NIS2 in Slovakia: what your organization must do

Act No. 366/2024 Coll. amended Act No. 69/2018 Coll. on Cybersecurity and transposed the NIS2 Directive into Slovak law. Effective: January 1, 2025. An estimated 10,000+ organizations in Slovakia are now in scope. If you haven't paid attention to NIS2 yet, it's time — the deadlines for internal policies and audits are already running.

Who is in scope

The law distinguishes two types of entities:

  • Essential service operators — organizations with ≥250 employees and turnover ≥€50 million, operating in critical sectors (energy, transport, healthcare, water management, digital infrastructure, public administration, banking)
  • Important service operators — organizations with ≥50 employees and turnover ≥€10 million in sectors such as postal services, waste management, manufacturing, food production, chemicals

Size thresholds are indicative — the law includes exceptions where smaller entities in critical sectors fall in scope regardless of size (e.g., DNS service providers, domain registrars).

Deadlines

The law sets deadlines relative to the date of inclusion in the list of essential service operators:

  • Registration — within 60 days of the law taking effect, i.e., by approximately March 1, 2025 (this deadline has passed)
  • Internal cybersecurity policies — within 12 months of inclusion (for most organizations: spring 2026)
  • Cybersecurity audit — within 24 months of inclusion (for most: spring 2027)

If you registered in March 2025, internal policies must be in place by March 2026 — which is now. The audit follows a year later.

What you must do specifically

Internal policies (12 months)

The organization must adopt and implement internal cybersecurity policies covering at minimum:

  • risk management — identification, assessment, and treatment of cyber risks
  • incident management — detection, response, and reporting procedures
  • business continuity — backup, recovery, crisis planning
  • supply chain security
  • access and identity management
  • encryption and cryptography
  • physical security

Incident reporting

NIS2 introduces three-stage incident reporting:

  1. Early warning — within 24 hours of detecting a significant incident
  2. Notification — within 72 hours with updated information
  3. Final report — within 30 days with root cause analysis and measures taken

Reports go to SK-CERT (National CSIRT) and the National Security Authority (NBÚ).

Audit (24 months)

The cybersecurity audit must verify that implemented measures meet the law's requirements. The audit is performed by a certified auditor. The output is a report with findings and recommendations. The organization is obligated to address identified deficiencies.

Penalties

  • Essential service operators — up to €10,000,000 or 2% of global annual turnover
  • Important service operators — up to €7,000,000 or 1.4% of turnover

Beyond fines, NBÚ can issue binding instructions, suspend services, or prohibit individuals from serving as statutory body members.

What to do now

If you haven't registered yet, do so immediately — the deadline passed in March 2025, but late registration is better than none. If you are registered:

  1. Check the status of your internal policies — the 12-month deadline for most organizations is around March 2026. If you don't have policies in place, you are already overdue.
  2. Start preparing for the audit — you have approximately 12 months. The audit verifies implementation, not just the existence of documents. Policies must be lived, not just written.
  3. Set up an incident reporting process — the 24-hour early warning deadline means you need a clear procedure: who reports, to whom, through what channel.
  4. Map your supply chain — NIS2 requires risk assessment of your suppliers. If your cloud provider lacks security measures, that's your risk.

NIS2 is not a one-time project. It is a permanent obligation with regular audits, reporting, and policy updates. The sooner you start, the less painful it will be.
