Czechia’s national cybersecurity watchdog has issued a warning about foreign cyber operations, focussed on Chinese data transfers and remote administration, urging both government bodies and private businesses to bolster defenses amid rising espionage campaigns tied to China and Russia.
The alert, published this week by the National Cyber and Information Security Agency (NÚKIB), cites ongoing risks to government systems, energy providers, telecoms, and other critical infrastructure operators. While NÚKIB did not name specific incidents in its bulletin, the agency said that “selected foreign states” were increasingly engaged in long-term campaigns designed to compromise strategic sectors, exfiltrate sensitive information, and undermine public trust.
The Core Threat Assessment
NÚKIB has classified the threat as “High – likely to very likely,” encompassing two primary concerns; data transfers to the People’s Republic of China (PRC) and its Special Administrative Regions (Hong Kong and Macau), and remote administration of technical assets from these territories. This assessment applies to all entities regulated under Czech cybersecurity legislation, including critical infrastructure operators.
The agency’s decision to issue this warning stems from what it describes as “facts established during the exercise of its powers, supplemented by unclassified and classified information obtained from domestic and foreign partners.”
At the heart of NÚKIB’s warning lies a detailed analysis of China’s legal environment, which the agency argues fundamentally compromises data security. The assessment identifies several problematic regulations:
National Security Framework: The 2015 National Security Law imposes broad obligations on Chinese citizens and organizations to assist state authorities in matters of national security. More significantly, the 2017 National Intelligence Law requires “every citizen and organisation” to support intelligence activities and maintain confidentiality.
Corporate Control Mechanisms: The 2013 Company Law mandates Communist Party of China (CPC) organizations within companies, effectively allowing party influence over corporate operations. This creates a direct channel for state interference in nominally private enterprises.
Vulnerability Reporting Requirements: 2021 regulations require technology manufacturers to report security vulnerabilities to the Ministry of Industry and IT within two days, with subsequent reporting to the Ministry of State Security. Crucially, manufacturers are prohibited from disclosing these vulnerabilities to foreign organizations.
The Counter-Espionage Law, particularly following its 2023 amendment, expands espionage definitions to encompass virtually any documents or data deemed related to national security by Chinese authorities. This creates an environment where state access to private data is not only legal but mandated.
Special Administrative Regions, Means Extended Reach
NÚKIB’s analysis extends to Hong Kong and Macau, territories that maintain economic autonomy while remaining under Chinese sovereignty. The agency identifies concerning legislation in both regions
The 2024 Safeguarding National Security Ordinance integrates China’s national security framework into Hong Kong’s legal system, creating vague definitions of “state secrets” that could encompass economic, social, technological, or scientific activities.
In Macau, the 2019 Cybersecurity Law grants the Cybersecurity Incident Alert and Response Center (CARIC) authority to conduct real-time monitoring of critical infrastructure data transmissions, with no supervisory mechanism to prevent abuse.
Attribution and Active Threats
The warning gains particular weight from recent attribution activities. In May, the Czech government publicly attributed cyberattacks against its Ministry of Foreign Affairs to APT31, a group associated with China’s Ministry of State Security. This campaign, active since 2022, targeted critical infrastructure and demonstrated sophisticated, persistent capabilities.
The Czech government “strongly condemns this malicious cyber campaign against its critical infrastructure” and noted that “such behavior undermines the credibility of the People´s Republic of China and contradicts its public declarations.
This attribution wasn’t conducted in isolation. NÚKIB worked alongside the Security Information Service, Military Intelligence, and the Office for Foreign Relations and Information to achieve what they describe as “a high degree of certainty about the responsible actor.”
The Czech warning aligns with broader international concerns about Chinese technology risks. NÚKIB notes that Italy, Germany, the Netherlands, and Australia have taken measures regarding specific Chinese products and services, while the Five Eyes intelligence alliance has issued advisories about Chinese cyber espionage groups.
Also read: Six Australian MPs Confirm They were Targeted by China’s APT31 Hackers
The agency specifically references a 2021 European Data Protection Board study concluding that Chinese laws allow “broad access by PRC state authorities to data without sufficient independent oversight,” fundamentally contradicting GDPR principles of transparency, proportionality, and legal protection.
Critical Infrastructure Implications
The warning carries particular significance for critical infrastructure operators. NÚKIB emphasizes that disruption of availability, confidentiality, or integrity of backbone systems “could potentially have a significant impact on many people in the territory of the Czech Republic.”
The agency identifies specific technology categories of concern:
- Personal devices (smartphones, watches, electric vehicles)
- Cloud services
- Photovoltaic inverters
- IP cameras
- Health technology
- Smart meters
A Pattern of Firm Stances
The warning follows a series of steps by the Czech government to push back against foreign digital influence. Earlier this year, Prague moved to restrict the use of Chinese-developed AI platforms such as DeepSeek, citing risks of data exfiltration and systemic manipulation. The Ministry of Foreign Affairs said at the time that trust in the country’s digital infrastructure was “not compatible with applications subject to extraterritorial control by foreign powers.”
This builds on years of concern over technology supply chains. Czechia was one of the first EU members to limit Huawei and ZTE equipment in its 5G rollout, a decision backed by NÚKIB in 2018 that placed it firmly in the transatlantic camp on telecom security. The latest warning suggests the government is prepared to extend that logic into AI systems and cloud-based platforms as well.
The warning reflects evolving geopolitical realities. NÚKIB notes that China’s support for Russia in the Ukraine conflict has intensified its interest in European affairs, manifesting in increased cyber espionage activities. The agency cites intelligence assessments showing Chinese actors targeting Czech state institutions with increasingly sophisticated spear-phishing attacks.
The Security Information Service has repeatedly emphasized technological dependence on China as a strategic vulnerability, particularly given China’s “autocratic regime with global ambitions to create an effective counterbalance to the G7 countries.
