    NIS2 in Slovenia

    A guide to NIS2 implementation and compliance in Slovenia.

    Slovenia is updating its national cybersecurity regime to align with the strengthened obligations introduced under the NIS2 Directive. The revised framework expands sector coverage, strengthens executive accountability, and enhances supervisory and enforcement mechanisms. This guide provides a structured overview of NIS2 compliance requirements in Slovenia for SMEs operating in covered sectors.

    1. Quick SME Applicability Snapshot in Slovenia

    Does NIS2 apply to SMEs in Slovenia?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in Slovenia and, in certain cases, foreign digital providers serving the Slovenian market.

    SMEs should assess qualification under Slovenia's national cybersecurity framework based on sector classification and statutory thresholds.

    2. Overview of NIS2 Implementation in Slovenia

    Slovenia completed NIS2 transposition through the Information Security Act (ZInfV-1) (Zakon o informacijski varnosti), a new comprehensive statute replacing the prior ZInfV (2018). The Act was adopted by the National Assembly on 23 May 2025, published in Official Gazette No. 40/25 on 4 June 2025, and entered into force on 19 June 2025.

    Slovenia missed the original 17 October 2024 transposition deadline; the European Commission issued a reasoned opinion on 7 May 2025, and transposition was completed under emergency procedure. ZInfV-1 expands scope beyond the Directive minimum to include research and higher-education institutions, with the cybersecurity requirements framework annexed to the law and ISO/IEC 27001 referenced as the applicable standard.

    URSIV (Urad Vlade Republike Slovenije za informacijsko varnost — Government Office for Information Security) is the lead authority and also serves as NCC-SI and the national single point of contact. SI-CERT (operated by ARNES) is the national CSIRT for the private sector; SIGOV-CERT handles government institutions. Risk-management obligations apply on a phased schedule: 12 months (by 19 June 2026) for entities already designated as essential service providers under the prior ZInfV, and 18 months (by 19 December 2026) for all other essential and important entities.

    3. Scope of Application in Slovenia

    Slovenia's scope covers the Directive's sector categories and, as noted above, extends beyond the Directive minimum by bringing research and higher-education institutions into scope under ZInfV-1.

    4. Size Thresholds and SME Applicability in Slovenia

    The baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria within covered sectors are automatically within scope.

    Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.

    Slovenian authorities retain formal designation powers where systemic risk justifies inclusion.

    5. Entity Classification Framework in Slovenia

    Entities are categorized as:

    • Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
    • Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

    Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

    Slovenia follows the Directive's two-tier supervisory structure.

    6. Cybersecurity Risk Management Requirements in Slovenia

    Slovenia's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system protection
    • Incident detection and response
    • Business continuity and crisis management
    • Supply chain risk controls
    • Secure acquisition and development of ICT systems
    • Access control and identity management
    • Encryption and cryptographic safeguards
    • Vulnerability management procedures
    • Staff cybersecurity training

    Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Slovenian cybersecurity guidance is encouraged.

    7. Management Liability and Governance in Slovenia

    Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

    Under Slovenia's framework:

    • Boards are accountable for compliance oversight.
    • Senior management must ensure sufficient cybersecurity competence.
    • Administrative sanctions may address governance failures.
    • Temporary suspension of managerial functions may be available under Directive-aligned enforcement mechanisms.

    NIS2 management liability expectations in Slovenia elevate cybersecurity governance to an executive-level responsibility.

    8. Incident Reporting Obligations in Slovenia

    Definition of a Significant Incident

    An incident qualifies if it causes:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border effects

    Reporting Timeline

    Reporting Stage         Deadline    Authority
    Early Warning           24 hours    URSIV and SI-CERT (private sector) / SIGOV-CERT (government entities)
    Incident Notification   72 hours    URSIV and SI-CERT (private sector) / SIGOV-CERT (government entities)
    Final Report            1 month     URSIV and SI-CERT (private sector) / SIGOV-CERT (government entities)

    Slovenia follows the Directive 24h / 72h / 1 month structure. Under ZInfV-1, entities report significant incidents to URSIV (supervisory authority) and to the relevant national CSIRT — SI-CERT (operated by ARNES) for the private sector and general incidents, or SIGOV-CERT (Government Information Security Office CSIRT) for government institutions. Entities must also notify recipients of their services where a significant incident may affect service delivery.

    9. Supervisory Authorities and Enforcement Model in Slovenia

    Primary authority: URSIV (Urad Vlade Republike Slovenije za informacijsko varnost) — Government Office for Information Security. Under ZInfV-1, URSIV also serves as the National Cyber Security Coordination Centre (NCC-SI) and the national single point of contact. SI-CERT (operated by ARNES) is the national CSIRT for the private sector; SIGOV-CERT handles government institutions.

    Slovenia operates a centralized supervisory model led by URSIV. Essential entities are subject to both proactive (ex-ante) and reactive (ex-post) inspections, while important entities are subject to reactive inspections. Essential entities must have compliance assessed by an accredited Conformity Assessment Body (CAB) at least every two years; important entities conduct self-assessment at least every two years.

    Supervisory powers include:

    • Requests for documentation and information
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination mechanisms

    The enforcement structure aligns with Directive-level cooperation requirements.

    10. NIS2 Fines and Sanctions in Slovenia

    Slovenia applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    NIS2 enforcement in Slovenia may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of authorizations or certifications
    • Managerial suspension powers
    • Management disqualification under Slovenia's Companies Act for persistent negligence

    11. NIS2 Supply Chain and Vendor Security in Slovenia

    Entities must manage third-party cybersecurity exposure through:

    • Vendor risk assessments
    • Contractual security flow-down provisions
    • Continuous ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation mitigation

    Slovenia's approach aligns with Directive baseline expectations regarding supplier risk management.

    12. Registration and Self-Identification Duties in Slovenia

    Entities within scope must:

    • Register with URSIV — entities already in scope on 19 June 2025 had a registration deadline of 19 December 2025 (6 months from entry into force, now passed); new entities must register within 30 days of becoming subject to the Act; initial registration is by sending information digitally to URSIV pending launch of a formal self-registration platform
    • Provide corporate identification details
    • Disclose sector classification
    • Maintain updated reporting contacts

    ZInfV-1 requires entities to implement a documented Information Security Management System (ISMS) and Business Continuity Management System (BCMS), including risk analysis, incident response plans, business continuity plans, and system recovery plans. Risk management measures from Articles 21 and 22 must be implemented by 19 June 2026 (entities already designated as essential service providers under the prior ZInfV / 12 months) and 19 December 2026 (all other essential and important entities / 18 months).

    Self-identification is mandatory where entities meet statutory thresholds. ISO/IEC 27001 certification (from an SA-accredited body) is explicitly referenced as the applicable standard and may be used for compliance assessments; essential entities must have compliance assessed by an accredited Conformity Assessment Body (CAB) at least every two years.

    13. Interaction With GDPR and Other Laws in Slovenia

    The General Data Protection Regulation continues to apply concurrently.

    Overlap considerations include:

    • 72-hour personal data breach notification
    • Supervisory authority coordination

    14. Cross-Border Applicability

    Entities with their main establishment in Slovenia are supervised by Slovenian authorities for cross-border services.

    Foreign digital providers offering services in Slovenia may be subject to national obligations depending on establishment structure.

    Representation requirements follow Directive standards for non-EU providers serving the Slovenian market.

    15. Implementation Timeline in Slovenia

    • Directive adoption: 2022
    • National legislation: Information Security Act (ZInfV-1) adopted 23 May 2025; published in Official Gazette No. 40/25 on 4 June 2025; adopted under emergency procedure following EC reasoned opinion of 7 May 2025
    • Entry into force: 19 June 2025 (15 days after publication); ZInfV-1 replaces prior ZInfV (2018)
    • Commission notification: EC reasoned opinion 7 May 2025 for failure to notify; resolved following adoption and entry into force on 19 June 2025
    • Compliance milestones: URSIV registration deadline (entities in scope on 19 June 2025) — 19 December 2025 (passed); new-entity registration — 30 days from becoming in-scope; risk management measures (prior ZInfV essential service providers) — 19 June 2026; risk management measures (all other essential/important entities) — 19 December 2026; compliance assessment cycle — at least every 2 years

    Slovenia completed NIS2 transposition on 19 June 2025. The URSIV registration deadline of 19 December 2025 has passed — entities not yet registered should act immediately. Risk management implementation deadlines run through June and December 2026, and compliance assessments are required at least every two years from designation.

    16. Key Takeaways for SMEs in Slovenia

    • Medium-sized entities in covered sectors are automatically within scope; ZInfV-1 has been in force since 19 June 2025, and Slovenia's scope extends beyond the Directive minimum to include research and higher-education institutions.
    • Small entities may be designated if critical to national or economic stability.
    • Board-level governance oversight is mandatory.
    • Incident reporting follows 24h / 72h / 1 month deadlines; reports are submitted to URSIV and the relevant national CSIRT — SI-CERT (private sector) or SIGOV-CERT (government entities).
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor risk management is required.
    • URSIV registration deadline (19 December 2025) has passed — register immediately if not yet done; risk management measures must be implemented by 19 June 2026 (prior ZInfV essential entities) or 19 December 2026 (all others); ZInfV-1 requires documented ISMS and BCMS aligned with ISO/IEC 27001; essential entities require compliance assessment by an accredited CAB at least every two years.

    FAQ: NIS2 Slovenia SME Guide

    Does NIS2 apply to small companies in Slovenia?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.

    What are the NIS2 fines in Slovenia?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Slovenia?

    The Information Security Act (ZInfV-1) entered into force on 19 June 2025, completing Slovenia's NIS2 transposition. The URSIV registration deadline for entities already in scope (19 December 2025) has passed. Risk management obligations must be implemented by 19 June 2026 (prior ZInfV essential service providers) or 19 December 2026 (all other essential and important entities). Entities not yet registered with URSIV should act immediately.

    Who enforces NIS2 in Slovenia?

    URSIV (Urad Vlade Republike Slovenije za informacijsko varnost — Government Office for Information Security) serves as the primary supervisory authority, coordinating with sector regulators where applicable.

    Can directors be personally liable under NIS2 in Slovenia?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in Slovenia?

    NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.

    What qualifies as a significant incident under NIS2 in Slovenia?

    An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.