NIS2 Country Guide

NIS2 Slovakia: Amended Cybersecurity Act (Act No. 69/2018 Coll.)

See how Slovakia has transposed the NIS2 Directive through a 2024 amendment to the Cybersecurity Act (Act No. 69/2018 Coll.), effective from 1 January 2025, expanding obligations to thousands of essential and important entities supervised by the National Security Authority (NBÚ) and the National Cybersecurity Centre SK-CERT.

Slovakia NIS2 law in force: 2025
National law: Cybersecurity Act (Act No. 69/2018 Coll., as amended by Act No. 366/2024 Coll.)
Competent authority & CSIRT: NBÚ / SK-CERT

Introduction: NIS2 Directive & the Slovak context

Slovakia has had a dedicated Cybersecurity Act since 2018. Act No. 69/2018 Coll. on Cybersecurity established minimum cybersecurity requirements, incident-handling rules and the role of the National Security Authority (NBÚ) as the central player in national cyber governance.

The adoption of Directive (EU) 2022/2555 (NIS2) required Slovakia to substantially revise this framework. The result is a 2024 amendment that modernises the Act, broadens the scope to thousands more entities and aligns Slovak law with the EU’s latest cybersecurity baseline.

NIS2 implementation in Slovakia

NIS2 is implemented in Slovakia through an amendment to Act No. 69/2018 Coll. on Cybersecurity, adopted as Act No. 366/2024 Coll. The amendment was approved by Parliament in late 2024 and entered into force on 1 January 2025, formally transposing Directive (EU) 2022/2555 into Slovak law.

According to the European Commission and several legal trackers, Slovakia is now listed as “transposed” for NIS2, with the Cybersecurity Act (as amended) serving as the single horizontal NIS2 framework.

The amendment significantly extends the number of regulated entities: estimates range from around 7,000 to more than 10,000 organisations now falling under the Slovak NIS2 regime, including both public and private operators.

Status

NIS2 is fully transposed. The amended Cybersecurity Act has been in force since 1 January 2025, with additional implementing decrees and ordinances being rolled out during 2025.

Legal structure

The NIS2 regime is embedded in Act No. 69/2018 Coll. on Cybersecurity, as amended by Act No. 366/2024 Coll., complemented by secondary legislation defining detailed security measures, reporting and sector-specific rules.

Supervisory approach

The National Security Authority (NBÚ) leads supervision and coordination, while the National Cybersecurity Centre SK-CERT handles incident management and technical support, with additional roles for sectoral authorities.

NIS2 Slovakia: what you need to know about compliance

The amended Cybersecurity Act mirrors the NIS2 distinction between essential and important entities. In Slovak terminology, operators of essential services are split into critical essential service providers (essential entities) and other operators of essential services (important entities).

Who is in scope?

  • Operators in sectors covered by NIS2 (energy, transport, ICT, electronic communications, banking, financial market infrastructures, health, water, digital infrastructure, public administration, etc.).
  • Medium and large organisations meeting NIS2 size/turnover criteria, plus some size-independent providers (DNS, domain name registration, cloud, data centre, content delivery, managed and security services).
  • Additional entities designated by NBÚ as operators of “basic” or “critical basic” services under national criteria.

Core obligations

  • Implement risk-based cybersecurity measures aligned with NIS2 Article 21 and NBÚ’s detailed security-measures ordinance.
  • Maintain policies, procedures and governance structures for cyber risk management, including board-level responsibility and oversight.
  • Ensure detection, handling and reporting of significant incidents and certain cyber threats within the 24h / 72h / 30-day ladder required by NIS2.
  • Manage supply-chain and vendor risk, including contractually defined security requirements and notification duties for key suppliers.
  • Provide regular staff and management training and keep documentation and evidence ready for audits and inspections.

Registration & timelines

Entities in scope face strict deadlines after 1 January 2025: they must register with NBÚ within a short period (typically by early spring 2025), then implement management measures within 12 months of registration and complete the first audit or self-assessment within 24 months. For many essential entities, full implementation deadlines cluster around late 2026.

Important: the amended Act is intentionally strict. Many organisations that were never regulated before now fall under NBÚ’s supervision and must move quickly to meet registration, governance, technical and audit obligations.

Competent authorities & CSIRT

Slovakia uses a centralised model built around the National Security Authority (NBÚ) and its National Cybersecurity Centre SK-CERT, with additional roles for sectoral regulators in specific industries.

| Role | Authority | Notes |
|---|---|---|
| National competent authority & Single Point of Contact | National Security Authority (NBÚ) | Leads implementation of the Cybersecurity Act, identifies and supervises essential and important entities, issues secondary legislation and represents Slovakia in EU NIS2 cooperation. |
| National CSIRT | National Cybersecurity Centre SK-CERT (within NBÚ) | Acts as the national CSIRT, handling incident notifications, issuing alerts and supporting technical response for all sectors. Recognised by the EU as the national CSIRT and reachable 24/7. |
| Sectoral authorities | Various ministries & regulators | In sectors such as energy, finance, electronic communications, health or transport, relevant ministries and regulators support NBÚ in supervising sector-specific obligations and audits. |

NIS2 timeline & key dates (Slovakia)

30 January 2018 — Cybersecurity Act (No. 69/2018 Coll.) adopted, first comprehensive Slovak cybersecurity framework.
1 April 2018 — Original Cybersecurity Act enters into force, implementing NIS1.
17 October 2024 — EU deadline for NIS2 transposition passes; Slovakia’s amendment is in advanced legislative preparation.
Late 2024 — Amendment Act No. 366/2024 Coll. adopted, amending the Cybersecurity Act to transpose NIS2.
1 January 2025 — Amended Cybersecurity Act enters into force, making NIS2 effective in Slovakia.
Q1 2025 — Registration deadlines for in-scope entities (around March–April 2025, depending on category); re-registration of existing entities required.
12–24 months after registration — Deadline to implement management measures (12 months) and to complete first audit or self-assessment (24 months), with many essential entities facing a de facto horizon around end of 2026.

Sector-specific notes for Slovakia

  • Energy: electricity, gas and other critical energy operators are treated as key essential entities with strict resilience and incident-reporting duties.
  • Electronic communications & ICT: telecoms, internet and other ICT services are central to the Cybersecurity Act’s scope, reflecting Slovakia’s reliance on digital infrastructure.
  • Industry & manufacturing: sectors like pharmaceuticals, metallurgy and chemicals are explicitly mentioned in the Act’s sector list and are often designated as essential or important entities.
  • Healthcare: hospitals and other healthcare providers remain in scope as operators of essential services, with increased attention to cyber resilience and incident management.
  • Public administration & critical infrastructure: selected public bodies and critical infrastructure operators remain covered by the Cybersecurity Act and related critical-infrastructure regulations.

Penalties for non-compliance

The Slovak NIS2 regime is backed by a robust sanctions framework, closely aligned with the Directive’s ceilings and reinforced by national mechanisms for repeated or serious breaches.

  • For essential entities: fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for the most serious infringements.
  • For important entities: fines up to €7 million or 1.4% of total worldwide annual turnover.
  • Additional fines for operational breaches, such as failure to register, failure to complete required audits or self-assessments, or failure to implement corrective measures on time.
  • Public naming and enhanced supervision in serious cases, as well as possible temporary bans or disqualification of directors for repeated negligence.

How to prepare for NIS2 in Slovakia

  1. Determine if you are in scope: map your organisation’s sector and size against NIS2 Annex I & II and Slovak categories for operators of basic and critical basic services.
  2. Confirm registration status: check whether you have already been registered or re-registered under the amended Cybersecurity Act and whether any NBÚ notifications or deadlines apply to you.
  3. Run a structured gap assessment: compare your current controls with NIS2 Article 21 and NBÚ’s security-measures ordinance, covering governance, technical controls, monitoring, incident response and documentation.
  4. Plan for 12- and 24-month milestones: ensure you can implement management measures within 12 months of registration and complete your first audit or self-assessment within 24 months.
  5. Strengthen incident readiness: align internal incident-response procedures with SK-CERT guidance and the 24h / 72h / 30-day reporting ladder; test escalation and communications regularly.
  6. Manage supply-chain risk: identify critical suppliers and update contracts with explicit cybersecurity, audit and incident-notification clauses consistent with Slovak and EU requirements.
  7. Use recognised frameworks: align your ISMS with ISO/IEC 27001, NIST CSF or similar to structure NIS2 compliance and make audits smoother.
  8. Engage leadership and boards: brief senior management on their responsibilities and potential personal exposure under the Slovak NIS2 regime and ensure cybersecurity is integrated into enterprise risk management.

FAQ: NIS2 in Slovakia

Has Slovakia fully transposed NIS2?
Yes. NIS2 is implemented through the amended Cybersecurity Act (Act No. 69/2018 Coll., as amended by Act No. 366/2024 Coll.), which entered into force on 1 January 2025 and is recognised by the European Commission as transposing the Directive.

What law should we look at for NIS2 in Slovakia?
The key instrument is Act No. 69/2018 Coll. on Cybersecurity, as amended by Act No. 366/2024 Coll., together with implementing decrees that define detailed security measures and reporting rules.

Who is the main NIS2 authority in Slovakia?
The National Security Authority (NBÚ) is the national competent authority and single point of contact. The National Cybersecurity Centre SK-CERT, operating within NBÚ, acts as the national CSIRT and incident response hub.

What are the main deadlines we should be aware of?
The law has been in force since 1 January 2025. Entities in scope must register within a short period (around spring 2025 depending on category), implement management measures within 12 months of registration, and complete their first audit or self-assessment within 24 months — for many essential entities this means being fully ready by late 2026.

How high can fines be under the Slovak NIS2 regime?
For essential entities, fines can reach up to €10 million or 2% of worldwide annual turnover; for important entities, up to €7 million or 1.4% of worldwide annual turnover, plus additional fines for specific operational breaches such as failure to register or to complete audits.

Is ISO 27001 certification mandatory?
Slovakia does not prescribe one mandatory standard, but NBÚ’s security-measures catalogue is closely aligned with ISO/IEC 27001-style controls, and many organisations use ISO 27001 or similar frameworks to structure and demonstrate compliance.

Information provided for general guidance; always consult the official Slovak Cybersecurity Act, NBÚ / SK-CERT publications and legal counsel for definitive NIS2 compliance requirements in Slovakia.