
Executive Summary

For: Board / C-level management
Reading time: 5 minutes
Version: 1.0 | December 2025


Situation

By 2026, three pieces of EU legislation will fundamentally change how companies in the Czech Republic and the wider EU handle data and artificial intelligence:

  1. AI Act (Regulation (EU) 2024/1689) - regulation of AI systems
  2. NIS2 (Directive (EU) 2022/2555) - cybersecurity obligations, transposed into Czech national law
  3. GDPR - personal data protection (already in force, ongoing obligations)

Key Deadlines

Financial Risk

Non-compliance Penalties

Regulation            Maximum penalty                          Turnover-based component at €100M revenue
AI Act (prohibited)   €35M or 7% of global annual turnover     €7M
AI Act (high-risk)    €15M or 3% of global annual turnover     €3M
NIS2                  CZK 20M                                  CZK 20M
GDPR                  €20M or 4% of global annual turnover     €4M

Note: under the AI Act and GDPR the higher of the two amounts applies (for SMEs the AI Act applies the lower), so for a company with €100M revenue the fixed amount is the binding cap. The last column shows only the turnover-based component and therefore understates the maximum exposure.

Cumulative Risk

A single incident (e.g., a personal-data breach involving a high-risk AI system) can trigger penalties under all three regulations at the same time, because each regime is enforced independently:

Worst-case scenario: up to roughly €55M (€35M AI Act + €20M GDPR + CZK 20M NIS2, taking the fixed caps)

Plus:

  • Class action lawsuit from data subjects
  • Reputational damage (20-50% sentiment drop)
  • Customer loss (10-30% revenue in first year)

Incident Probability

Measures                      Incident risk (2 years)
No measures                   60%
Basic ISMS                    15%
ISO 27001 + AI governance     <5%

Current Status

Overall readiness: 40% (December 2025)

Regulation   Readiness   Priority
AI Act       50%         HIGH PRIORITY
NIS2         25%         CRITICAL
GDPR         50%         MEDIUM PRIORITY

What’s Done ✅

  • Governance: Board awareness
  • Team: CTO + DPO + CISO (external)
  • AI Inventory: Basic overview
  • GDPR Data Mapping: 70%

What’s Critical

  • NIS2 scope determination
  • GDPR DSAR workflow
  • Incident Response Plan
  • High-risk AI assessments

Required Resources

Personnel

  • CISO (external consultant, 3-6 months)
  • Compliance Officer (internal/external)
  • Legal support (AI Act assessment)

Financial (estimate)

  • ISMS setup: €30-50k
  • ISO 27001 certification: €30-50k
  • External audits: ~€100k/year
  • Total Y1: €150-200k

Timeline

  • Board approval: January 2026
  • Implementation: February-July 2026
  • Go-live: August 2026

Recommendations

Immediately (this week)

  1. ☐ Approve compliance roadmap
  2. ☐ Allocate budget
  3. ☐ Confirm ownership (CTO, CISO, DPO)

Month 1-3

  1. ☐ NIS2 scope with lawyer
  2. ☐ Complete AI inventory
  3. ☐ DSAR workflow kickoff

Month 3-6

  1. ☐ ISMS implementation
  2. ☐ High-risk AI DPIA
  3. ☐ ISO 27001 preparation

Month 6-12

  1. ☐ ISO 27001 certification
  2. ☐ AI Act go-live
  3. ☐ NIS2 full compliance

Summary

Timeline: 8 months to AI Act deadline, 11 months to NIS2 deadline

Status: ON SCHEDULE, provided there are no delays on the critical items listed above (NIS2 scope, DSAR workflow, Incident Response Plan, high-risk AI assessments)

Investment: €150-200k (first year)

ROI: Avoiding penalties up to €55M + reputation protection


Prepared by: AI-Native Entry Framework™ Team
Version: 1.0 | Production Ready