How Universities Can Effectively Manage Data and Meet New Cybersecurity Requirements

Universities across the Czech Republic are entering a period that fundamentally changes the demands on information and IT management. On November 1, 2025, a new Cybersecurity Act comes into effect, transposing the NIS2 Directive into Czech law. This recodification replaces the existing legal framework and extends the scope of obligations to public sector entities, including higher education institutions. Crucially, alongside technical measures, it emphasizes demonstrable processes and documentation – how institutions record, manage, and govern their data. The DGA (Data Governance Act) also comes into play, focusing on data governance and sharing.

The practical guide to this change is the NÚKIB Portal, through which organizations will fulfill notification and other obligations. The law sets a clear start date: from November 1, 2025, deadlines begin running, and universities will need to complete self-identification and report regulated services within a specified timeframe (typically 60 days), then demonstrate how they have implemented cybersecurity management and related processes. In practice, this means being able to prove what data we manage, where it's located, who's responsible for it, and how it's secured.

For universities that traditionally manage extensive datasets, from student records and research data to financial and HR systems, this transformation represents a significant challenge. How can they respond effectively with reasonable resource allocation?

Legislative Context of NIS2: What Does the Law Specifically Require?

The Cybersecurity Act (Zákon o kybernetické bezpečnosti) categorizes higher education institutions as critical information infrastructure entities or essential service providers, depending on their size and significance. This means obligations to:

  • Identify and categorize information assets, including data sources and their relationships
  • Implement information security management processes, which include data asset management
  • Ensure documentation of data flows and relationships between systems
  • Implement measures for personal data protection in compliance with GDPR
  • Regularly report on the state of cybersecurity and data management

Practical Minimum for Universities (Quick Steps)

  1. Map the regulatory impact (classification, obligation regime, deadlines; monitor the NÚKIB Portal)
  2. Establish glossaries and catalogs as a single source of truth (in line with the upcoming DGA framework/Czech data governance law, which emphasizes local catalogs, data dictionaries, and metadata in higher education, linked to NKOD)
  3. Inventory key data and reports
  4. Set up classification and access controls (linked to IAM) and audit trails
  5. Clarify data flows (lineage)

Why Data Governance Is the Shortest Path to Compliance with NIS2

Data governance offers universities a framework that translates legal requirements into daily practice and ensures demonstrable records, roles, and auditability (see NIS2 Directive, Articles 20–23). Beyond cybersecurity, the Czech law on data governance and controlled data access (DGA implementation) is being prepared. It emphasizes local catalogs, data dictionaries, and metadata in public administration, connected to the national catalog. These are areas where data governance provides concrete procedures and tools.

Instead of a one-time "documentation hunt," it creates systematic records of data assets, clear roles and responsibilities, glossaries of terms and data, and, most importantly, auditability. Where the law requires risk management, access control, the ability to analyze incident impacts, and unified terminology, governance provides a unified catalog, definitions, and transparent relationships between reports and source data. This enables leadership and IT to quickly determine where numbers in reports come from, who guarantees them, and what changes or incidents might affect them.

At the same time, governance naturally aligns with the trend of open and cataloged data in public administration. The state has long been building an environment for data and metadata records (NKOD – Národní katalog otevřených dat) and strengthening standards for their description and reuse. A university's internal catalog and glossaries stand "on the same side", helping introduce consistent metadata, quality, and traceability across faculties and agendas. The Digital and Information Agency manages the national catalog, coordinating digitalization standards and methodologies across public administration as part of the Digital Czechia (Digitální Česko) program.

What Every University Should Have to Pass an Audit

It's not about a long list but about solid foundations that can be implemented gradually and pragmatically. The core is a single source of truth: a central overview of data assets, unified definitions, and traceable relationships. At the strategic level, this means naming data owners and stewards, setting classification and access rules, and maintaining an audit trail of changes. At the operational level, you need to build a business glossary (so that "student," "enrollment," or "success rate" mean the same thing across the university), a data dictionary (so specific sources and attributes can be found), and a report catalog linked to sources. For reports that serve as decision-making bases for leadership, grant agencies, or accreditation processes, data lineage is essential: knowing the flow of data from source through transformations to final visualizations.

How to Start Smart: Small Pilot, Quick Value

It's proven effective to select 1–2 priority areas (e.g., academic and financial reporting) where the impact on decision-making and reputation is highest. Map key reports and their sources, unify definitions of the most-used terms, and build elementary lineage. Benefits usually appear within the first weeks: fewer disputes over "correct numbers," faster approvals, easier responses to legislative changes or incidents.

This approach has proven successful in education, delivering quick results and helping reduce disagreements about numbers.  

Dawiso as Support for Efficient Data Management

Dawiso is a data governance and data catalog platform that helps build these foundations quickly and sustainably. Unlike cumbersome solutions, it's designed for high adoption across faculties: specialist teams and "business" users work in one environment where they see the same thing.

  • Unified glossaries and catalog: Central records of terms, datasets, and reports, linked to owners and guarantors. Universities reduce the risk of fragmented definitions between faculties and departments.
  • Interactive data lineage: Overview of data flows from sources to outputs. During an incident or rule change, you can quickly estimate impact and decide on remediation priorities.
  • Roles, workflow, and audit trail: Controlled approvals, change history, and demonstrability, which is what auditors and cybersecurity regulations actually require.

Dawiso AI Context Layer for More Efficient Data Work and Generative AI

Building data governance the traditional way means weeks to months of mapping and documentation. The modern approach significantly accelerates this start, shortening the time needed to build a catalog from months to days and helping keep it continuously current. The AI Context Layer isn't a legislative requirement, but it is an accelerator that builds on well-managed data and helps teams quickly gain value from catalogs and glossaries.

  • Automatic business context generation – Analyzes metadata from source systems and suggests definitions, descriptions, and relationships between objects
  • Living business glossary – Instead of a static document, a living glossary emerges that continuously updates according to data changes
  • Human-in-the-loop validation – AI proposes, domain experts at the university confirm. Ensures accuracy at a fraction of the time compared to purely manual procedures
  • Integration into existing systems – Connection to student information systems, HR, finance, and data warehouses; Dawiso creates a unified layer of context and management over them

The result is a practical answer to two key questions: Do we meet legal requirements? And simultaneously: Are we increasing data quality and trustworthiness?

What to Watch for in the Coming Months

Legislative milestones are firmly set and will be reflected in control activities and state methodological activities. We recommend continuously monitoring NÚKIB information on law effectiveness and notification obligations through the NÚKIB Portal. It will become the main gateway not only for self-identification and reporting of regulated services but also for further communication and fulfilling obligations. If a university has implemented basic asset records, glossaries, and a report catalog, it significantly shortens the time between the obligation to "report something" and the ability to demonstrate content and quality of management.

Learn More at Our Webinar

Join us on November 4, 2025, for a live demonstration where we'll show what Data Governance entails, its benefits, and how to effectively implement it in a university environment. Together with our partner Dolphin Consulting, who is hosting this webinar, we'll walk through what a university business glossary and data dictionary can look like, how to link report catalogs to sources, and how generative AI accelerates initial catalog population and autolinking. Through practical scenarios from other sectors, we'll show how the same principles helped shorten the time from requirement changes to reporting updates and how lineage visualization simplifies impact analysis.

Register for the webinar: https://events.teams.microsoft.com/event/a5b59d32-57ed-4039-8425-cc754e8df38f@1856b27d-b96f-4580-841c-78e786c387c6

Petr Mikeška
Dawiso CEO
