Czech Republic issues high-risk warning on Chinese data transfers after cyberattacks
The Czech Republic’s cybersecurity agency, NUKIB, has issued a high-level warning against transferring data to China or allowing remote administration of technical assets from Chinese territory, building on the government’s formal attribution of cyberattacks to Beijing earlier this year.
The National Cyber and Information Security Agency classified the threat as ‘High – The threat is likely to very likely’, it said, covering data transfers and remote administration involving mainland China, Hong Kong and Macau.
The warning last week follows the Czech government’s report in May blaming a ‘malicious cyber campaign’ targeting the Foreign Ministry on APT31, a hacking group allegedly associated with the Chinese intelligence service. ‘This group has been attacking one of the unclassified networks of the Ministry of Foreign Affairs of the Czech Republic since 2022,’ the agency said.
The Czech foreign ministry said in May that an investigation by the security and military services and other ministries had reached ‘a high degree of certainty about the responsible actor’, namely the People’s Republic of China, as the country is officially known.
NÚKIB Director Lukáš Kintr said in last week’s notice that ‘the security threat posed by the PRC to the Czech Republic in this context should not be taken lightly,’ citing Chinese Foreign Minister Wang Yi’s comments in July that ‘the PRC does not wish for Russia to lose the war in Ukraine’.
The cybersecurity agency warned that Chinese laws create particular risks by requiring companies and citizens to assist state authorities in intelligence activities. NÚKIB said the legal framework allows Chinese authorities unlimited access to all data transferred to the PRC and enables remote administration of technical assets, posing threats to systems that ‘ensure the provision of very important services in the Czech Republic’.
The agency noted that other European countries including Belgium and the United Kingdom have attributed cyberattacks to Chinese government-linked groups, while nations like Italy, Germany, the Netherlands and Australia have restricted certain Chinese technologies over data concerns.
NÚKIB’s warning does not constitute a direct ban but requires regulated entities to evaluate the threat during procurement and security assessments. The agency recommended that the public ‘carefully assess the use of the affected products and technologies’ and consider ‘what kind of information they put into them’.
The agency specifically advised individuals in senior political, public or decision-making positions to consider restricting technologies that could transfer data to China or enable remote administration from Chinese territory.
Several European countries have restricted Chinese equipment from critical infrastructure amid security concerns. Germany ordered operators to remove Huawei and ZTE components from 5G core networks by 2026, while Sweden banned the companies entirely and required removal of existing equipment. The UK reversed course in 2020, banning Huawei after initially allowing limited participation, while France has effectively limited Chinese equipment to just 11% of its 5G networks through strict restrictions.
An email for comment to the Chinese embassy in Prague did not receive an immediate response.
