Skip to content
World Watch/Slovakia/Cybersecurity

Cybersecurity · Slovakia

Cybersecurity law in Slovakia: NIS2 compliance (2026)

Comprehensive lawAct No. 69/2018 Coll. on Cybersecurity (as amended by Act No. 366/2024 Coll.), supervised by the National Security Authority (NBÚ, Národný bezpečnostný úrad) and its national CSIRT SK-CERTCountry index 93 · A+

Slovakia shaded by its cybersecurity status

Cybersecurity in Slovakia: comprehensive law, anchored by Act No. 69/2018 Coll. on Cybersecurity (as amended by Act No. 366/2024 Coll.), supervised by the National Security Authority (NBÚ, Národný bezpečnostný úrad) and its national CSIRT SK-CERT.

Slovakia fully transposed the EU NIS2 Directive (2022/2555) via Act No. 366/2024 Coll., which amends the foundational Cybersecurity Act No. 69/2018 Coll. and entered into force on 1 January 2025. The law establishes a dual-tier regime (essential and important entities) covering 16 sectors, with mandatory registration, risk-management measures, multi-stage incident reporting, and management accountability. The NBÚ acts as the sole competent authority, single point of contact, and supervisory body, with SK-CERT as the national incident-response team.

NIS2 & cybersecurity law in Slovakia

In Slovakia, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.

Framework
the NIS2 Directive (EU) 2022/2555, transposed into national law
Approach
cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
Applies to
medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
Incident reporting
an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
Maximum fine
up to €10 million or 2% of global annual turnover for essential entities
Oversight
the national competent authority and CSIRT designated under NIS2

NIS2 is a directive, so Slovakia implements it through national law; exact scope and deadlines can vary slightly by transposition.

NIS2 in Slovakia: FAQ

Does NIS2 apply in Slovakia?

Yes. As an EU member, Slovakia has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.

Who must comply with NIS2 in Slovakia?

Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.

What are the NIS2 incident-reporting deadlines in Slovakia?

An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.

What are the penalties under NIS2 in Slovakia?

Up to €10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.

Key points

Legislative basis

Act No. 366/2024 Coll. (adopted 28 November 2024, published in the Collection of Laws 19 December 2024, in force 1 January 2025) amends Act No. 69/2018 Coll., directly transposing EU Directive 2022/2555 (NIS2). The original 2018 Act had already established a comprehensive cybersecurity framework.

Supervisory authority

The NBÚ (National Security Authority) is the national competent authority, national single point of contact, and supervisory body. SK-CERT, embedded within NBÚ, is the national CSIRT responsible for operational incident coordination.

Entity scope & classification

Entities are classified as essential (≥250 employees and/or ≥€50 million turnover) or important (≥50 employees and/or ≥€10 million turnover), across 16 sectors including energy, transport, banking, financial market infrastructure, health, digital infrastructure, water, public administration, and manufacturing. Estimates place 7,000-10,000+ Slovak organisations in scope.

Incident reporting obligations

Regulated entities must report significant incidents in three stages: early warning within 24 hours, full incident notification within 72 hours, and a final report within one month. Voluntary reporting of non-significant incidents, threats, and near-miss events is also permitted.

Compliance timeline

Existing operators were required to register with NBÚ by 1 March 2025. After registration, entities have 12 months to implement mandatory security measures and 24 months to complete a first audit or self-assessment.

Penalties

For essential (critical) entities, fines reach up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Management accountability is explicit: board members must approve and oversee cybersecurity risk-management measures.

Slovakia - other topics

Cybersecurity in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →