including assessing current products, implementing security measures, and ensuring compliance. Early preparation will help minimize risk and ensure a smooth transition to the new cybersecurity standards.
A variety of legislative frameworks and technical standards apply to both organizations and products:
Legislation:
- NIS2 + new Cybersecurity Act – defines obligations for medium and large enterprises in key sectors (including manufacturing)
- Cyber Resilience Act (CRA) – applies to all digital products placed on the EU market (including software, devices, and combined solutions)
- RED Delegated Act – supplements the Radio Equipment Directive with cybersecurity requirements for wireless products (effective from August 1, 2025)
- AI Act – upcoming EU regulation for AI systems, defining requirements based on risk levels (especially in areas like production control, quality, or predictive maintenance)
Standards:
- ISO/IEC 27001 – Information Security Management System (for organizations)
- IEC 62443 – Cybersecurity for industrial control systems and components (also applies to product development)
- EN 18031 – Product vulnerability assessment and security testing (relevant for RED)
- ETSI EN 303 645 – Baseline standard for consumer IoT cybersecurity
- ISO/IEC 42001 – New international standard for AI system management, focused on transparency, risk management, and auditability
Note: Management systems like ISO/IEC 27001 or the new Cybersecurity Act apply only to organizations, not products. Product and device security requires entirely different approaches, primarily based on IEC 62443.
Cybersecurity in the industrial sector must be approached comprehensively—both at the organizational infrastructure level (IT/OT systems) and at the product level for items placed on the market.
It is essential to distinguish security management systems (e.g., ISO/IEC 27001 or the new Cybersecurity Act based on NIS2) from product security: management systems apply solely to organizations and their processes, and they do not demonstrate or prove the security of specific products.
Ensuring product security, especially those with digital elements, requires:
- Secure development (ideally according to IEC 62443-4-1)
- Vulnerability testing (e.g., IEC 62443-4-2 and EN 18031)
- Assessment of product compliance with legal requirements (particularly CRA and RED)
- Preparation of technical documentation and CE marking (for RED)
- CB certificates for IEC 62443-4-1 and IEC 62443-4-2 (globally recognized)
EZÚ offers both organizational and product-related services and helps manufacturers and suppliers manage the full lifecycle of cybersecurity—from initial GAP analysis, tailored training, and pre-assessments to successful certification.
State administration
Yes. The new Cybersecurity Act was signed by the president on June 26, 2025, and will take effect on November 1, 2025. It implements the NIS2 Directive and significantly expands the scope of regulated entities.
This means the law will affect thousands of institutions: government offices, public service organizations, hospitals, schools, regional governments, municipalities, and other public bodies.
Once in effect, regulated entities will have 60 days to report their regulated services and will then be required to meet specific obligations—such as:
- Cyber risk management
- Systems security
- Incident response
- Event reporting
We highly recommend familiarizing yourself with the law’s requirements in advance.
You can find clear and detailed guidance at the NÚKIB portal: Guide to the New Cybersecurity Act (NÚKIB Portal)
EZÚ offers practical support to organizations subject to the new Cybersecurity Act, effective November 1, 2025. We can assist you with:
- Mapping your current state (pre-screening, GAP analysis)
- Training employees
- Conducting a pre-audit of your preparedness
We can provide certification either independently or as part of an integrated system with your existing ISO/IEC 27001 implementation.
With our guidance, you can efficiently navigate the entire process—from initial steps to final compliance verification.
With the introduction of the new Cybersecurity Act (based on NIS2), there is now a strong connection between ISVS requirements and cybersecurity regulations.
In practice, if an ISVS also falls under the scope of the Cybersecurity Act (e.g., it ensures the provision of essential services), then the certification process must also reflect the cybersecurity requirements from that law.
Even today, ISVS certification routinely includes evaluating areas such as:
- Access management
- Backups
- Change management
- Incident response
- Operational security
These areas overlap with the requirements of NIS2 and the Cybersecurity Act.
Therefore, we recommend planning ISVS certification in the context of broader cybersecurity requirements and ideally linking it with a compliance assessment based on ZoKB/NIS2.
ISVS certification (Information System of Public Administration) is a legally defined process designed to verify whether a given information system meets the requirements established by legislation—specifically Act No. 365/2000 Coll. on information systems of public administration and Decree No. 529/2022 Coll.
Certification is mandatory for:
- Public authorities that operate or manage ISVS
- System suppliers who develop, implement, or operate information systems intended for public administration
Others
We understand that new legislative requirements can seem complex and intimidating—especially if you don’t know where to begin.
But the important thing is: it doesn’t matter what stage you’re at—we’re here to help you from the very first step all the way to successful certification.
It can all start with a non-binding initial meeting, where we’ll clarify your organization’s key needs and expectations. From there, we offer:
- Free pre-screening, or
- An initial GAP analysis to assess your current state and identify weaknesses and opportunities
Based on the results, we’ll design tailored training that matches your industry, organization type, or product portfolio.
Next comes a pre-audit or pre-assessment, where we objectively evaluate your certification readiness—highlighting strengths, weaknesses, and practical recommendations.
The final stage is the actual certification according to the chosen framework—whether it’s:
- IEC 62443
- IEC 81001-5-1
- EN 18031 (RED)
- ISO/IEC 27001
- The Cybersecurity Act (ZoKB)
- ISO/IEC 42001, or another regulation
Thanks to our expert guidance, the entire process runs smoothly and efficiently, with optimized time and cost on your side.
Yes, we perform penetration and security tests, primarily aligned with EN 18031, a key standard for assessing the cybersecurity of products under requirements such as the RED Delegated Act.
Our testing approach is tailored to the client’s specific needs. With support from our partners, we perform:
- Basic vulnerability scans (e.g., black-box testing)
- Advanced security analysis, including white-box testing using source code or detailed documentation
Tests can be purposefully designed to support product certification according to standards such as:
- IEC 62443-4-2 (security of products in industrial automation)
- IEC 81001-5-1 (cybersecurity of medical software and IT systems)
This makes our test results practically useful not only for internal security assurance but also as part of formal compliance with European standards and regulations.
EZÚ is an accredited certification body for trusted services under the eIDAS Regulation and is preparing for the upcoming eIDAS 2.0 requirements.
We offer comprehensive support for qualified trust service providers (QTSPs), including:
- Pre-audit and readiness assessment
- Certification of all seven types of trust services
- Supervisory and recertification audits
We also assist with:
- Migration of key infrastructures
- Expanding trusted lists
- Evaluating technical solutions for compliance with ETSI standards and legislation
Our clients include both service providers (e.g., electronic signatures, timestamps, secure delivery) and system developers preparing their solutions for trusted environments.
EZÚ provides independent conformity assessment, expert consultations, and technical testing—including support for transitioning to eIDAS 2.0 and the EUDI Wallet.
Yes. If you develop, operate, or in any way use Artificial Intelligence (AI) systems, the ISO/IEC 42001 standard likely applies to you.
It is the first international standard that defines rules for managing AI systems to ensure they are safe, responsible, and transparent. The standard was created in response to the growing use of AI across sectors and the need to align with ethical, technical, and legal expectations—including the upcoming AI Act regulation.