Decree 227/2025: what NIS2 looks like in practice

Slovak Act 366/2024 transposed NIS2 into national law on 1 January 2025. The concrete technical requirements, however, arrived only with the new decrees from the National Security Authority (NBÚ), effective from 1 September 2025. Decree 227/2025 replaces the earlier 362/2018 and significantly expands the scope of mandatory measures. Decree 226/2025 governs incident reporting.

Essential service operators have 12 months from entry in the register to fully implement the measures. Entities already registered before 1 January 2025 fall under a transition period that ends on 31 December 2026.

What decree 227/2025 covers

The decree defines the content of security measures, the scope of general security measures for networks, information systems and operational technology (OT), and the structure of the required security documentation. Compared with the previous decree it is much more detailed and reflects the current threat landscape — ransomware, supply-chain attacks, compromises through OT.

Network segmentation

Network infrastructure must be divided into security zones with controlled access between them. The goal is to constrain lateral movement after an initial compromise. For manufacturing and energy, that means separating IT and OT networks; for office environments, separating user, server and management segments.

Identity and access management

Multi-factor authentication is mandatory for privileged accounts — system, database, network and security-tool administrators. You also need access records, regular permission reviews, and segregation of duties.

Monitoring and incident detection

The decree requires continuous monitoring of security events with defined response times. In practice, for most organisations this means a SIEM or an outsourced SOC, tracked alerts and a documented escalation path.

Supplier risk management

Security standards must be embedded in supplier contracts, with risk assessments and controls over third-party access. After incidents like SolarWinds or MOVEit, this is one of the most important and most commonly underestimated areas.

Resilience testing

Regular penetration testing and vulnerability assessments are mandatory. Findings must drive remediation and become part of the security documentation.

Incident reporting under 226/2025

Decree 226/2025 sets the severity criteria for incidents and the content of reports. Operators must be able to quickly decide whether an event meets the thresholds — number of affected users, outage duration, impact on data confidentiality — and submit reports within the statutory deadlines. That requires a rehearsed internal process, not just a written one.

What to do before the year ends

The transition period ends in eight months. If you have not started, we recommend the following sequence:

  1. Gap analysis — compare the current state against decree 227/2025. The output is a list of gaps, not a perfect score.
  2. Prioritisation — measures with the highest risk impact go first: segmentation of critical systems, MFA for admin accounts, baseline logging.
  3. Documentation — policies, procedures and evidence. An audit requires not only a working control but also proof that it works.
  4. Incident reporting process — rehearsed, not just written. A tabletop exercise surfaces gaps faster than an audit.
  5. Pre-audit — an internal or external review before the deadline leaves time to fix findings.

Penalties and accountability

For serious violations, NBÚ can impose fines up to EUR 10 million or 2% of global annual turnover. NIS2 also introduces personal accountability for statutory officers — repeated violations can lead to a temporary ban from executive functions. Compliance is no longer a purely IT matter.