NIS2 Slovenia: what you need to know about compliance and certification

NIS2 Slovenia

The original NIS Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 (NIS1) was introduced to strengthen cyber security within the EU. Because of the growing threat of cyber attacks, it was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements on a broader range of entities in order to increase the resilience of critical infrastructure against cyber attacks.

The NIS2 Directive was transposed into Slovenian law through the Information Security Act (Zakon o informacijski varnosti, ZInfV-1), hereinafter the NIS2 Act, which has been in force since 19 June 2025.

On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how to prepare for the new regulations.

The content of this page is subject to change and will be updated as needed.

NIS2 entities

The Slovenian NIS2 Act applies to both legal entities and natural persons (collectively referred to as ‘entities’) registered in Slovenia that provide products and/or services in an EU country. The Slovenian NIS2 Act largely mirrors the European NIS2 Directive.

The NIS2 Act explicitly defines which public and private entities are subject to cybersecurity obligations and distinguishes between essential entities and important entities. Three factors determine the categorisation: the services offered, the size of the entity and the location of the entity.

In principle, your entity falls under the Slovenian NIS2 Act when:

  1. Your organisation provides services within a sector listed in Annex I or Annex II of the NIS2 Act;
  2. Your organisation qualifies as a medium-sized or large enterprise (i.e. it meets or exceeds the thresholds for a medium-sized enterprise); and
  3. Your organisation is established in Slovenia. The exception is providers of public electronic communication networks and providers of public electronic communication services: these are covered by the Slovenian NIS2 Act if they provide services on Slovenian territory, regardless of where they are established.

Criteria 1: services provided

Annexes I and II of the Slovenian NIS2 Act list the sectors that fall within its scope. It is therefore very important to analyse thoroughly, by (sub)sector, which services you provide to third parties.

Annex I: Highly critical sectors
  • Energy
    • Electricity
    • District heating and cooling
    • Oil
    • Gas
    • Hydrogen
  • Transport
    • Air
    • Rail
    • Water
    • Road
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Annex II: Other critical sectors
  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Manufacture, processing and distribution of food
  • Manufacturing
    • Medical devices and in vitro diagnostic medical devices
    • Computer, electronic and optical products
    • Electrical equipment n.e.c.
    • Machinery and equipment n.e.c.
    • Motor vehicles, trailers and semi-trailers
    • Other transport equipment
  • Digital providers
  • Research
  • Public administration

If your organisation provides a service from the above list, your organisation may fall within the scope of the NIS2 Act.

For financial entities covered by the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), DORA’s sector-specific rules on ICT risk management and incident reporting take precedence over the corresponding obligations under the Slovenian NIS2 Act.

Criteria 2: company size

In addition to the services provided, the size of the entity is decisive for determining whether your organisation falls within the scope of the Slovenian NIS2 Act. Whether an organisation counts as a small, medium-sized or large enterprise is determined according to the EU SME definition (Commission Recommendation 2003/361/EC), which looks at headcount, annual turnover and balance sheet total. In principle, medium-sized and large enterprises must comply with the obligations under the NIS2 Act.

In addition, the Act applies to the following specific providers regardless of the size of the entity:

  • Providers of public electronic communication networks or services
  • Central government agencies
  • Trust service providers
  • Top-level domain name registries
  • DNS service providers

Moreover, the Act also applies to entities regardless of their size if their activities are crucial to society or the economy. This is the case if:

  • They provide a service that is essential for critical societal or economic activities and that no other provider offers
  • A disruption of their services would have a significant impact on public order, public security or public health
  • An incident affecting them could cause systemic risk, in particular with cross-border implications
  • They are of strategic or vital importance at national or regional level, for example because other sectors depend on them

Criteria 3: established entity in Slovenia

In principle, the Slovenian NIS2 Act applies only to entities with an establishment in Slovenia. By way of exception, the following entities are also subject to the Slovenian NIS2 Act:

  • Providers of public electronic communication networks or providers of public electronic communication services that offer their services in Slovenia;
  • DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines or social networking service platforms, if their main establishment is in Slovenia or, where they have no establishment in the EU, if their designated EU representative is in Slovenia;
  • Public bodies established by Slovenia.

Beyond the three criteria above, an organisation that does not meet them may still be affected by the NIS2 Act in two ways: the national authority may designate it as an essential or important entity, or it may form part of the supply chain of an NIS2 entity, which must then impose security requirements on its suppliers.

What does this mean for my business?

1. Registration

The supervisory authority, URSIV, must maintain a list of the essential and important entities under its jurisdiction. Essential and important entities are required to register with URSIV no later than 30 days after they fall within the scope of the Slovenian NIS2 Act. Entities that were already in scope when the Act entered into force must register within 6 months of that date.

Until the self-registration system is operational, which should be no later than 4 months after entry into force, the registration information is to be sent in digital form to the e-mail address of the competent national authority.

2. Management measures

If your organisation is categorised as an essential or important entity, it is responsible for implementing appropriate and proportionate technical and organisational measures to ensure the security of its network and information systems. These cybersecurity management measures cover at least:

  • Integration of cybersecurity into the annual plan, with management support
  • Personnel security checks before, during and after employment
  • Basic cyber hygiene practices and cybersecurity training
  • Identity verification, access management and protection of personnel data
  • Management and execution of backups, including restore testing
  • Retention of log files in accordance with legal requirements
  • Secure management of the network and information systems in use (asset management, configuration and change management)
  • Policies and procedures for the use of cryptography and, where appropriate, encryption
  • Security of network and communication systems
  • Supply chain security, including security requirements for suppliers and service providers
  • Physical and technical security of critical IT areas
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
  • Incident management
  • Protection against malware and detection of intrusion attempts
  • Use of multi-factor authentication where appropriate
  • Use of secure voice, video and text communications and secure emergency communication systems within the entity, where applicable
  • Policies and procedures regarding the use of cloud services

The European Commission has specified these minimum cybersecurity measures in detail in Commission Implementing Regulation (EU) 2024/2690 for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking service platforms, and trust service providers.

3. Reporting obligation of significant incidents

Essential and important entities are required to notify the national Computer Security Incident Response Team (CSIRT), SI-CERT, when a significant incident occurs. They must also notify the recipients of their services where the significant incident affects the provision of services in the Annex I and II (sub)sectors.

An incident is considered significant if:

  • It has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or
  • It has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

The essential or important entity reports the significant incident by e-mail to cert@cert.si, in the following stages:

  1. Without undue delay and in any event within 24 hours of becoming aware of the significant incident, the entity submits an early warning indicating, where applicable, whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact;
  2. Without undue delay and in any event within 72 hours of becoming aware of the significant incident, the entity submits an incident notification that updates the early warning and gives an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise;
  3. At the request of SI-CERT, the entity submits an intermediate report with relevant status updates;
  4. No later than 1 month after submitting the incident notification, the entity submits a final report containing:
    1. A detailed description of the incident, including its severity and impact;
    2. The type of threat or root cause that likely triggered the incident;
    3. Mitigation measures applied and ongoing;
    4. The cross-border impact of the incident, where applicable.
  5. If the incident is still ongoing one month after the incident notification, the entity submits a progress report at that point and a final report within one month of the incident being handled.

The European Commission has defined the criteria for a significant incident in Commission Implementing Regulation (EU) 2024/2690 for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking service platforms, and trust service providers. These sector-specific rules take precedence over the national rules in case of inconsistency.

Finally, all entities, whether or not they fall within the scope of the NIS2 Act, can voluntarily report incidents, cyber threats and near misses to SI-CERT.


4. Management obligations and responsibilities

The governing bodies of essential and important entities are responsible for compliance with the NIS2 Act and must fulfil several obligations, including:

      • Approving the cybersecurity management measures and overseeing their implementation
      • Undergoing training at least once every four years so that they have sufficient knowledge and skills to identify risks and assess cybersecurity measures and their impact on the entity’s services
      • Ensuring continuous cybersecurity training for the entity’s employees
      • Ensuring annual refresher training for all managers of information and communication systems

Governing bodies can be held liable for the entity’s non-compliance with the NIS2 Act.

5. Cooperating with authorities

Essential and important entities must cooperate with the national authorities. This includes sharing information on the security of their network and information systems, reporting incidents, and cooperating with the inspectorate during supervision.

How can I demonstrate that my company is in compliance with NIS2 legislation?

As indicated in the ‘Enforcement and sanctions’ section, competent authorities conduct inspections of essential and important entities for compliance with the NIS2 Act.

Essential entities must undergo a compliance assessment, and important entities must carry out a self-assessment, at least every two years or after a significant incident. On the basis of an independent compliance assessment by an accredited Conformity Assessment Body (CAB), an entity can obtain a certificate that demonstrates its compliance with the NIS2 Act to its stakeholders. An important international standard that can be used for this purpose is ISO/IEC 27001, whose control set covers most of the management measures listed above.


Enforcement and sanctions

The competent authority supervises the compliance of cyber security entities with the requirements. The supervisory regime differs for essential and important entities:

  • Essential entities are supervised both proactively (ex ante) and reactively (ex post) and must undergo regular compliance assessments.
  • Important entities are in principle supervised only reactively, following an incident or where there is evidence or an indication of non-compliance with the law.

The Slovenian NIS2 Act provides for specific sanctions for entities that fail to comply with the legal provisions. These sanctions vary depending on the nature and severity of the breach and are divided into administrative measures and administrative fines.

Administrative measures that may be imposed include warnings, binding instructions to take specific measures, orders to inform the recipients of services of a threat, and, for essential entities, a temporary prohibition on natural persons exercising managerial functions.

The administrative fines are also laid down by law: for an essential entity, up to €10,000,000 or 2% of its total worldwide annual turnover, whichever is higher; for an important entity, up to €7,000,000 or 1.4% of its total worldwide annual turnover, whichever is higher. In addition, the responsible person of a legal entity, a natural person, or a public authority can be fined up to €10,000 in the case of an essential entity and up to €7,000 in the case of an important entity for a breach of the rules.

Timeline

  • 17 October 2024: deadline for EU member states to transpose the NIS2 Directive into national law
  • 19 June 2025: Slovenian NIS2 Act (ZInfV-1) enters into force
  • 19 December 2025 (6 months after entry into force), or within 30 days of receiving the decision that the entity falls under the NIS2 Act: the entity must register with URSIV

Competent authorities

In Slovenia, there are several important national authorities involved in the implementation of the NIS2 Act, each with specific but complementary tasks.

The Information Security Agency of the Republic of Slovenia (URSIV) acts as the National Cyber Security Coordination Centre (NCC-SI). It is responsible for enforcing cyber security obligations, coordinating national policy, supervising the implementation of risk management measures, and representing Slovenia in European cyber security cooperation structures.

SI-CERT, the Slovenian Computer Emergency Response Team, is the national CSIRT: it handles incidents, provides technical support and alerts, and cooperates with domestic partners and the European CSIRTs network. SIGOV-CERT, the government CSIRT, handles cyber security incidents within government institutions and acts as the sector-specific CSIRT for state infrastructure.

Finally, the Ministry of Digital Transformation develops and supports cyber security policy and legislation, including work on digital resilience and the transposition of the NIS2 Directive into national law. Together, these bodies form a coordinated national system aimed at strengthening Slovenia’s cyber resilience in line with its EU obligations.