Czechia Warns of Chinese Data Transfers and Espionage Risks to Critical Infrastructure

 

Czechia’s National Cyber and Information Security Agency (NÚKIB) has issued a stark warning about rising cyber espionage campaigns linked to China and Russia, urging both government institutions and private companies to strengthen their security measures. The agency classified the threat as highly likely, citing particular concerns over data transfers to China and remote administration of assets from Chinese territories, including Hong Kong and Macau. According to the watchdog, these operations are part of long-term efforts by foreign states to compromise critical infrastructure, steal sensitive data, and undermine public trust. 

The agency’s concerns are rooted in China’s legal and regulatory framework, which it argues makes private data inherently insecure. Laws such as the National Intelligence Law of 2017 require all citizens and organizations to assist intelligence services, while the 2015 National Security Law and the 2013 Company Law provide broad avenues for state interference in corporate operations. Additionally, regulations introduced in 2021 obligate technology firms to report software vulnerabilities to government authorities within two days while prohibiting disclosure to foreign organizations. NÚKIB noted that these measures give Chinese state actors sweeping access to sensitive information, making foreign businesses and governments vulnerable if their data passes through Chinese systems. 

Hong Kong and Macau also fall under scrutiny in the agency’s assessment. In Hong Kong, the 2024 Safeguarding National Security Ordinance integrates Chinese security laws into its own legal system, broadening the definition of state secrets. Macau’s 2019 Cybersecurity Law grants authorities powers to monitor data transmissions from critical infrastructure in real time, with little oversight to prevent misuse. NÚKIB argues that these developments extend the Chinese government’s reach well beyond its mainland jurisdiction. 

The Czech warning gains credibility from recent attribution efforts. Earlier this year, Prague linked cyberattacks on its Ministry of Foreign Affairs to APT31, a group tied to China’s Ministry of State Security, in a campaign active since 2022. The government condemned the attacks as deliberate attempts to disrupt its institutions and confirmed a high degree of certainty about Chinese involvement, based on cooperation among domestic and international intelligence agencies. 

These warnings align with broader global moves to limit reliance on Chinese technologies. Countries such as Germany, Italy, and the Netherlands have already imposed restrictions, while the Five Eyes alliance has issued similar advisories. For Czechia, the implications are serious: NÚKIB highlighted risks across devices and systems such as smartphones, cloud services, photovoltaic inverters, and health technology, stressing that disruptions could have wide-reaching consequences. The agency’s message reflects an ongoing effort to secure its digital ecosystem against foreign influence, particularly as geopolitical tensions deepen in Europe.