Slovakia is one of the more active Member States of the EU when it comes to implementing Directive 2022/2555 (NIS2). A substantial amendment (effective from January 1, 2025) to Slovakia’s existing Cybersecurity Act No. 69/2018 introduced a new regulatory framework. Deadlines are now in place and regulatory activity is increasing. Businesses across various sectors, particularly in digital infrastructure, energy, finance, and manufacturing, are expected to adapt to the updated legal landscape rapidly.
Perhaps the most immediate impact of the new legislation was the registration requirement. Under the Cybersecurity Act, entities were required to assess internally whether they fall within the scope of the new regulations and then register with the Slovak National Security Authority (NSA) within 60 days from January 1, 2025. Although the original estimates projected 5,000 to 6,000 registered entities, unofficially, the NSA now expects to process closer to 14,000 applications. This reflects both a broader scope of regulation and a more structured classification of affected organizations.
In addition to the initial 60-day registration deadline, regulated entities must meet two further time-bound obligations. First, all registered entities are required to implement their risk-based cybersecurity measures within 12 months from the date of registration. Second, they must conduct their first cybersecurity audit (or, in the case of important entities, a self-assessment) within 24 months of registration. These staged obligations give entities a defined yet reasonable timeframe to operationalize compliance, implement appropriate security controls, and demonstrate accountability under the law.
In a unique legal twist, the law brings under regulation third parties that have a significant influence over the cybersecurity of an essential entity. If such a third party holds a contract with an essential entity, it too becomes classified as a regulated entity and is subject to equivalent obligations. This third-party inclusion goes beyond mere contractual transparency. Essential entities are obligated to notify the NSA not only of the existence of such contracts but also of their termination. The third parties are then recorded in the official register of regulated entities, are required to implement cybersecurity measures, and fall under the regulatory oversight of the NSA.
Security measures are central to the new regulations. The revised act sets out a comprehensive structure of risk-based cybersecurity obligations. These obligations are further detailed in a forthcoming technical decree, which outlines control requirements for both information and operational technologies. Slovakia is one of the first countries in the region to embed requirements based on the ISA/IEC 62443 series of standards for operational technology systems explicitly into national cybersecurity law. This move is widely viewed as a significant advancement in harmonizing cybersecurity protections between IT and OT environments.
Entities must also appoint a cybersecurity manager responsible for implementing the security measures. Where an applicable sector-specific security standard exists (e.g., in the public sector or the digital services sectors), companies must align with that standard while still maintaining basic capabilities such as information security management and incident reporting. The law thus combines flexibility with a baseline of cybersecurity expectations.
In another major step, Slovakia has extended a formal audit obligation to all regulated entities. As mentioned above, essential entities must undergo their first cybersecurity audit within two years of registration. These audits must be conducted by certified cybersecurity auditors under an approved scheme. For important entities, the law allows a “self-assessment” process conducted by the appointed cybersecurity manager. However, even these entities are required to undergo a full audit by a certified auditor at least once every five years. This audit mechanism is expected to play a key role in enhancing regulatory accountability, enabling the NSA to better assess compliance and readiness across industries. The audit process, together with structured reporting and risk-based implementation of controls, positions Slovakia as a regional leader in structured cybersecurity supervision.
It is worth highlighting that Slovakia’s implementation of the NIS2 goes beyond the minimum requirements in several respects. By explicitly naming third parties as directly regulated entities and mandating detailed technical requirements for both IT and OT systems, Slovakia offers a more operational and enforceable interpretation of the EU directive. These measures are designed not only to protect critical infrastructure but also to strengthen public-private collaboration and build long-term cybersecurity resilience.
As the cybersecurity threat landscape continues to evolve, Slovakia’s structured and risk-based approach may serve as a model for other Member States seeking to balance regulatory clarity, technical depth, and business practicality.
By Michal Rampasek, Cybersecurity, Data, and Privacy Protection Leader, Peterka & Partners
This article was originally published in Issue 12.7 of the CEE Legal Matters Magazine.
