NIS 2 status in Slovenia
What the directive requires, how Slovenia transposes it, and where URSIV sits inside the picture.
Overview
The NIS 2 directive is the EU layer. It binds every member state, including Slovenia, with one cybersecurity floor for essential and important entities. Slovenia must put that floor into Slovenian law and run a supervision regime under it.
Slovenia missed the 17 October 2024 transposition deadline. The European Commission issued a reasoned opinion on 7 May 2025 for failure to notify full transposition. Slovenia then accelerated, published the new Information Security Act (Zakon o informacijski varnosti, ZInfV-1) in the Official Gazette on 4 June 2025, and brought it into force on 19 June 2025.
URSIV (Urad Vlade Republike Slovenije za informacijsko varnost, the Government Office for Information Security) is the competent national authority. SI-CERT, operated inside the Arnes public institute, is the national CSIRT and the incident reporting contact. Essential and important entities have 18 months from entry into force to implement the risk management measures under ZInfV-1.
EU directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.
EU implementation
Commission Implementing Regulation (EU) 2024/2690
Technical and methodological measures for digital infrastructure providers. Directly applicable in Slovenia without national transposition.
Slovenian transposition
Zakon o informacijski varnosti (ZInfV-1), Official Gazette 4 June 2025
The Slovenian NIS 2 transposition. Replaces the earlier ZInfV (NIS 1 era). Implementing acts and URSIV guidance fill in operational detail. Entry into force on 19 June 2025, with an 18-month window for entities to implement Articles 21 and 22 risk management measures.
ZInfV-1 (Information Security Act)
Carries the NIS 2 obligations into Slovenian law. Defines the perimeter of essential and important entities, the supervision powers of URSIV, incident reporting duties and sanctions. The act extends the population of regulated entities well beyond the NIS 1 ZInfV scope, into both public sector bodies and a broader set of private operators.
URSIV as competent authority
URSIV (Urad Vlade Republike Slovenije za informacijsko varnost) is the competent national authority and single point of contact for NIS 2 in Slovenia. It runs supervision and guidance. SI-CERT, inside the Arnes public institute, runs incident handling and is the operational reporting contact. Sectoral regulators stay competent where lex specialis applies, in particular finance under DORA.
Registration and implementation window
ZInfV-1 entered into force on 19 June 2025. Essential and important entities have 18 months from that date to implement the risk management measures under Articles 21 and 22 of the act. Significant incidents follow the directive's cadence: early warning within 24 hours, notification within 72 hours, final report within one month. Registration is run by URSIV. The exact portal mechanics are still being rolled out, so check URSIV guidance before assuming a specific URL.
Local law applies inside Slovenia
Operations on Slovenian territory follow the Slovenian transposition. A German parent running a Slovenian subsidiary reads ZInfV-1 for that subsidiary, not the German BSIG. The directive obligations are the same. Procedure, authority and sanctions live in Slovenian law.
Slovenia cannot go below the EU floor
The directive is a minimum harmonisation instrument. Slovenia can go stricter, and ZInfV-1 does extend the regulated population beyond the directive minimum. Slovenia cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability.
URSIV
Government Office for Information Security. Competent national authority and single point of contact under NIS 2. Runs supervision, issues guidance, and is the policy owner for ZInfV-1. Maintains registration of essential and important entities.
SI-CERT (Arnes)
National CSIRT, operated inside the Arnes public institute (Academic and Research Network of Slovenia). Operational incident reporting contact, runs early warning, alerts and information dissemination. Coordinates with URSIV on NIS 2 incident handling.
ENISA
The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database and supports cross-border coordination. Not a supervisor for Slovenian entities. URSIV is.
"If we follow the German BSIG we are covered in Slovenia."
The substantive obligations come from the same directive, but the procedure, the competent authority, the reporting channel and the sanctions sit in Slovenian law. A Slovenian subsidiary registers with URSIV, reports to SI-CERT, and is supervised under ZInfV-1. Reading the German act gives you the directive shape but not the local procedure.
"Slovenia missed the deadline, so nothing is in force yet."
ZInfV-1 entered into force on 19 June 2025. The 18-month implementation window for Articles 21 and 22 risk management measures runs from that date, not from the EU deadline. The Commission's reasoned opinion of 7 May 2025 was about late notification of transposition; it does not pause obligations on entities once the national law is in force.
"We are not in a critical sector, so ZInfV-1 does not touch us."
ZInfV-1 covers the directive's full essential and important entity perimeter and adds public sector bodies. By default the size test limits scope to medium and large enterprises, but the directive captures smaller entities where they are the sole provider, where disruption has cross-border impact, or where Slovenian law names them. The applicability check has to be done case by case, not by self-perception of criticality.
Most Slovenian operators we see treat NIS 2 as a continuation of the old ZInfV regime. That is partly right: URSIV is still the policy owner and SI-CERT still runs incident response. But the scope is wider, the management body sign-off is heavier, and the 18-month implementation window from 19 June 2025 is a real clock. The director or management board is personally on the hook for risk management approval and for completing the required training.
The practical move is the same as everywhere else in the EU: confirm scope under the directive, register with URSIV, set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk, management body oversight) and document the minimum. The old ZInfV documentation helps, but it does not substitute for the ZInfV-1 obligation register.
We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a Slovenian entity under ZInfV-1, a German parent under BSIG and a French sister under Ordonnance n° 2024-1093. Article references switch per locale. The substantive obligations do not.
For Slovenian scope you start with the applicability check, then move to incident reporting cadence into SI-CERT, supply chain clauses and management body sign-off. Where URSIV publishes sector guidance, we reference it. We do not duplicate it.
- Directive (EU) 2022/2555 (NIS 2), EUR-Lex
- Commission Implementing Regulation (EU) 2024/2690
- Zakon o informacijski varnosti (ZInfV-1), Official Gazette of the Republic of Slovenia, 4 June 2025
- URSIV, Urad Vlade Republike Slovenije za informacijsko varnost, gov.si
- SI-CERT, national CSIRT inside the Arnes public institute, cert.si
- European Commission, NIS 2 implementation overview for Slovenia, reasoned opinion of 7 May 2025