The Czech Republic’s National Cyber and Information Security Agency (NUKIB) has issued a new directive warning critical infrastructure operators to avoid using Chinese technology and to refrain from transferring sensitive data to servers located in China. The agency has elevated its risk estimate for Chinese cyber-related threats to a “High” level, citing confirmed malicious activity by Chinese cyber actors and the growing reliance of essential systems on foreign technology providers.
Elevated Risk Assessment for Chinese Cyber Threats
NUKIB stated that it had re-evaluated its assessment of the risks posed by Chinese technology in critical infrastructure. The agency now categorizes the likelihood of disruptions caused by China as “High,” signaling a strong probability of future incidents.
According to the bulletin:
“Current critical infrastructure systems are increasingly dependent on storing and processing data in cloud repositories and on network connectivity enabling remote operation and updates. In practice, this means that technology solution providers can fundamentally influence the operation of critical infrastructure and/or access important data, making trust in the reliability of the supplier absolutely crucial.”
Confirmed Malicious Cyber Activity Targeting Czech Institutions
The agency also highlighted that Chinese state-linked threat groups have already engaged in hostile activity against Czech institutions. Notably, NUKIB confirmed that APT31, a Chinese advanced persistent threat actor, had recently conducted operations targeting the Czech Ministry of Foreign Affairs.
NUKIB emphasized that these activities reinforce the broader security risks of allowing Chinese technology providers access to sensitive systems and data.
Chinese Government Access to Data Stored Domestically
A core concern raised by NUKIB is the legal framework in China, which allows the Chinese government to access data stored on servers operated by private cloud service providers inside the country.
This legal environment, the agency explained, means that sensitive data stored with Chinese technology firms is never fully beyond the reach of state authorities. For organizations handling critical infrastructure operations, this risk significantly undermines trust and creates potential for exploitation.
Broader Range of At-Risk Devices Beyond Infrastructure
While the focus of the warning is on critical infrastructure, NUKIB also drew attention to consumer and enterprise devices manufactured by Chinese firms. These include:
- Smartphones
- IP cameras
- Electric vehicles
- Large language models
- Medical devices
- Photovoltaic converters
The agency explained that these devices could pose risks by transmitting sensitive user or operational data back to infrastructure in China, even when used outside of critical sectors.
Obligations for Critical Infrastructure Operators
NUKIB’s warning is particularly directed at organizations covered by the Czech Cybersecurity Act, which operate in sectors such as:
- Energy
- Transportation
- Healthcare
- Public administration
- Financial services
These organizations must now integrate the elevated threat level into their official risk assessments. While NUKIB’s order does not impose a full ban on using Chinese technology or transferring data to China, it requires operators to account for the risks and implement mitigation measures where necessary.
Guidance for the General Public
Though the warning is not legally binding for ordinary citizens, NUKIB has advised the general public to carefully consider its findings when evaluating the technology products they use. The agency recommended that Czech nationals remain cautious about Chinese-made consumer devices, given the possibility of sensitive data being transferred to Chinese-controlled infrastructure.
The warning underscores the growing intersection between cybersecurity and geopolitics. As critical infrastructure increasingly depends on cloud services, remote connectivity, and global supply chains, decisions about vendor trustworthiness carry far-reaching implications for national security and economic stability.
For the Czech Republic, the elevated threat level signals both a recognition of past Chinese cyber operations and a proactive attempt to shield critical sectors from further exposure.