Skip to content
World Watch/Slovenia/Cybersecurity

Cybersecurity ยท Slovenia

Cybersecurity law in Slovenia: NIS2 compliance (2026)

Comprehensive lawZakon o informacijski varnosti (ZInfV-1), in force 19 June 2025, transposing EU NIS2 Directive 2022/2555; competent authority: URSIV (Government Information Security Office); national CSIRT: SI-CERTCountry index 96 ยท A+

Slovenia shaded by its cybersecurity status

Cybersecurity in Slovenia: comprehensive law, anchored by Zakon o informacijski varnosti (ZInfV-1), in force 19 June 2025, transposing EU NIS2 Directive 2022/2555; competent authority: URSIV (Government Information Security Office); national CSIRT: SI-CERT.

Slovenia enacted the Information Security Act (ZInfV-1), published in the Official Gazette on 4 June 2025 and in force from 19 June 2025, fully transposing the EU NIS2 Directive (2022/2555) and replacing the 2018 ZInfV. The law extends binding cybersecurity obligations to an estimated 6,000-8,000 entities across critical and important sectors, imposing risk management, personal management accountability, and tiered incident-reporting duties. Supervision and enforcement are vested in URSIV, while SI-CERT (hosted within ARNES) acts as the national CSIRT.

NIS2 & cybersecurity law in Slovenia

In Slovenia, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.

Framework
the NIS2 Directive (EU) 2022/2555, transposed into national law
Approach
cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
Applies to
medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
Incident reporting
an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
Maximum fine
up to โ‚ฌ10 million or 2% of global annual turnover for essential entities
Oversight
the national competent authority and CSIRT designated under NIS2

NIS2 is a directive, so Slovenia implements it through national law; exact scope and deadlines can vary slightly by transposition.

NIS2 in Slovenia: FAQ

Does NIS2 apply in Slovenia?

Yes. As an EU member, Slovenia has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.

Who must comply with NIS2 in Slovenia?

Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.

What are the NIS2 incident-reporting deadlines in Slovenia?

An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.

What are the penalties under NIS2 in Slovenia?

Up to โ‚ฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.

Key points

NIS2 Transposition, ZInfV-1

ZInfV-1 was published in Official Gazette No. 2025-01-1571 on 4 June 2025 and entered into force on 19 June 2025, replacing the 2018 ZInfV. It transposes NIS2 Directive 2022/2555 alongside the EU Cybersecurity Act and Cybersecurity Solidarity Act into a single comprehensive national instrument.

Scope of Obligations

The law covers entities in NIS2 Annex I (high-criticality sectors: energy, transport, banking, financial market infrastructure, health, digital infrastructure, etc.) and Annex II (other critical sectors: postal services, waste management, food production, etc.) with at least 50 employees and annual turnover or balance sheet of at least EUR 10 million. Public-sector bodies are also in scope.

Incident Reporting Duties

Essential and important entities must notify SI-CERT of any significant incident within 24 hours (initial early warning), submit a fuller incident notification within 72 hours, and provide a comprehensive final report within 30 days. Voluntary reporting is open to all other entities.

Supervisory Authorities

URSIV (Urad Vlade RS za informacijsko varnost) is the primary competent national authority, responsible for supervision, enforcement, and representing Slovenia in EU cybersecurity structures as the National Cybersecurity Coordination Centre (NCC-SI). SI-CERT, operationally hosted by ARNES and funded by URSIV, is the designated national CSIRT.

Sanctions and Enforcement

URSIV can impose administrative fines on essential entities of up to EUR 10 million or 2% of global annual turnover (whichever is higher), and on important entities up to EUR 7 million or 1.4% of turnover. Enforcement may escalate from warnings and corrective orders through daily coercive penalties to suspension of certifications for essential entities.

Compliance Timeline

In-scope entities were required to self-register within three months of ZInfV-1's entry into force (deadline approximately September 2025). Full organisational security controls are required by October 2026, with technical compliance measures required by October 2027. Management personal accountability (governing boards must demonstrably oversee security policies) applies from entry into force.

Slovenia - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’