In a significant move to bolster national security, the Czech Republic’s leading cyber defense authority has issued a stark warning against the use of Chinese technology within the nation’s critical infrastructure. The directive underscores growing global concerns about digital sovereignty and foreign cyber influence.

The High-Risk Directive from NUKIB

The National Cyber and Information Security Agency (NUKIB) has formally advised all critical infrastructure organizations in the Czech Republic to immediately cease using technology from Chinese vendors. Crucially, the agency also mandates that these organizations stop transferring user data to servers located within China. This guidance stems from a comprehensive re-evaluation of threats, with NUKIB now classifying the risk of significant disruptions originating from China as “High”—indicating a high probability of occurrence.

This elevated threat level reflects the modern reality of critical systems. As NUKIB’s warning states, today’s infrastructure is deeply reliant on cloud storage, data processing, and remote network connectivity for operations and updates. This dependence means that technology providers inherently possess significant influence over the functionality of essential services and access to sensitive data, making absolute supplier trust a non-negotiable requirement.

Why Chinese Technology Poses a Threat

NUKIB’s warning is not based on theory alone. The agency confirms it has evidence of malicious cyber activities by Chinese state-aligned actors targeting Czech entities. This includes a recent campaign by the group known as APT31, which successfully targeted the Czech Ministry of Foreign Affairs.

Beyond direct cyber-attacks, the warning highlights a fundamental legal concern. The agency emphasizes that under Chinese laws, the government maintains broad access to data housed by private cloud service providers within its borders. This ensures that any sensitive information stored on Chinese servers is potentially accessible to state authorities, creating an unavoidable data sovereignty risk.

A Broad Spectrum of At-Risk Devices

The advisory extends far beyond servers and corporate IT. NUKIB characterizes a wide range of consumer and industrial devices manufactured by Chinese firms as potential risks. This includes:

• Smartphones and IP cameras
• Electric vehicles and photovoltaic converters
• Large language models (LLMs) and AI tools
• Medical devices and diagnostic equipment

These devices, the agency warns, can act as conduits, transferring potentially sensitive data back to infrastructure located in China without the user’s full knowledge.

Mandatory Actions for Critical Sectors

While not an outright ban, the directive carries significant weight. All entities governed by the Czech Cybersecurity Act—spanning energy, transport, healthcare, public administration, and financial services—are now required to incorporate this high-risk threat into their formal risk analyses. They must then decide and implement appropriate security measures to mitigate the danger effectively.

Although the order is not legally binding for the general public, NUKIB strongly recommends that all Czech citizens and private organizations carefully consider the bulletin and critically evaluate the technology products they use daily. This move positions the Czech Republic alongside other nations taking a firmer stance on technology sourcing to protect national security in an increasingly digital world.