Cybersecurity regulation in Slovenia (2026)

Comprehensive law: Zakon o informacijski varnosti (ZInfV-1), in force 19 June 2025, transposing EU NIS2 Directive 2022/2555; competent authority: URSIV (Government Information Security Office); national CSIRT: SI-CERT

Country index 96 · A+

Slovenia enacted the Information Security Act (ZInfV-1), published in the Official Gazette on 4 June 2025 and in force from 19 June 2025, fully transposing the EU NIS2 Directive (2022/2555) and replacing the 2018 ZInfV. The law extends binding cybersecurity obligations to an estimated 6,000–8,000 entities across critical and important sectors, imposing risk management, personal accountability of management, and tiered incident-reporting duties. Supervision and enforcement are vested in URSIV, while SI-CERT (hosted within ARNES) acts as the national CSIRT.

Key points

NIS2 Transposition — ZInfV-1

ZInfV-1 was published in Official Gazette No. 2025-01-1571 on 4 June 2025 and entered into force on 19 June 2025, replacing the 2018 ZInfV. It transposes NIS2 Directive 2022/2555 alongside the EU Cybersecurity Act and Cybersecurity Solidarity Act into a single comprehensive national instrument.

Scope of Obligations

The law covers entities in NIS2 Annex I (high-criticality sectors: energy, transport, banking, financial market infrastructure, health, digital infrastructure, etc.) and Annex II (other critical sectors: postal services, waste management, food production, etc.) with at least 50 employees and annual turnover or balance sheet of at least EUR 10 million. Public-sector bodies are also in scope.

Incident Reporting Duties

Essential and important entities must notify SI-CERT of any significant incident within 24 hours (initial early warning), submit a fuller incident notification within 72 hours, and provide a comprehensive final report within 30 days. Voluntary reporting is open to all other entities.

Supervisory Authorities

URSIV (Urad Vlade RS za informacijsko varnost) is the primary competent national authority, responsible for supervision, enforcement, and representing Slovenia in EU cybersecurity structures as the National Cybersecurity Coordination Centre (NCC-SI). SI-CERT, operationally hosted by ARNES and funded by URSIV, is the designated national CSIRT.

Sanctions and Enforcement

URSIV can impose administrative fines on essential entities of up to EUR 10 million or 2% of global annual turnover (whichever is higher), and on important entities up to EUR 7 million or 1.4% of turnover. Enforcement may escalate from warnings and corrective orders through daily coercive penalties to suspension of certifications for essential entities.

Compliance Timeline

In-scope entities were required to self-register within three months of ZInfV-1's entry into force (deadline approximately September 2025). Full organisational security controls are required by October 2026, with technical compliance measures required by October 2027. Personal accountability of management (governing boards must demonstrably oversee security policies) applies from entry into force.

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.