NIS2 in Slovakia

1. Quick SME Applicability Snapshot in Slovakia

Does NIS2 apply to SMEs in Slovakia?

Yes — depending on sector and size.

• Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
• Small or micro entities are included only if formally designated or operating in high-criticality sectors.
• Applies to entities established in Slovakia and, in certain cases, foreign digital providers serving the Slovak market.

SMEs should assess qualification under Slovakia's national cybersecurity framework based on sector classification and statutory thresholds.

2. Overview of NIS2 Implementation in Slovakia

Slovakia completed NIS2 transposition through Act No. 366/2024 Coll., amending Cybersecurity Act No. 69/2018 Coll. The National Council adopted the Act on 28 November 2024, it was published in the Collection of Laws on 19 December 2024, and it entered into force on 1 January 2025 — making Slovakia the 4th EU Member State to complete transposition.

The amended framework aligns Slovakia's regime with Directive (EU) 2022/2555 and is operationalized through the JISKB portal (managed by the NBÚ) for registration and incident reporting, while SK-CERT (National Cyber Security Centre, within the NBÚ) acts as the national CSIRT. Risk management is aligned with the ISO 27000 family of standards, with a supporting Ordinance on Security Measures developed during 2025.

Approximately 3,500–14,000 entities are expected to fall within scope. Slovakia's regime extends beyond the Directive minimum by explicitly regulating third parties in the supply chain as direct entities, and full compliance with all obligations is required by 31 December 2026.

3. Scope of Application in Slovakia

Slovakia's scope reflects Directive minimum sector categories without confirmed structural expansion.

4. Size Thresholds and SME Applicability in Slovakia

The baseline thresholds apply:

• ≥50 employees, and
• ≥€10 million annual turnover or balance sheet total.

Entities meeting both criteria within covered sectors are automatically within scope.

Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.

Slovak authorities retain formal designation powers where systemic risk justifies inclusion.

5. Entity Classification Framework in Slovakia

Entities are categorized as:

• Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
• Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

Slovakia follows the Directive's two-tier supervisory structure.

6. Cybersecurity Risk Management Requirements in Slovakia

Slovakia's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

• Risk analysis and system protection
• Incident detection and response
• Business continuity and crisis management
• NIS2 supply chain Slovakia risk controls
• Secure acquisition and development of ICT systems
• Access control and identity management
• Encryption and cryptographic safeguards
• Vulnerability management procedures
• Staff cybersecurity training

Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Slovak cybersecurity guidance is encouraged.

7. Management Liability and Governance in Slovakia

Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

Under Slovakia's framework:

• Boards are accountable for compliance oversight.
• Senior management must ensure sufficient cybersecurity competence.
• Administrative sanctions may address governance failures.
• Temporary suspension of managerial functions may be available under Directive-aligned enforcement mechanisms.

NIS2 management liability Slovakia expectations elevate cybersecurity governance to executive level responsibility.

8. Incident Reporting Obligations in Slovakia

9. Supervisory Authorities and Enforcement Model in Slovakia

Primary authority: NBÚ (Národný bezpečnostný úrad) — national competent authority, single point of contact, and primary supervisory body. SK-CERT (National Cyber Security Centre) operates within the NBÚ as the national CSIRT for incident handling, analysis, and coordination.

Slovakia operates a centralized supervisory model led by the NBÚ. Sector-specific ministries (e.g., Ministry of Health, Ministry of Transport) have supplementary sectoral roles. Registration and incident reporting flow through the JISKB portal managed by the NBÚ, which serves as both the compliance registry and the reporting platform.

Supervisory powers include:

• Requests for documentation and information
• Security audits
• On-site inspections
• Binding compliance instructions
• Participation in EU cybersecurity coordination mechanisms

The enforcement structure aligns with Directive-level cooperation requirements.

10. NIS2 Fines and Sanctions in Slovakia

Slovakia applies Directive-aligned administrative penalties.

NIS2 fines Slovakia enforcement may also include:

• Binding remediation orders
• Public identification of non-compliant entities
• Suspension of authorizations or certifications
• Managerial suspension powers

Criminal liability applies only where explicitly provided under Slovak legislation.

11. NIS2 Supply Chain and Vendor Security in Slovakia

Entities must manage third-party cybersecurity exposure through:

• Vendor risk assessments
• Contractual security flow-down provisions
• Continuous ICT supplier monitoring
• Concentration risk analysis
• Incident propagation mitigation

Slovakia's approach aligns with Directive baseline expectations regarding supplier risk management.

12. Registration and Self-Identification Duties in Slovakia

Entities within scope must:

• Register with the NBÚ via the JISKB portal (jiskb.sk.gov.sk) — entities in scope as of 1 Jan 2025 had a registration deadline of approximately 1 Mar 2025 (passed); new entities must register within 60 days of becoming in-scope; entities already registered under the prior NIS1 framework auto-transitioned with no re-registration required
• Provide corporate identification details
• Disclose sector classification — use the NBÚ online classification wizard to determine essential/important status before registering
• Maintain updated reporting contacts

The JISKB portal serves as both the registration platform and the incident reporting hub. Additional fines apply for failure to register, failure to conduct required audits/self-assessments, and failure to take corrective measures within deadlines. Full compliance with all obligations is required by 31 December 2026.

Self-identification is mandatory where entities meet statutory thresholds. All registrations and incident submissions are made through the JISKB portal.

13. Interaction With GDPR and Other Laws in Slovakia

The General Data Protection Regulation continues to apply concurrently.

Overlap considerations include:

• 72-hour personal data breach notification
• Supervisory authority coordination

14. Cross-Border Applicability

Entities with their main establishment in Slovakia are supervised by Slovak authorities for cross-border services.

Foreign digital providers offering services in Slovakia may be subject to national obligations depending on establishment structure.

Representation requirements follow Directive standards for non-EU providers serving the Slovak market.

15. Implementation Timeline in Slovakia

• Directive adoption: 2022
• National legislative amendments: Act No. 366/2024 Coll. adopted by the National Council on 28 Nov 2024; published in the Collection of Laws on 19 Dec 2024; supporting Ordinance on Security Measures developed during 2025
• Entry into force: 1 January 2025 — Slovakia was the 4th EU Member State to complete transposition
• Commission notification: Fully notified; no outstanding EC reasoned opinion
• Compliance milestone: JISKB portal registration deadline ~1 Mar 2025 (passed) for entities in scope as of 1 Jan 2025; new entities within 60 days of becoming in-scope; full compliance with all obligations by 31 December 2026

Slovakia completed transposition on 1 January 2025, ahead of most EU peers. The initial JISKB registration deadline has passed; full compliance under the amended Cybersecurity Act is required by 31 December 2026. Entities not yet registered should act immediately.

16. Key Takeaways for SMEs in Slovakia

• Medium-sized entities in covered sectors are automatically within scope. Act No. 366/2024 Coll. has been in force since 1 January 2025; use the NBÚ online classification wizard to verify essential/important status.
• Small entities may be designated if critical to national or economic stability.
• Board-level governance oversight is mandatory.
• Incident reporting follows 24h / 72h / 1 month deadlines. Reports are submitted via the JISKB portal to SK-CERT (national CSIRT); an intermediate report may be requested by SK-CERT.
• Financial penalties can reach €10 million or 2% of global turnover.
• Vendor risk management is required.
• The initial registration deadline (~1 Mar 2025) has passed — register via the JISKB portal immediately if not yet done. Full compliance with all obligations is required by 31 December 2026; risk management framework should be aligned with ISO 27000 standards.

FAQ: NIS2 Slovakia SME Guide