Cybersecurity ยท Slovenia
Cybersecurity law in Slovenia: NIS2 compliance (2026)
Slovenia shaded by its cybersecurity status
Cybersecurity in Slovenia: comprehensive law, anchored by Zakon o informacijski varnosti (ZInfV-1), in force 19 June 2025, transposing EU NIS2 Directive 2022/2555; competent authority: URSIV (Government Information Security Office); national CSIRT: SI-CERT.
Slovenia enacted the Information Security Act (ZInfV-1), published in the Official Gazette on 4 June 2025 and in force from 19 June 2025, fully transposing the EU NIS2 Directive (2022/2555) and replacing the 2018 ZInfV. The law extends binding cybersecurity obligations to an estimated 6,000-8,000 entities across critical and important sectors, imposing risk management, personal management accountability, and tiered incident-reporting duties. Supervision and enforcement are vested in URSIV, while SI-CERT (hosted within ARNES) acts as the national CSIRT.
NIS2 & cybersecurity law in Slovenia
In Slovenia, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to โฌ10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Slovenia implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Slovenia: FAQ
Yes. As an EU member, Slovenia has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to โฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
ZInfV-1 was published in Official Gazette No. 2025-01-1571 on 4 June 2025 and entered into force on 19 June 2025, replacing the 2018 ZInfV. It transposes NIS2 Directive 2022/2555 alongside the EU Cybersecurity Act and Cybersecurity Solidarity Act into a single comprehensive national instrument.
The law covers entities in NIS2 Annex I (high-criticality sectors: energy, transport, banking, financial market infrastructure, health, digital infrastructure, etc.) and Annex II (other critical sectors: postal services, waste management, food production, etc.) with at least 50 employees and annual turnover or balance sheet of at least EUR 10 million. Public-sector bodies are also in scope.
Essential and important entities must notify SI-CERT of any significant incident within 24 hours (initial early warning), submit a fuller incident notification within 72 hours, and provide a comprehensive final report within 30 days. Voluntary reporting is open to all other entities.
URSIV (Urad Vlade RS za informacijsko varnost) is the primary competent national authority, responsible for supervision, enforcement, and representing Slovenia in EU cybersecurity structures as the National Cybersecurity Coordination Centre (NCC-SI). SI-CERT, operationally hosted by ARNES and funded by URSIV, is the designated national CSIRT.
URSIV can impose administrative fines on essential entities of up to EUR 10 million or 2% of global annual turnover (whichever is higher), and on important entities up to EUR 7 million or 1.4% of turnover. Enforcement may escalate from warnings and corrective orders through daily coercive penalties to suspension of certifications for essential entities.
In-scope entities were required to self-register within three months of ZInfV-1's entry into force (deadline approximately September 2025). Full organisational security controls are required by October 2026, with technical compliance measures required by October 2027. Management personal accountability (governing boards must demonstrably oversee security policies) applies from entry into force.
Slovenia - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ