Slovakia

(a) What is the NIS2 implementation status?

The parliament approved the NIS2 implementation legislation. The law entered into force on 1 January 2025, after the president signed the law and it is published.

The amendment to the Cybersecurity Act is available online (only in Slovak).

(b) What is the envisaged NIS2 implementation timeline?

The NIS2 implementation is effective as of 1 January 2025.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The implementation of NIS2 resulted in novelization of the Act No. 69/2018 Coll. on cybersecurity and relating legislation. The current amended version of the Cybersecurity Act is available online (only in Slovak).

(d) Who will be the supervisory authority and how are they preparing the market?

The supervisory authority for the matter of cybersecurity is National Security Authority in cooperation with the ministries of the Slovak Republic. The web site of the National Security Authority available also in English may be found here.

National Security Authority is also national point of contact for cybersecurity. Additionally, national CSIRT has been established in the Slovak Republic – National Cyber Security Centre SK-CERT.

The National Security Authority organises seminars and training events to raise awareness of the obligations arising from the cybersecurity legislation. The National Security Authority also provides consultations if requested. However, National Security Authority does not determine whether a non-public sector entity falls within the scope of the new legislation.

(e) What should you be doing/on the lookout for?

First of all, the clients should assess whether they qualify as affected entities under the new legislation, i.e. self-assessment.

For entities who fall under the scope of the new legislation, the following deadlines apply as of 1 January:

• 60 days to submit an application for registration in the register maintained by the National Security Authority;
• the new legislation is applicable to the entity after 30 days since the registration in the register maintained by the National Security Authority;
• 12 months from the date of registration to implement security measures;
• 24 months from the date of registration to perform the first audit or self-assessment (if critical services are not provided).

The Cybersecurity Act applies under certain conditions to entities that do not have a registered office in Slovakia, specifically to those providing services such as DNS, domain name registration, cloud computing, data centres, or social networks. To a limited extent, it also applies to suppliers outside the EU operating in Slovakia. These entities must have a representative in Slovakia or another EU member state and may be designated as an ESS (Essential Service Provider) if they have a significant impact on cybersecurity.