The Czech Republic's National Cyber and Information Security Agency (NUKIB) is instructing critical infrastructure organizations in the country to avoid using Chinese technology or transferring user data to servers located in China.

The agency warned that these actions constitute a significant cybersecurity threat and should be entirely avoided unless there's a reasonable justification for continuing the practice.

The NUKIB states that it has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a "High" level, indicating a high probability of occurrence.

"Current critical infrastructure systems are increasingly dependent on storing and processing data in cloud repositories and on network connectivity enabling remote operation and updates," reads NUKIB's warning.

"In practice, this means that technology solution providers can fundamentally influence the operation of critical infrastructure and/or access important data, making trust in the reliability of the supplier absolutely crucial."

NUKIB noted that it has already confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs.

Additionally, the agency emphasizes that the Chinese government has access to data stored by private cloud service providers within the country, ensuring that sensitive data is always within its reach.

Apart from critical infrastructure, NUKIB also warns about consumer devices, such as smartphones, IP cameras, electric cars, large language models, and even medical devices and photovoltaic converters manufactured by Chinese firms.

These are all characterized as risky devices that can transfer potentially sensitive data to Chinese infrastructure.

All entities subject to the Czech Cybersecurity Act, including energy, transport, healthcare, public administration, financial services, and other critical industries, must adopt security measures to mitigate risks.

NUKIB's warning does not impose a ban on transferring data to the PRC or allowing remote administration from it, but critical infrastructure organizations must now include the threat in their risk analysis and decide what measures need to be applied to mitigate it.

The order, with its full text available here, is not legally binding for the general public.

However, NUKIB still recommends that Czech nationals carefully consider the bulletin and evaluate the products they use.