Hidden overhaul of Czech FDI screening regime

Critical infrastructure: scope expanded and focus clarified

The new Critical Infrastructure Act reshapes Czech law by defining critical infrastructure at the level of the operator rather than the individual asset. In practical terms, companies that run critical infrastructure will themselves be designated as critical infrastructure subjects. As a result, mandatory FDI filings will be triggered by transactions acquiring shares in the operator, whereas purchasing the assets alone will not in itself require notification – though the buyer would step into the role of critical infrastructure subject with the associated obligations. This change should not materially disrupt deal execution, but it brings clearer, more predictable rules: equity acquisitions of operators will prompt filings, while pure asset deals are less likely to do so.

Second, the scope of critical infrastructure will probably modestly expand under the new regime. In international comparison, though, the old regime was very narrow, and the new regime will most likely still stay within reasonable limits.

Cybersecurity: a major driver of filings

By contrast, the new Cybersecurity Act is transformative in scope. It materially expands the range of covered services and providers in the Czech cyber regime. As the FDI Screening Act pegs mandatory filing obligations to designations under the cyber regime, this expansion will enlarge the universe of transactions subject to mandatory FDI filing. Going forward, all services that are potentially vulnerable in terms of cybersecurity are covered, including energy, mechanical engineering, the food sector, chemicals, water supplies, the waste industry, transport, digital infrastructure, financial services, the health sector, science and research, defence and the space industry. The magnitude of this knock-on effect is expected to be significant: more services will qualify, more entities will be designated, and more deals involving those entities will require prior FDI clearance. 

While the Cybersecurity Act will bring many more organisations into scope, a mandatory FDI filing will apply only to providers of services classified as "essential" under the higher regulatory regime, not to those deemed "important" under the standard regime. In practice, the dividing line is often scale and criticality: large operators whose services are vital to the economy or society are typically treated as essential, whereas medium sized operators performing comparable activities are usually classified as important. For example, large data centre or cloud computing providers are likely to be designated as essential, while mid market providers would generally fall under the important category. Experts expect that more than 1,000 additional entities will be designated as essential and therefore brought into the mandatory FDI filing regime.

Designation principle: when filing obligations arise

Both the critical infrastructure and cybersecurity regimes operate on a designation principle. An entity becomes a "subject of critical infrastructure" or a "provider of an essential service" only upon formal designation. From that moment – and not before – entity-specific obligations arise, and the entity falls into the FDI Act's mandatory filing net. However, entities that are likely to be designated are obvious candidates for voluntary FDI consultations, if the transaction occurs before their formal designation, given the heightened risk profile once designation occurs and corresponding possible interest of the Czech FDI authority to call such transactions in.

Pending deals and closing constraints

There is no grace period in the FDI regime for newly designated entities. From the moment an entity is formally designated, any transaction involving it as the target cannot close until FDI screening is completed. This creates immediate timing risk at designation and should be reflected in both transaction documentation and closing mechanics.

By contrast, the Critical Infrastructure Act and the Cybersecurity Act do provide interim windows tied to the designation process. Providers of essential services under the Cybersecurity Act must report by 31 December 2025, and operators meeting the criteria for critical infrastructure must inform the authority by 31 March 2026. Practically, this gives likely designees some control – within those windows – over when to notify. Buyers and sellers should therefore coordinate closely on notification timing, as formal notification is typically followed swiftly by designation, which in turn can trigger a new mandatory FDI filing requirement and delay closing.

While the Czech regime offers a voluntary filing route, it follows a distinct procedure. Voluntary filings begin with a Phase 0 review of up to 45 calendar days, and only if initial concerns arise does the case move to Phase 1 (90 days). Mandatory filings, by contrast, start directly in Phase 1. If a target becomes designated mid process, a transaction requires a Phase 1 clearance; Phase 0 approval would not dismantle the standstill obligation.

For targets likely to be designated, it is still sensible to open the process via a voluntary filing, since a mandatory filing is not available until the target is formally designated. Hopefully, the authority should move the case promptly into Phase 1 once designation occurs. Even so, parties should plan on clearance being issued roughly 70–80 calendar days after Phase 1 begins, i.e. from when the authority becomes aware of the designation.

Practical takeaways

The combination of expanded critical infrastructure coverage, entity-based scoping and a significantly broader cyber designation framework will increase the number of deals that require mandatory FDI filings after 1 November 2025. Parties should revisit deal timetables, conditions precedent, covenants and long-stop dates with a view to designation timing. For targets that are likely to be designated but not yet designated, voluntary consultation and careful coordination around interim-period notifications can be decisive in preserving deal momentum and closing certainty.