Cybersecurity regulation in Slovakia (2026)

Act No. 366/2024 Coll. (adopted 28 November 2024, published in the Collection of Laws 19 December 2024, in force 1 January 2025) amends Act No. 69/2018 Coll., directly transposing EU Directive 2022/2555 (NIS2). The original 2018 Act had already established a comprehensive cybersecurity framework.

The NBÚ (National Security Authority) is the national competent authority, national single point of contact, and supervisory body. SK-CERT, embedded within NBÚ, is the national CSIRT responsible for operational incident coordination.

Entities are classified as essential (≥250 employees and/or ≥€50 million turnover) or important (≥50 employees and/or ≥€10 million turnover), across 16 sectors including energy, transport, banking, financial market infrastructure, health, digital infrastructure, water, public administration, and manufacturing. Estimates place 7,000–10,000+ Slovak organisations in scope.

Regulated entities must report significant incidents in three stages: early warning within 24 hours, full incident notification within 72 hours, and a final report within one month. Voluntary reporting of non-significant incidents, threats, and near-miss events is also permitted.

Existing operators were required to register with NBÚ by 1 March 2025. After registration, entities have 12 months to implement mandatory security measures and 24 months to complete a first audit or self-assessment.

For essential (critical) entities, fines reach up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Management accountability is explicit: board members must approve and oversee cybersecurity risk-management measures.