When I first heard about the growing buzz around NIS2 in the European cybersecurity community, I couldn’t help but wonder: how would smaller EU countries, like Slovenia, approach this sweeping regulation? Now, standing in 2025, it’s fascinating to see how Slovenia has carved its own thoughtful, structured path toward compliance.
Without further ado, let me guide you through the key aspects of Slovenia’s journey to implement the Network and Information Security 2 Directive (NIS2) and what organizations need to know moving forward.
Key take-aways on NIS2 Slovenia implementation
Slovenia has made significant progress toward adopting the European Union’s NIS2 directive, formally known as the “Directive on measures for a high common level of cybersecurity across the Union.” The country’s primary legislative vehicle is the Zakon o informacijski varnosti (ZInfV-1), a brand-new cybersecurity act.
The new law does not merely tweak existing rules; it is a comprehensive overhaul. It replaces the 2018 cybersecurity act (ZInfV) and also transposes a second EU directive, the Critical Entities Resilience (CER) Directive. The Slovenian government approved the final version of ZInfV-1 on April 10, 2025, and sent it to the National Assembly under urgent procedure. A parliamentary vote is anticipated between May and June 2025.
Here is a snapshot of where things stand:
Current status of NIS2 Slovenia transposition
| Theme | Where things stand |
| --- | --- |
| Transposition law | ZInfV-1 replaces ZInfV; covers NIS2 and the CER Directive |
| Timeline | Government approval in April 2025; parliamentary vote expected May/June 2025 |
| Scope expansion | From ~1,000 to 6,000–8,000 essential and important entities |
| Entity classes | Essential (≥250 FTE or €50M turnover) and important (≥50 FTE or €10M turnover), depending on sector |
| Maximum fines | Essential: €10M or 2% of worldwide turnover, whichever is higher; Important: €7M or 1.4%, whichever is higher |
| Lead authority | URSIV (Government Office for Information Security) |
| Public sector obligations | Corrective orders instead of fines |
This move considerably enlarges the scope of regulation, affecting medium manufacturers, municipalities with populations over 50,000, and all cloud and telecom operators, regardless of size.
Timeline and important deadlines for Slovenia NIS2 directive
Understanding the detailed timeline is crucial for any organization preparing for the upcoming obligations. The legislative journey has been deliberate and transparent, beginning early in 2024 and progressing steadily toward entry into force in mid-2025, with compliance deadlines running into 2027.
Key dates in Slovenia NIS2 implementation
| Date | Milestone | Status |
| --- | --- | --- |
| 16 Feb 2024 | Consultation draft published | Completed |
| 19 Jul 2024 | Government outlines NIS2 changes | Completed |
| 10 Apr 2025 | Government adopts final bill | Completed |
| May–Jun 2025 | National Assembly vote | Pending |
| Jul 2025 (expected) | Law enters into force | Pending |
| Oct 2025 | Registration deadline | Pending |
| Oct 2026 / Oct 2027 | Organisational / technical compliance deadlines | Pending |
The law will become effective roughly 15 days after publication in the Official Gazette, with entities required to register within three months and achieve organizational compliance within one year and technical compliance within two years.
How Slovenia is implementing the NIS2 directive
Rather than a mere copy-paste of the European text, Slovenia’s ZInfV-1 adds national layers and specific expectations. It extends beyond the 18 sectors listed in NIS2 Annexes I and II, for example by explicitly bringing research and higher-education institutions into scope.
A few highlights of the new cybersecurity act include the full incorporation of the risk-management obligations set out in Article 21 of NIS2. The Slovenian Government Office for Information Security (URSIV) plans to map these obligations to ISO/IEC 27001 controls in a future decree. Organizations will also face stringent incident reporting requirements, mirroring Article 23 of NIS2: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month (30 days), all submitted through the national CERT (SI-CERT) portal.
Supervision will be handled jointly by URSIV and sectoral regulators, who have been granted powers to conduct audits, order penetration tests, and recover costs where necessary.
You can view further details about the draft law on Portal GOV.SI.
Sanctions and board-level accountability
The sanctions under the Slovenia NIS2 directive are stiff and mirror the EU’s broader ambition to ensure that cybersecurity becomes a top priority at the executive level. Depending on classification, companies may face the following penalties:
Sanctions framework under NIS2 Slovenia
| Entity type | Maximum fine |
| --- | --- |
| Essential entities | €10 million or 2% of worldwide annual turnover, whichever is higher |
| Important entities | €7 million or 1.4% of worldwide annual turnover, whichever is higher |
Authorities have established a structured escalation ladder, moving from warnings and corrective orders to coercive daily penalties, culminating in fines. In severe cases involving essential entities, regulatory bodies can also temporarily suspend the entity’s certifications or authorisations.
Crucially, boards of directors are required to formally approve cybersecurity programs. Persistent negligence may result in management disqualification under Slovenia’s Companies Act, a measure that places personal responsibility at the very top.
Impact of NIS2 on Slovenian industries
The expansion in scope under the Slovenia NIS2 implementation has profound effects across different sectors. Many industries that were previously lightly regulated must now meet strict new cybersecurity requirements.
Sectoral impact overview
| Sector | Change | New duties |
| --- | --- | --- |
| Manufacturing (auto, pharma, hi-tech) | Newly regulated if ≥50 FTE | Supply chain reviews, segmentation of OT/IT systems, annual red-team tests |
| Energy & utilities | Expanded to include LNG, hydrogen | SBOM exchange, quarterly cybersecurity KPIs to the Energy Agency |
| Healthcare | From ~40 hospitals to >200 providers | ISO 27001 governance, 24h incident reporting, backup drills |
| Digital infrastructure | All in scope regardless of size | 24/7 SOC presence in the EU, zero-trust roadmap |
| Finance | Alignment with the DORA regulation | ICT third-party register, dual reporting obligations |
| Public administration | Ministries, regions & large municipalities in scope | Appointment of CISOs, fulfilment of 24h/72h reporting obligations |
For further insight into European cybersecurity regulations harmonized with NIS2, the European Commission’s official NIS2 Directive page is a highly recommended resource.
What companies should know about compliance
Businesses should not delay preparing for the incoming changes. Proactive engagement is key, especially for those that suspect they might fall within the “essential” or “important” categories under the Slovenia NIS2 directive.
Immediate actions companies should consider include checking whether they fall within scope using the forthcoming URSIV wizard, expected in Q3 2025. Organizations must be ready to submit registration data such as their MŠ (matična številka, the company registration number), NACE code, and cybersecurity contact details. Additionally, running a gap analysis against the Article 21 requirements will be critical for identifying shortfalls; common ones include missing multi-factor authentication (MFA) on privileged accounts and insufficient supply chain security clauses in supplier contracts.
It is also essential to integrate incident reporting procedures with existing GDPR breach notification processes, given that the NIS2 24- and 72-hour windows run alongside GDPR’s own 72-hour deadline for notifying the supervisory authority. Board members must be briefed early and must formally approve the cybersecurity programme to avoid personal liability.
Preparing for the future of cybersecurity regulation in Slovenia
As Slovenia nears full adoption of the NIS2 directive, organizations must recognize that cybersecurity is no longer a “nice-to-have” but a legal and strategic imperative. The deadlines for registration and compliance under the Slovenia NIS2 directive are fast approaching, and proactive planning today will distinguish compliant, resilient organizations from those struggling with penalties tomorrow.
Are you ready to meet the new expectations set by Slovenia’s cybersecurity evolution?