Cybersecurity · Slovakia
Cybersecurity law in Slovakia: NIS2 compliance (2026)
Slovakia shaded by its cybersecurity status
Cybersecurity in Slovakia: comprehensive law, anchored by Act No. 69/2018 Coll. on Cybersecurity (as amended by Act No. 366/2024 Coll.), supervised by the National Security Authority (NBÚ, Národný bezpečnostný úrad) and its national CSIRT SK-CERT.
Slovakia fully transposed the EU NIS2 Directive (2022/2555) via Act No. 366/2024 Coll., which amends the foundational Cybersecurity Act No. 69/2018 Coll. and entered into force on 1 January 2025. The law establishes a dual-tier regime (essential and important entities) covering 16 sectors, with mandatory registration, risk-management measures, multi-stage incident reporting, and management accountability. The NBÚ acts as the sole competent authority, single point of contact, and supervisory body, with SK-CERT as the national incident-response team.
NIS2 & cybersecurity law in Slovakia
In Slovakia, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to €10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Slovakia implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Slovakia: FAQ
Yes. As an EU member, Slovakia has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to €10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
Act No. 366/2024 Coll. (adopted 28 November 2024, published in the Collection of Laws 19 December 2024, in force 1 January 2025) amends Act No. 69/2018 Coll., directly transposing EU Directive 2022/2555 (NIS2). The original 2018 Act had already established a comprehensive cybersecurity framework.
The NBÚ (National Security Authority) is the national competent authority, national single point of contact, and supervisory body. SK-CERT, embedded within NBÚ, is the national CSIRT responsible for operational incident coordination.
Entities are classified as essential (≥250 employees and/or ≥€50 million turnover) or important (≥50 employees and/or ≥€10 million turnover), across 16 sectors including energy, transport, banking, financial market infrastructure, health, digital infrastructure, water, public administration, and manufacturing. Estimates place 7,000-10,000+ Slovak organisations in scope.
Regulated entities must report significant incidents in three stages: early warning within 24 hours, full incident notification within 72 hours, and a final report within one month. Voluntary reporting of non-significant incidents, threats, and near-miss events is also permitted.
Existing operators were required to register with NBÚ by 1 March 2025. After registration, entities have 12 months to implement mandatory security measures and 24 months to complete a first audit or self-assessment.
For essential (critical) entities, fines reach up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Management accountability is explicit: board members must approve and oversee cybersecurity risk-management measures.
Slovakia - other topics
Cybersecurity in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →