NIS2 Country Guide

NIS2 Slovenia: Information Security Act (ZInfV-1)

Learn how Slovenia has transposed the NIS2 Directive through the new Information Security Act (Zakon o informacijski varnosti, ZInfV-1), which entered into force on 19 June 2025, replacing the previous 2018 act and introducing stricter cybersecurity obligations for essential and important entities across the Slovenian economy.

  • Slovenia NIS2 law in force: 2025
  • National law: Information Security Act (ZInfV-1)
  • NIS2 authority: URSIV

Introduction: NIS2 Directive & the Slovenian context

Slovenia previously regulated cybersecurity through the 2018 Information Security Act (ZInfV), which implemented the original NIS Directive and created a national framework for operators of essential services, digital service providers and key state systems.

The arrival of Directive (EU) 2022/2555 (NIS2) required a comprehensive overhaul. The new Information Security Act (ZInfV-1) goes beyond a simple alignment exercise: it replaces the old act, broadens the number and types of entities in scope, increases minimum security requirements, tightens incident-reporting deadlines and introduces stronger supervision and sanctions.

NIS2 implementation in Slovenia

Slovenia has transposed NIS2 through the Information Security Act (ZInfV-1), adopted by the National Assembly in spring 2025, published in the Official Gazette on 4 June 2025 and in force since 19 June 2025. ZInfV-1 implements the NIS2 Directive and also aligns Slovenian law with the EU Critical Entities Resilience (CER) framework.

ZInfV-1 replaces and updates the previous Information Security Act (ZInfV) from 2018. It establishes a modern national cybersecurity system, clarifies roles and responsibilities, and significantly expands the set of obliged entities to include both private and public sector organisations across all NIS2 sectors and some additional national priorities such as research and higher education.

The act follows the NIS2 structure but adds national detail through annexes that list covered sectors, sub-sectors, specific laws and public administration entities, as well as technical requirements and implementation deadlines.

Status

NIS2 is fully transposed in Slovenia. ZInfV-1 has been in force since 19 June 2025 and now serves as the core national cybersecurity law for NIS2-relevant entities.

Legal structure

ZInfV-1 is a horizontal act that defines scope, obligations, authorities, registry rules and sanctions for essential and important entities, supported by implementing acts and annexes that specify sectors, public bodies and detailed requirements.

Transition from old law

Entities previously regulated under the 2018 act are migrated into the new regime and must comply with ZInfV-1’s stricter risk-management, reporting and governance requirements within defined transition periods.

NIS2 Slovenia: what you need to know about compliance

ZInfV-1 mirrors the NIS2 distinction between essential entities and important entities, and uses annexes to list in-scope sectors, services and public bodies. It adopts the NIS2 size-cap rule (medium and large entities) but also includes some size-independent entities where national risks justify it.

Who is in scope?

  • Entities operating in NIS2 Annex I sectors of high criticality (energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure, public administration, etc.).
  • Entities in NIS2 Annex II sectors (postal and courier services, waste management, food, manufacturing of critical products, ICT service management, research, etc.).
  • Additional Slovenian sectors such as research and higher education institutions, explicitly brought into scope by ZInfV-1.
  • Size-independent entities such as DNS and TLD operators, trust-service providers, major cloud providers and certain central ICT system operators for the state.

Core obligations

  • Implement technical and organisational measures for information and cybersecurity based on risk, aligned with NIS2 Article 21 and detailed in ZInfV-1 and secondary acts.
  • Maintain policies and procedures for asset management, access control, network and system security, vulnerability and patch management, backup and recovery, logging and monitoring.
  • Prepare and maintain incident-management plans and business continuity / disaster recovery procedures covering cyber incidents.
  • Report significant incidents and certain cyber threats to SI-CERT within strict deadlines (initial notification typically within 24 hours, followed by updates and a final report).
  • Manage supply-chain cybersecurity risk, including security, audit and notification clauses in contracts with key suppliers and service providers.
  • Ensure that management bodies approve cybersecurity strategies, oversee implementation and regularly receive training and reporting on cyber risk.

Deadlines & transition period

ZInfV-1 introduces a phased approach: essential and important entities must implement the core risk-management measures within a defined period after the law’s entry into force (generally within 18 months for risk-management measures, with further time limits for some detailed requirements and audits).

Key takeaway: Even though ZInfV-1 has only recently entered into force, the compliance clock is already ticking. Entities should not wait for inspections or additional guidance before starting their NIS2/ZInfV-1 programmes.

Competent authorities & CSIRTs

Slovenia uses a coordinated model in which the Government Information Security Office (URSIV) leads NIS2 supervision and strategy, while SI-CERT handles incident response and AKOS covers electronic communications and certain digital providers.

| Role | Authority | Notes |
|---|---|---|
| NIS2 authority & Single Point of Contact | Government Information Security Office (URSIV) | Acts as the main NIS2 authority and coordinator, prepares legislation and guidance, oversees the national cybersecurity system, participates in EU cooperation networks and coordinates response to large-scale cyber crises. |
| National CSIRT | SI-CERT (Slovenian Computer Emergency Response Team) | Receives incident reports from essential and important entities, runs 24/7 incident intake and triage, issues alerts and advisories, and coordinates technical response with impacted entities and international partners. |
| Sectoral authority (telecom & digital services) | AKOS (Agency for Communication Networks and Services) | Acts as the sectoral regulator and NIS2 authority for certain electronic communications and digital service providers, including registry and compliance oversight for those entities. |
| Other sectoral authorities | Relevant ministries and regulators | In sectors such as energy, finance, transport, health and critical infrastructure, ministries and regulators support URSIV and SI-CERT with sector-specific supervision, inspections and follow-up. |

NIS2 timeline & key dates (Slovenia)

2018 — Original Information Security Act (ZInfV) adopted, implementing the first NIS Directive in Slovenia.
14 December 2022 — NIS2 Directive adopted at EU level, setting an October 2024 deadline for national transposition.
10 April 2025 — Government finalises the draft of the new Information Security Act (ZInfV-1) and submits it to Parliament under an urgent procedure.
May 2025 — National Assembly approves ZInfV-1.
4 June 2025 — ZInfV-1 is published in the Official Gazette of the Republic of Slovenia.
19 June 2025 — ZInfV-1 enters into force, formally transposing NIS2 into Slovenian law.
2025–2026 — Transitional period during which essential and important entities must implement risk-management measures, register where required and prepare for audits and inspections.

Sector-specific notes for Slovenia

  • Energy: electricity, gas and other energy providers are classified as essential entities with strict resilience, monitoring and incident-reporting obligations.
  • Digital infrastructure & telecom: electronic communications networks, internet and cloud infrastructure, data centres and related services are a central focus, with supervision shared between URSIV, SI-CERT and AKOS.
  • Public administration: central government bodies and listed public administration entities are explicitly in scope via dedicated annexes to ZInfV-1.
  • Research & higher education: universities and research institutions are specifically mentioned as in-scope entities, reflecting Slovenia’s emphasis on protecting knowledge and innovation infrastructure.
  • Critical infrastructure & CER: ZInfV-1 works together with the Critical Infrastructure Act to cover critical entities whose disruption would significantly affect essential services or national security.

Penalties for non-compliance

Slovenia has aligned its sanctions regime with NIS2, giving authorities the ability to impose substantial fines and to hold management accountable where entities fail to meet their obligations under ZInfV-1.

  • For essential entities, fines can reach up to the higher of €10 million or 2% of the total worldwide annual turnover for the most serious infringements.
  • For important entities, fines can reach up to the higher of €7 million or 1.4% of total worldwide annual turnover.
  • Additional administrative fines may apply for procedural breaches such as late or incomplete incident reporting, failure to cooperate with authorities or failure to register correctly.
  • Supervisory authorities may impose corrective measures such as mandatory remediation plans, follow-up audits, enhanced supervision or restrictions on activities.
  • Management bodies can face specific consequences if they fail to fulfil their governance obligations, especially in cases of repeated or serious negligence.

How to prepare for NIS2 in Slovenia

  1. Check whether you are in scope: assess your sector, services and size against NIS2 Annex I & II and verify whether you appear in ZInfV-1 annexes as an essential or important entity.
  2. Clarify your supervisory contact: determine whether URSIV alone, or URSIV together with a sectoral authority such as AKOS, is your primary regulator under ZInfV-1.
  3. Run a NIS2/ZInfV-1 gap assessment: compare your current governance, technical measures, processes and documentation against legal requirements and any guidance published by URSIV and SI-CERT.
  4. Plan for the implementation deadlines: build a roadmap to implement required risk-management measures within the 18-month timeframe and prepare for possible audits or inspections.
  5. Strengthen incident detection and response: ensure you can detect and assess cyber incidents quickly, notify SI-CERT within 24 hours where required, and provide timely updates and final reports.
  6. Address supply-chain risk: identify critical suppliers and update contracts to include cybersecurity, audit and incident-notification clauses that are consistent with ZInfV-1.
  7. Use established frameworks: align your information security management system with standards such as ISO/IEC 27001 or NIST CSF to structure your compliance efforts and evidence.
  8. Engage leadership early: brief the board and senior management on their roles and potential liabilities, and make cybersecurity a standing topic in risk and strategy discussions.

FAQ: NIS2 in Slovenia

Has Slovenia fully transposed NIS2?
Yes. Slovenia has transposed NIS2 through the Information Security Act (ZInfV-1), which entered into force on 19 June 2025 and now serves as the main national cybersecurity law for NIS2-relevant entities.

Which law should we look at for NIS2 compliance?
The primary law is the Information Security Act (ZInfV-1), together with its annexes and any implementing regulations adopted by the Government or URSIV. Older references to the 2018 act (ZInfV) have been superseded by ZInfV-1.

Who is the main NIS2 authority in Slovenia?
The Government Information Security Office (URSIV) is the main NIS2 authority and national Single Point of Contact. SI-CERT acts as the national CSIRT, and AKOS is the sectoral authority for certain telecom and digital services.

What are the key deadlines under ZInfV-1?
ZInfV-1 has applied since 19 June 2025. Essential and important entities must implement core risk-management measures within the transition period set by the law (typically within 18 months of entry into force) and be prepared for supervision, audits and incident-reporting requirements from that point onwards.

How high can fines be for non-compliance?
For essential entities, fines can be up to €10 million or 2% of worldwide annual turnover; for important entities, up to €7 million or 1.4% of turnover, with further administrative fines and corrective measures for specific breaches and repeated non-compliance.

Is ISO 27001 certification mandatory?
ISO/IEC 27001 is not mandated by name, but ZInfV-1 requires robust, risk-based security measures. Aligning with ISO 27001 or a similar framework is a practical way to structure, implement and demonstrate compliance with Slovenian NIS2 requirements.

Information provided for general guidance; always consult the official text of ZInfV-1, URSIV and SI-CERT publications and legal counsel for definitive NIS2 compliance requirements in Slovenia.