NIS2 Slovakia: what you need to know about compliance and certification

NIS2 Slovakia

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope to increase the resilience of critical infrastructures against cyber attacks.

The NIS2 Directive was transposed into Slovak law through the Cyber Security Act (366/2024), hereinafter referred to as the NIS2 Act, which has been in force since 1 January 2025.

On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how you can prepare for the new regulations.

The content of this page is subject to change and will be updated as necessary.

NIS2 entities

The Slovak NIS2 Act applies to both legal entities and natural persons (collectively referred to as ‘entities’) registered in Slovakia that provide products and/or services in an EU country.

The NIS2 Act explicitly specifies which public and private entities are subject to the cybersecurity obligations. A distinction is made between essential entities and important entities. The categorisation of entities takes into account the services provided, the size of the entity and the location of the entity.

In principle, your entity is subject to the Slovak NIS2 Act if:

  1. Your organisation provides services within a sector listed in Annex I or Annex II of the NIS2 Act;
  2. Your organisation exceeds the thresholds for medium-sized enterprises; and
  3. Your organisation is established in Slovakia. The exception is providers of public electronic communications networks and providers of public electronic communications services, which are subject to the Slovak NIS2 Act if they provide services on Slovak territory.

Criterion 1: services provided

Annexes I and II of the Slovak NIS2 Act describe the sectors that fall within its scope. It is therefore very important to thoroughly analyse the services you provide to third parties by (sub)sector.

The Slovak NIS2 Act differs from the NIS2 Directive in this respect. The amended (sub)categories are shown in italics.

Annex I: Very critical sectors

Energy
  • Electricity
  • Thermal energy
  • District heating and cooling
  • Oil
  • Natural gas
  • Hydrogen
Transport
  • Air
  • Rail
  • Water
  • Road
Finance
  • Banking
  • Financial market infrastructure
  • Public finance management systems
Health
Water and atmosphere
  • Drinking water
  • Wastewater
  • Meteorological service
  • Water structures
Digital infrastructure supervised by the Ministry of Transport
Digital infrastructure supervised by the National Security Authority
Digital infrastructure supervised by the Ministry of the Interior
Digital infrastructure supervised by the Ministry of Defence
Management of ICT services (business-to-business)
Government services supervised by the Ministry of the Interior
Government services supervised by the Ministry of Finance
Government services supervised by MIRRI
Space

Annex II: Other critical sectors

Postal and courier services
Waste management
Manufacture, production and distribution of chemicals
Production, processing and distribution of food
Manufacture
  • Medical devices and in vitro diagnostic medical devices
  • Computer, electronic and optical products
  • Electrical equipment
  • Machinery and equipment n.e.c.
  • Motor vehicles, trailers and semi-trailers
  • Other transport equipment
Digital providers
Research

If your organisation provides a service from the above overview, your organisation may fall within the scope of the NIS2 Act.

Criterion 2: company size

In addition to the services provided, the size of the entity is also decisive in determining whether your organisation falls within the scope of the Slovak NIS2 Act. First determine whether your organisation is a small, medium-sized or large enterprise. In principle, medium-sized and large enterprises must comply with the obligations under the NIS2 Act.

The law also applies to the following specific providers, regardless of the size of the entity:

  • Providers of public electronic communications networks or services
  • Providers of trust services
  • TLD administration
  • Domain name registry operators

Furthermore, the law also applies to entities, regardless of their size, if their activities are crucial to society or the economy. This is the case if:

  • They provide services that are essential for critical societal or economic functions and are not provided by other providers
  • A disruption of their services would have a significant impact on public order, safety or public health
  • An incident at them could cause systemic risks with cross-border consequences
  • They are of strategic or vital importance at national or regional level, for example due to dependencies in other sectors

Criterion 3: entity established in Slovakia

In principle, the Slovak NIS2 Act can only apply to entities established in Slovakia. However, the following entities are subject to the Slovak NIS2 Act by way of exception:

  • Providers of public electronic communications networks or providers of public electronic communications services offering their services in Slovakia;
  • DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as online marketplace providers, online search engines and social networking service platforms, if they have their principal place of business in Slovakia or, where they have no establishment within the EU, if their legal representative for the EU is located in Slovakia;
  • Public authorities established by Slovakia.

In addition to the three criteria above, bear in mind when analysing the scope of the NIS2 Act that an organisation outside its scope may still be affected by it: the national authority may designate the entity as essential or important, or the organisation may be part of the supply chain of a NIS2 entity.

What does this mean for my company?

1. Registration

The supervisory authority must keep a list of essential and important entities under its jurisdiction. These entities must register by completing the form sent via the central government portal. Registration is based on self-identification, whereby organisations must determine for themselves whether they fall within the scope of the Slovak NIS2 Act; see the section on ‘NIS2 entities’ for more information.

Registration must be submitted within 60 days of the start of the relevant activities. To do so, the entity must complete the official form and submit it electronically via the portal, after which it will receive confirmation.

The following information must be provided upon registration:

  • Name of the organisation
  • Sector and subsector
  • Address of the establishment(s) where the services are provided
  • Address of the registered office or representative (if applicable)
  • Contact details of the entity and its legal representative
  • Overview of EU Member States where the services are provided
  • IP address ranges

Any changes to this information must be reported via the portal.

For entities that were already registered before 1 January 2025, the transition to the new register will happen automatically and no action is required.

2. Management measures

If your organisation is categorised as an essential or important entity, this means that you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These cybersecurity management measures include at least:

  • Secure management of network and information systems used
  • Management of vulnerabilities and cyber threats
  • Asset management and cyber threat and risk management
  • Incident management
  • Security in the acquisition, development and maintenance of network and information systems, including the response to and disclosure of vulnerabilities
  • Policies and procedures to assess the effectiveness of measures for managing cyber security risks
  • Policies and procedures for the use of cryptography and, where appropriate, encryption
  • Personnel security and competencies
  • Identity verification, access management and security of personnel data
  • Business continuity and crisis management and, where necessary, the use of secure backup systems
  • Protection against malware and detection of intrusion attempts
  • System security, network security and communication security
  • Monitoring, logging and reporting of events
  • Physical and technical security of critical IT areas
  • Data protection, privacy and information classification
  • Supply chain security
  • Purchase and use of certified ICT products, services and processes

The European Commission has elaborated in the implementing regulation 2024/2690 the above minimum cybersecurity measures for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers.

3. Reporting obligation of significant incidents

Essential and important entities are required to notify the national Computer Security Incident Response Team (CSIRT), namely SK-CERT, when a significant incident occurs. In addition, they must also notify the recipients of their services if the significant incident affects the provision of services relating to the (sub)sectors listed in Annexes I and II.

An incident is considered significant if:

  • The incident has led or may lead to serious disruption of services or financial losses for the affected entity, or
  • The incident has affected or may affect other natural or legal persons by causing significant material or immaterial damage.

The significant incident shall be reported by the essential and important entity by email to incident@nbu.gov.sk or via the online form in accordance with the following procedure:

  1. Without delay and in any event within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning, stating the probable cause and any cross-border implications;
  2. Without delay and in any event within 72 hours of becoming aware of the significant incident, the entity shall submit an incident report containing an update of the information and an initial assessment of the incident;
  3. At the request of the competent CSIRT, the entity shall submit an interim report;
  4. No later than one month after the incident report, the entity shall submit a final report stating:
    1. A detailed description of the incident, as well as its severity and consequences;
    2. The type of threat or root cause that is likely to have led to the incident;
    3. Applied and ongoing risk mitigation measures;
    4. The cross-border consequences of the incident, if applicable.
  5. If the incident is still ongoing one month after the incident report, the entity must submit a progress report at that point and a final report within one month of the incident being resolved.

The European Commission has defined the criteria for a significant incident in the implementing regulation 2024/2690 for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers. These special rules take precedence over national rules in case of inconsistencies.

Finally, all entities, regardless of whether they fall within the scope of the NIS2 Act, can voluntarily report (significant) incidents, cyber threats and near misses to the SK-CERT. Essential and important entities are also required to report near misses and vulnerabilities.

4. Management obligations and responsibilities

The management bodies of essential and important entities are responsible for compliance with the NIS2 Act and must fulfil various obligations, including:

  • Approving cyber security management measures and monitoring compliance with them
  • Undertaking training to ensure they have sufficient knowledge and skills to identify risks and assess control measures and their impact on their services
  • Ensuring that the entity's employees receive ongoing training in the field of cyber security

The management bodies are liable for non-compliance with the NIS2 Act.

5. Cooperating with authorities

Essential and important entities must cooperate with the national authorities. This concerns the exchange of information on the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.

How can I demonstrate that my company is in compliance with the NIS2 legislation?

As indicated in the chapter ‘Enforcement and sanctions’, the competent authorities carry out inspections of essential and important entities to ensure compliance with the NIS2 Act.

To prove compliance with the NIS2 regulations, either internal self-assessments or external audits are carried out.

Essential entities must undergo an external audit every two years, carried out by an independent, accredited Conformity Assessment Body (CAB). Important entities may also be subject to such audits, depending on their risk profile. The results of these audits must be reported to the National Security Authority (NBU) and any shortcomings must be remedied within a specified period. Based on an independent conformity assessment by a CAB, the entity can obtain a certificate that demonstrates compliance with the NIS2 Act to its stakeholders.

In addition, entities may also carry out self-assessments. These internal assessments enable entities to proactively monitor their security level and make adjustments where necessary. Although self-assessments are not a substitute for external audits, they are a valuable tool for continuous compliance.

Although the law does not impose specific certification standards, it leaves room for the use of internationally recognised frameworks such as ISO/IEC 27001.

Enforcement and sanctions

The competent authority carries out inspections to verify compliance with the requirements by cyber security entities. A distinction must be made between essential and important entities:

  • Essential entities are checked both proactively (ex-ante) and reactively (ex-post) and are required to undergo regular conformity assessments.
  • Important entities are in principle only checked reactively, after an incident or in the event of suspected non-compliance with the law.

The Slovak NIS2 Act provides for specific sanctions for entities that fail to comply with the legal provisions. These sanctions vary according to the nature and severity of the infringement and are divided into administrative measures and administrative fines.

Possible administrative measures that may be imposed include issuing warnings, temporarily prohibiting the performance of management functions, requiring the entity to take certain measures, etc.

Administrative fines that may be imposed are also laid down by law and can amount to up to 10,000,000 euros or 2% of the total worldwide annual turnover of the essential entity and up to 7,000,000 euros or 1.4% of the total worldwide annual turnover of the important entity. In addition, the Slovak NIS2 Act provides for additional fines for non-compliance with operational obligations, such as failure to register, failure to carry out audits or self-assessments in accordance with legal requirements, or failure to take corrective measures within the specified time limit.

Timeline

  • 17 October 2024: initial deadline for EU Member States to transpose the NIS2 Directive into national law
  • 1 January 2025: Slovak NIS2 law enters into force
  • 1 March 2025: Deadline for re-registration of existing entities
  • Within 12 months of registration: implementation of management measures
  • 31 December 2026: Deadline for external cyber security audit for essential entities

Competent authorities

In Slovakia, several important national authorities are involved in the implementation of the NIS2 Act, each with specific but complementary tasks.

The Národný bezpečnostný úrad (NBU) is the central supervisory authority for cybersecurity and the implementation of the NIS2 Act. The NBU manages the register of essential and important entities, monitors compliance with the law, handles incident reports and maintains communication with European bodies such as ENISA. The registration of entities and the reporting of incidents are done via the national government portal, which is managed by the NBU.

Within the NBU, the national CSIRT (Computer Security Incident Response Team), SK-CERT, is responsible for handling cyber incidents, supporting affected organisations in their recovery and raising cyber awareness through analysis, training and education. SK-CERT cooperates with other CSIRTs within the EU and is the operational point of contact for incident response.

In addition, there are also sectoral supervisory authorities, depending on the sector in which the entity operates. These authorities work together with the NBU and include:

  • The Ministry of Health
  • The Ministry of Transport
  • The National Bank of Slovakia
  • The Ministry of the Interior

Finally, MIRRI (the Ministry of Investments, Regional Development and Informatization) is involved in policymaking and digitisation strategy, and supports the implementation of NIS2 legislation at national level.