NIS2 Slovakia Compliance Guide: Act on Cybersecurity Amendment, NBU Enforcement, and SK-CERT Incident Reporting for 2026

Complete guide to NIS2 compliance in Slovakia — covering the amended Act on Cybersecurity (Zákon o kybernetickej bezpečnosti), NBU (National Security Authority) enforcement as the competent authority and SPOC, SK-CERT incident reporting, entity classification, sector requirements, penalties, implementation timeline, and cyber insurance implications for Slovak entities.

Slovakia transposed the EU NIS2 Directive through an amendment to the Act on Cybersecurity (Zákon o kybernetickej bezpečnosti), which was adopted in 2024 and entered into force on 1 January 2025. The amendment significantly expands Slovakia’s existing cybersecurity framework — originally established under the 2018 Act — bringing it into alignment with NIS2’s broader scope, stricter penalties, and enhanced supervisory powers. NBU (Národný bezpečnostný úrad / National Security Authority) serves as the central competent authority and Single Point of Contact, while SK-CERT — Slovakia’s national CSIRT operated within NBU — handles incident response and reporting coordination. As a Central European Visegrád Group member bordering the Czech Republic, Hungary, Poland, Austria, and Ukraine, Slovakia’s NIS2 approach reflects its strategic position between established and emerging cybersecurity ecosystems, requiring a framework that balances robust domestic enforcement with effective cross-border coordination.

This guide covers Slovakia’s NIS2 transposition, NBU enforcement, SK-CERT incident reporting, entity classification, sector-specific requirements, penalties, implementation milestones, and practical steps for compliance.

Slovakia’s NIS2 Transposition: Where Things Stand

Slovakia implemented NIS2 through an amendment approach rather than a standalone new act — leveraging its existing 2018 Act on Cybersecurity infrastructure while substantially expanding it:

  • Act on Cybersecurity (Zákon o kybernetickej bezpečnosti, Act No. 69/2018 Coll.): The original 2018 law transposed NIS1 and established NBU’s cybersecurity mandate, SK-CERT, and the basic framework for operators of essential services and digital service providers.
  • Act on Cybersecurity Amendment (2024): The comprehensive amendment transposing NIS2, adopted in late 2024 and entering into force on 1 January 2025. The amendment expands the definition of in-scope entities, introduces the essential/important entity distinction, strengthens NBU’s supervisory powers, incorporates the NIS2 penalty framework (up to €10M / 2% turnover), adds personal liability for management, and establishes the three-stage incident reporting procedure.
  • Decree on Cybersecurity Security Measures: Updated secondary legislation providing detailed technical and organizational security requirements for essential and important entities (expected revision in 2026 to align with NIS2 Article 21 measures).
  • National Cybersecurity Strategy 2025–2030: Updated strategic document aligning national cybersecurity priorities with NIS2 objectives and establishing long-term capacity-building goals.

Slovakia completed transposition around the EU deadline period. The European Commission’s review of Slovakia’s transposition is ongoing, but the legislative framework is now in force. NBU is in the process of building its enhanced supervisory capacity to match the expanded NIS2 mandate.

Key Dates and Timeline

| Milestone | Date | Status |
|---|---|---|
| NIS2 Directive adopted | January 2023 | |
| Original Act on Cybersecurity (NIS1) | 2018 | In force (amended) |
| Draft amendment published for consultation | Q1 2024 | Complete |
| Amendment adopted by National Council | Late 2024 | Complete |
| Amendment enters into force | January 1, 2025 | Complete |
| NBU begins expanded entity registration | Q1 2025 | Ongoing |
| SK-CERT NIS2 reporting framework operational | Q2 2025 | Ongoing |
| EU transposition deadline reference | 17 October 2024 | Near-complete |
| EC transposition review | May 2025 | Under review |
| Updated Decree on Security Measures expected | Q2–Q3 2026 | Pending |
| Full supervisory regime operational | Q4 2026 | Expected |
| First enforcement actions anticipated | 2027 | Projected |

Important: The amended Act on Cybersecurity is in force as of 1 January 2025, but NBU’s enhanced supervisory apparatus — including expanded entity registration, classification procedures, and audit protocols — is still being developed. Entities should treat the amended Act’s obligations as binding and begin compliance preparations immediately.

Comparison with Other EU Countries

Slovakia’s approach shares characteristics with several EU states in our country guide series:

  • Czech Republic (NUKIB): Former federation partner, similar legal tradition and institutional approach — the closest comparative model
  • Hungary (SZTFH/NKI): Visegrád Group partner, comparable central European approach with multi-authority dimensions
  • Hungary (NBI/NKH Multi-Authority): Hungary’s cross-authority enforcement model — useful contrast for Slovakia’s NBU-concentrated approach
  • Poland (NCSA): Visegrád partner, comparable amendment-based transposition approach
  • Slovenia (SI-CERT/URSIV): Small Central European neighbor, similar institutional concentration and small-market dynamics
  • Austria (NISG 2026): Western neighbor, more mature cybersecurity infrastructure — useful best-practice reference

Key Regulatory Bodies

NBU — National Security Authority (Národný bezpečnostný úrad)

NBU is Slovakia’s central NIS2 authority, combining multiple institutional roles:

  • National Competent Authority (NCA) for both essential and important entities across all sectors
  • Single Point of Contact (SPOC) for EU-level NIS2 coordination, cross-border cooperation, and EU CSIRTs Network representation
  • CSIRT Authority — hosts and operates SK-CERT
  • Security clearance authority — NBU’s historical mandate includes national security clearance processing, which intersects with NIS2’s personnel security requirements
  • Cybersecurity supervisory authority — expanded powers under the 2024 amendment including on-site inspections, audit orders, corrective directives, and penalty assessment
  • Policy development — leads national cybersecurity strategy and issues binding technical standards

NBU was established in 2006 with a primary focus on national security classifications and personnel vetting. Its cybersecurity mandate expanded significantly under the 2018 Act and the 2024 NIS2 amendment. The dual mandate — national security and cybersecurity — creates a unique institutional character compared to authorities in other Member States that separate these functions.

SK-CERT — National CSIRT

SK-CERT is Slovakia’s national Computer Security Incident Response Team, operated within NBU:

  • National CSIRT for all NIS2 incident reporting
  • Full member of FIRST and Trusted Introducer accredited
  • Incident handling, triage, and coordination for essential and important entities
  • Vulnerability coordination — processes responsible vulnerability disclosures affecting Slovak entities
  • Threat intelligence sharing with EU CSIRTs Network and international partners
  • Security advisory publication — alerts on emerging threats relevant to Slovak infrastructure
  • Cross-border coordination — interfaces with CSIRT.CZ, NKI (Hungary), CERT.hr, and A-CERT
  • 24/7 incident response for critical national incidents

Sectoral Competent Authorities

Slovakia uses a coordinated multi-authority model with sectoral regulators:

| Authority | Sector | Coordination Role |
|---|---|---|
| NBU | Digital infrastructure, ICT services, public administration | Primary competent authority |
| National Bank of Slovakia (NBS) | Banking, financial market infrastructure | Sectoral regulator for financial entities — independent supervisory powers |
| Ministry of Economy | Energy (electricity, gas, oil, district heating) | Sectoral authority for energy |
| Ministry of Transport and Construction | Road, rail, air, waterway transport | Sectoral authority for transport |
| Ministry of Health | Healthcare | Sectoral authority for health sector |
| Regulatory Office for Network Industries (ÚRSO) | Energy market regulation | Technical regulatory input |
| Office for Regulation of Electronic Communications (TÚ SR) | Electronic communications | Telecom sector regulator |

Important distinction: While NBU is the primary NIS2 competent authority, the National Bank of Slovakia (NBS) retains independent supervisory authority over financial sector entities. This creates a dual-regulatory dynamic similar to other EU states with significant financial sectors — NBS may conduct its own cybersecurity inspections and impose sectoral penalties alongside NBU’s NIS2 enforcement.

Which Entities Are Affected?

Essential Entities

Under the amended Act on Cybersecurity, Slovakia designates essential entities in these sectors:

  • Energy: Slovenské elektrárne (nuclear and conventional power), Západoslovenská energetika, other distribution companies, Eustream (gas pipeline), Slovnaft (petroleum), district heating operators
  • Transport: Bratislava M. R. Štefánik Airport, Košice International Airport, ŽSR (Slovak Railways), Danube port operators, road freight operators
  • Banking: Credit institutions licensed by NBS (including Slovak subsidiaries of EU/EEA banks)
  • Financial Market Infrastructure: Slovak National Stock Exchange, payment systems operators
  • Health: University hospitals (Bratislava, Košice, Martin), regional hospitals, clinical laboratories, medical device distributors
  • Drinking Water: Water supply companies (Záhorie, Západoslovenské vodárne, etc.)
  • Wastewater: Wastewater treatment operators
  • Digital Infrastructure: .sk ccTLD registry (operated by SK-NIC), DNS providers, cloud computing providers, data centres, CDNs
  • ICT Service Management: Managed security providers, managed IT service providers, B2B ICT services
  • Public Administration: Government ministries, agencies, and municipalities above population thresholds
  • Space: Ground station infrastructure supporting EU space programmes

Important Entities

Slovakia identifies important entities from additional sectors:

  • Postal and Courier Services: Slovenská pošta, private courier operators
  • Waste Management: Collection, treatment, and disposal operators
  • Chemical Manufacturing: Production and distribution of hazardous substances (e.g., Duslo Šaľa)
  • Food Production: Large-scale food processing and distribution
  • Manufacturing: Designated manufacturing sectors including automotive (Volkswagen Bratislava, Kia Žilina, Jaguar Land Rover Nitra), electronics, pharmaceuticals
  • Digital Providers: Online marketplaces, search engines, social media platforms operating in Slovakia
  • Research Organisations: Slovak Academy of Sciences institutes, designated university research centres

Size Thresholds

Slovakia applies standard NIS2 size thresholds:

| Criterion | Essential Entities | Important Entities |
|---|---|---|
| Employees | ≥250 | ≥50 |
| Annual turnover | ≥€50 million | ≥€10 million |

Entities covered regardless of size:

  • Qualified trust service providers
  • .sk ccTLD registry
  • DNS service providers
  • Public electronic communications providers
  • Cloud computing service providers
  • Data centre operators
  • Entities designated as sole providers of essential services in Slovakia
  • Entities whose disruption could significantly impact public safety, security, or health

Slovakia-Specific Designation Criteria

Slovakia’s amendment incorporates several designation criteria reflecting the domestic market structure:

  • Automotive sector emphasis — Slovakia’s automotive manufacturing sector (VW, Kia, JLR) represents a significant portion of GDP; NBU may designate automotive manufacturers as important entities beyond standard NIS2 sectoral scope
  • Nuclear energy consideration — Slovakia operates two nuclear power plants (Jaslovské Bohunice, Mochovce); entities associated with nuclear infrastructure may receive enhanced cybersecurity designation
  • Cross-border infrastructure — entities operating pipelines (Eustream), rail links, and Danube transport infrastructure connecting to Austria, Hungary, Ukraine, or Czech Republic face designation based on cross-border impact potential

Entity Designation Process

NBU follows a registration and formal designation process:

  1. Self-assessment — Entities determine whether they fall within NIS2 scope
  2. Registration with NBU — In-scope entities must register through the NBU cybersecurity portal
  3. NBU verification — NBU reviews registrations and may request additional information
  4. Formal designation notice — NBU issues binding classification as essential or important entity
  5. Compliance timeline — Designated entities receive a compliance deadline (expected 12–18 months from designation)

Continuity from NIS1: Entities that were already designated as operators of essential services under the 2018 Act should already be registered with NBU. These entities must update their registration to reflect their NIS2 classification (essential vs. important) and expanded obligations.

Slovakia-Specific Requirements (Beyond NIS2 Minimums)

Slovakia’s amendment introduces several provisions beyond NIS2 minimum standards:

NBU’s Dual National Security and Cybersecurity Mandate

NBU’s unique institutional position as both the national security authority and the cybersecurity competent authority creates additional compliance requirements:

  • Security clearance integration — entities in sectors overlapping with national security (energy, transport, defence industry) may be required to obtain NBU security clearances for personnel in cybersecurity-critical roles
  • Classified information handling — entities processing classified information must satisfy both national security requirements (Act No. 285/2019 Coll.) and NIS2 cybersecurity requirements simultaneously
  • Foreign vendor restrictions — NBU may impose restrictions on non-EU/EEA vendors for entities handling classified or security-sensitive information

Nuclear and Critical Infrastructure Overlay

Given Slovakia’s nuclear energy infrastructure, the amendment provides for enhanced cybersecurity requirements for nuclear-adjacent entities:

  • Nuclear power plant operators must implement cybersecurity controls aligned with IAEA Nuclear Security Guidance (NSS No. 33-T) alongside NIS2 requirements
  • The Slovak Nuclear Regulatory Authority (ÚJD) coordinates with NBU on cybersecurity oversight for nuclear facilities
  • Nuclear facility cybersecurity incidents follow a dual-reporting path to SK-CERT and ÚJD

Automotive Sector Coordination

Recognizing the automotive sector’s significance, NBU is developing sector-specific cybersecurity guidance for automotive manufacturers and their supply chains:

  • Alignment with UNECE WP.29 Regulation R155 (Cybersecurity of Vehicles) alongside NIS2 obligations
  • Supply chain cybersecurity requirements for automotive Tier 1 and Tier 2 suppliers
  • Joint NBU-industry working group on automotive cybersecurity standards

Penalties and Enforcement

Entity-Level Fines

Slovakia’s penalties align with NIS2 maximum thresholds under the amended Act:

| Violation Type | Entity Category | Maximum Fine |
|---|---|---|
| Risk management breach | Essential | Higher of €10,000,000 or 2% of total worldwide annual turnover |
| Risk management breach | Important | Higher of €7,000,000 or 1.4% of total worldwide annual turnover |
| Non-compliance with corrective measures | Both | Corrective orders and escalating penalties |
| Failure to register with NBU | Both | Up to €100,000 |
| Failure to report incidents | Both | Up to €500,000 |
| Failure to cooperate with supervision | Both | Up to €200,000 |

Personal Liability for Management

The amended Act includes personal liability provisions for senior management:

| Violation | Maximum Fine |
|---|---|
| Management member failing to approve cybersecurity risk management measures | Up to €30,000 per violation |
| Management member failing to oversee implementation | Up to €20,000 per violation |
| Non-cooperation with supervisory authority | Up to €10,000 per violation |
| Repeated violations | Escalating penalties including potential management ban |

Board-level approval of cybersecurity strategies is mandatory, with documentary evidence required in board minutes.

Enforcement Posture

NBU is enhancing its supervisory capacity following the January 2025 amendment entry into force. The expected enforcement trajectory:

  • 2025–early 2026: Cooperative phase — entity registration, guidance issuance, stakeholder education
  • Mid 2026: Supervisory activation — initial inspections, audit orders for non-responding entities
  • Late 2026–2027: Active enforcement — penalties for persistent non-compliance, corrective orders for identified deficiencies

The dual NBS supervision for financial sector entities means that financial institutions may face earlier and more intensive enforcement, as NBS already has established supervisory infrastructure and inspection capabilities.

Compliance Requirements

Article 21 Risk Management Measures

Slovak essential and important entities must implement measures covering the 10 NIS2 Article 21 areas, mapped to the updated Decree on Security Measures:

  1. Risk analysis and information security policies — documented risk assessments and security strategies updated annually, proportionate to entity size and risk profile
  2. Incident handling — prevention, detection, analysis, response, and recovery procedures coordinated with SK-CERT
  3. Business continuity — crisis management, disaster recovery, backup procedures, and crisis communication plans
  4. Supply chain security — assessment of ICT suppliers and service providers, vendor risk management, concentration risk analysis for automotive and manufacturing supply chains
  5. Security in network and information systems — secure acquisition, development, and maintenance practices
  6. Vulnerability handling and disclosure — vulnerability management processes and coordinated disclosure policies
  7. Cryptography and encryption — data encryption at rest and in transit, key management practices
  8. Human resources security — training, awareness, background checks, and NBU security clearance for designated roles
  9. Access control — least privilege, MFA for privileged access, periodic access reviews, privileged access management
  10. Physical security — premises and data center protection measures

Incident Reporting Requirements

Slovak entities must report significant incidents to SK-CERT following the NIS2 three-stage timeline:

| Reporting Stage | Timeline | Content |
|---|---|---|
| Early Warning | Within 24 hours | Initial notification — whether suspected unlawful/criminal offense, whether possible cross-border impact (particularly Czech Republic, Hungary, Austria, Ukraine), indicators of compromise |
| Incident Notification | Within 72 hours | Severity assessment, impact analysis, containment status, technical information |
| Final Report | Within 30 days | Detailed root cause analysis, cross-border impact assessment, remediation measures, lessons learned |

Cross-border emphasis: Given Slovakia’s geographic position bordering five countries, entities must specifically assess and report on cross-border impact affecting Czech Republic, Hungary, Austria, Poland, and Ukraine as part of their incident reporting obligations.

Where to report:

  • Email: incident@sk-cert.sk
  • PGP-encrypted email using SK-CERT public key
  • Phone: +421 2 5729 4555 (24/7)
  • NBU cybersecurity portal: Online submission for registered entities

Financial sector entities must also report incidents to NBS in accordance with NBS cybersecurity reporting requirements. NBU and NBS coordinate to minimize duplicative reporting burden.

Supply Chain Security

The amended Act requires Slovak entities to assess and manage cybersecurity risks across their supply chain, with sector-specific emphasis:

  • Automotive supply chain — Tier 1 and Tier 2 suppliers must be assessed for cybersecurity capabilities aligned with UNECE R155
  • Energy supply chain — critical energy infrastructure supply chain security aligned with EU energy sector regulations
  • Cross-border vendor dependencies — many Slovak entities rely on Czech, Austrian, and German ICT service providers
  • Concentration risk — NBU guidance highlights the risk of single-vendor dependencies in Slovakia’s concentrated industrial sectors

This aligns with our guide on NIS2 supply chain and third-party risk management.

Implementation Roadmap for Slovak Entities

Phase 1 — Immediate (April–June 2026)

  1. Register with NBU through the cybersecurity portal — confirm entity classification and sector designation
  2. Complete self-assessment — determine whether the entity qualifies as an essential or important entity based on sector, size, and supplementary criteria
  3. Transition from NIS1 designation — if previously designated under the 2018 Act, update registration to reflect NIS2 classification
  4. Designate cybersecurity governance — assign board-level responsibility and appoint a security officer
  5. Identify cross-border dependencies — map services and vendors operating across Slovakia’s borders (especially Czech and Hungarian connections)
  6. Conduct initial asset inventory — catalogue all network and information systems

Phase 2 — Foundation (July–September 2026)

  1. Conduct gap analysis against NIS2 Article 21 measures (see our NIS2 gap analysis guide)
  2. Establish incident reporting procedures — register with SK-CERT, test reporting channels and 24-hour escalation capability
  3. Begin cybersecurity risk assessment — analysis proportionate to entity size and sector risk profile
  4. Review supply chain security — assess vendor dependencies, update contracts with cybersecurity clauses, address automotive/nuclear sector-specific requirements
  5. Deploy baseline security controls — MFA, encryption, logging, vulnerability management, access control
  6. Address NBU security clearance requirements — if operating in security-sensitive sectors, initiate personnel clearance process

Phase 3 — Full Compliance (Q4 2026–2027)

  1. Implement all Article 21 measures — technical and organizational controls meeting the amended Act’s requirements
  2. Test incident reporting — conduct tabletop exercises including cross-border impact assessment scenarios with Czech, Hungarian, and Austrian counterparts
  3. Complete business continuity and disaster recovery testing
  4. Prepare for NBU supervision — document policies, procedures, and evidence (see our NIS2 audit preparation guide)
  5. Monitor updated Decree on Security Measures — await finalization of NBU’s detailed technical guidance
  6. Participate in SK-CERT exercises — engage in national and cross-border cybersecurity exercises
  7. Review NBS coordination — financial sector entities should coordinate NBU and NBS compliance timelines

Cyber Insurance Implications for Slovak Entities

Why Slovak Entities Need Cyber Insurance

Slovakia’s NIS2 enforcement creates significant new liability exposure for entities across the economy:

  • Maximum penalties up to €10M or 2% global turnover — substantial for Slovakia’s mid-market corporate landscape
  • Personal liability for management — directors and officers face individual fines up to €30,000
  • Cross-border incident exposure — entities operating cross-border infrastructure (pipelines, railways, Danube transport) face amplified incident costs and multi-jurisdiction reporting obligations
  • Automotive sector concentration — Slovakia’s automotive manufacturing sector faces compound exposure from NIS2 and UNECE R155 requirements
  • Nuclear infrastructure overlap — nuclear-adjacent entities face additional cybersecurity liability under nuclear security regulations
  • Dual NBU/NBS regulation — financial sector entities face compounded regulatory exposure
  • Business interruption from corrective orders or system shutdowns during incident response
  • Supply chain vulnerabilities — reliance on cross-border vendors creates cascading risk exposure

What Underwriters Should Ask

When underwriting Slovak entities under NIS2, insurers should seek:

  1. Entity classification — Is the insured designated as an essential or important entity by NBU?
  2. NBU registration status — Is the entity registered and has it received formal designation?
  3. Previous NIS1 designation — Was the entity already regulated under the 2018 Act, and has it transitioned to NIS2 classification?
  4. Cross-border dependencies — What percentage of critical ICT services are provided by non-Slovak vendors (esp. Czech, Austrian, Hungarian)?
  5. Cross-border infrastructure operations — Does the entity operate pipelines, railways, or transport infrastructure connecting to neighboring states?
  6. Automotive supply chain role — Is the entity a Tier 1 or Tier 2 supplier to automotive manufacturers? What UNECE R155 compliance measures are in place?
  7. Nuclear adjacency — Does the entity operate in or adjacent to nuclear facilities?
  8. NBS dual-regulation — If a financial entity, what is the coordination status between NBU and NBS supervisory processes?
  9. Security clearance status — Does the entity require NBU security clearances for personnel?
  10. SK-CERT incident history — Has the entity previously reported incidents to SK-CERT or predecessor CSIRT?

Coverage Considerations

For Slovak entities, cyber insurance policies should address:

  • Regulatory investigation costs under NBU and NBS enforcement actions
  • Dual-regulatory exposure — coverage for proceedings from both NBU (NIS2) and NBS (financial sector) or ÚJD (nuclear)
  • Personal liability extensions — D&O coverage for management individual fines up to €30,000
  • Cross-border incident costs — legal and forensic expenses for incidents requiring coordination with Czech, Hungarian, Austrian, Polish, or Ukrainian authorities
  • Business interruption during NBU-mandated system reviews or corrective orders
  • Incident response retainers — pre-approved forensic teams familiar with SK-CERT reporting procedures
  • Automotive supply chain losses — coverage for production disruption from cyber incidents in the supply chain
  • Nuclear facility exposure — specialized coverage for entities adjacent to nuclear infrastructure
  • Supply chain losses from vendor incidents (see supply chain attack loss scenarios)
  • Data restoration costs following ransomware or destructive attacks
  • Crisis management and reputational harm coverage

Use our cyber insurance buying guide to compare coverage options and our NIS2 compliance checker to assess your current compliance status.

Key Takeaways

  1. Slovakia transposed NIS2 through an amendment to the Act on Cybersecurity, which entered into force on 1 January 2025 — expanding the existing 2018 NIS1 framework rather than creating a standalone act
  2. NBU (National Security Authority) serves as the central competent authority, SPOC, and SK-CERT operator — its dual national security and cybersecurity mandate creates unique compliance dynamics
  3. SK-CERT provides 24/7 national incident response with strong cross-border coordination ties to CSIRT.CZ, NKI, and other neighboring CSIRTs
  4. Automotive sector is Slovakia’s most distinctive NIS2-relevant sector — requiring alignment with both NIS2 and UNECE R155 cybersecurity standards
  5. Nuclear infrastructure overlay adds cybersecurity compliance requirements beyond NIS2 for energy sector entities
  6. Standard NIS2 penalty framework applies — up to €10M or 2% global turnover for essential entities, plus personal management liability up to €30,000
  7. Dual NBU/NBS regulation for financial sector entities creates compound regulatory exposure requiring coordinated compliance strategies
  8. Cyber insurance is essential for Slovak entities — particularly those in automotive, nuclear-adjacent, financial, and cross-border infrastructure sectors

For more NIS2 compliance resources, explore our NIS2 compliance checklist, penalties guide, and technical measures requirements. Compare your country’s approach with our essential vs important entity classification guide.
