NIS2 directive regulations and implementation in Slovakia

Reviewed by: Nojus Bendoraitis (General Counsel)

When I first came across the numbers—jumping from around 1,000 to over 10,000 regulated entities in Slovakia—it was clear that the NIS2 Directive (Network and Information Security Directive 2) wasn’t just an update; it was a systemic upheaval. For companies operating in Slovakia, whether in manufacturing, healthcare, or digital infrastructure, the shift is substantial. The revised directive doesn’t just tighten cybersecurity obligations—it reshapes the entire regulatory landscape.

In this article, we’ll break down what the Slovakia NIS2 implementation means in practice, who it affects, the penalties for non-compliance, and how companies can act now to avoid scrambling later. Let’s start by looking at the foundation of this regulatory overhaul.

Key takeaways on the NIS2 Slovakia transposition

Slovakia has formally transposed the NIS2 Directive through Act No. 366/2024 Coll., an amendment to the original Cybersecurity Act 69/2018 Coll. The amendment passed through the National Council on 28 November 2024, was published in the official Collection of Laws on 19 December, and came into force on 1 January 2025. This legal framework significantly expands the scope of regulated entities and establishes detailed cybersecurity obligations.

Current implementation status

Here’s a detailed look at the legal and procedural milestones defining the NIS2 Slovakia transposition:

Implementation timeline for Slovakia NIS2 directive

Date | Milestone | Status
27 Apr 2024 | NBÚ (National Security Authority) opens stakeholder consultations | ✔︎
27 Sep 2024 | Government sends draft bill to Parliament | ✔︎
28 Nov 2024 | Parliament passes Act No. 366/2024 | ✔︎
19 Dec 2024 | Law published in official collection | ✔︎
1 Jan 2025 | Law enters into force; JISKB portal opens | ✔︎
1 Mar 2025 | Deadline for re-registration of existing operators |
31 Dec 2026 | Deadline for full compliance and legacy control upgrades |

The portal where entities must register—JISKB by NBÚ—acts as both a reporting platform and compliance registry.

How Slovakia is implementing the NIS2 directive

Unlike its predecessor, the new framework introduces a dual classification of entities: essential and important. The distinction hinges on both service criticality and size thresholds—≥250 FTEs and €50 million turnover for essential; ≥50 FTEs and €10 million for important. However, entities in sectors like cloud services, telecommunications, and DNS are in-scope regardless of size.

New classification and obligations under Slovakia NIS2 directive

Classification | Criteria | Key obligations
Essential | ≥250 FTE / €50m turnover | Full audits, detailed incident reporting, large fines
Important | ≥50 FTE / €10m turnover | Self-assessment (initially), lighter supervision
Public Sector (Large) | Municipalities ≥50,000 people | Only corrective orders, no fines

This new model is backed by a revised risk management catalogue aligned with ISO/IEC 27001, which the NBÚ will further detail in upcoming decrees.

What companies should know now

The most pressing task for affected organisations is self-identification and registration. Companies must determine whether they fall under the essential or important category using the NBÚ’s online wizard.

Once identified, the steps are straightforward—but demanding:

  • Register via the JISKB portal within 60 days of being in-scope.
  • Conduct a gap analysis aligned with Article 21 of NIS2, focusing on controls like multi-factor authentication and third-party risk.
  • Prepare incident reporting SOPs that dovetail with GDPR obligations.
  • Secure board-level approval for a strategic cybersecurity program.
  • Schedule an audit—self-assessment is permitted initially, but certified audits are required within five years.

Sector-specific impacts across Slovakia

NIS2 is not a one-size-fits-all framework—it varies considerably across sectors. The scope expansion is especially significant in industries that weren’t regulated under the original directive.

Sector-specific changes and new responsibilities

Sector | Change from previous regime | New requirements
Manufacturing | Now included as important entities | Annual red-team tests, OT/IT segregation
Energy & Utilities | Broader scope incl. LNG & hydrogen | 24h incident rule, board KPIs, SBOM requirements
Healthcare | Dramatic expansion to 250+ providers | ISO 27001 compliance, backup drills, 24h alerts
Digital Infrastructure | In scope regardless of size | 24/7 SOC in EU, zero-trust strategies, vendor logs
Finance | Merged with DORA | Dual reporting, third-party ICT registers
Public Sector | Larger municipalities in-scope | Baseline security, designated CISO, reporting rules

Sanctions and compliance enforcement

The penalties under the Slovakia NIS2 implementation are no longer symbolic. Essential entities face fines up to €10 million or 2% of global turnover, while important entities may be fined up to €7 million or 1.4%. Beyond fines, other consequences include:

  • Public naming for non-compliance
  • Temporary bans on directors for repeated negligence
  • Service suspension for essential providers
  • Corrective orders for public entities, with no monetary penalties

Incident reporting deadlines are similarly strict: within 24 hours for alerts, 72 hours for updates, and 30 days for final reports. All submissions go through the JISKB portal.

Building cybersecurity resilience in Slovakia

Slovakia’s NIS2 transposition doesn’t merely bring the country into compliance with EU standards—it sets the tone for a long-term cultural shift in digital risk management. The combination of sector-specific mandates, strict timelines, and robust enforcement will likely transform how organisations approach cybersecurity.

Companies that act early—by registering, conducting gap analyses, and briefing their boards—will not only meet compliance but also strengthen their digital operations.

Are you prepared for the next incident?

With only months left before mandatory registration deadlines, and less than two years until full compliance is required, Slovak companies must move swiftly. The regulatory bar is higher, and the consequences of falling short are steeper. But those who treat the Slovakia NIS2 directive as an opportunity—not just a mandate—will be best positioned to lead in a digitally secure future.

For the official NIS2 implementation details in Slovakia, visit the NBÚ’s dedicated NIS2 portal.
