NIS 2 Status in Slovakia
What the directive requires, how Slovakia transposes it, and where NBÚ sits in the picture.
Overview
The NIS 2 Directive is the EU layer. It binds every Member State, including Slovakia, to a single minimum level of cybersecurity for essential and important entities. Slovakia has to write that level into Slovak law and supervise under it.
Slovakia transposes NIS 2 by amending its existing 2018 Cybersecurity Act. The vehicle is Act No. 366/2024 Z.z., which amends Act No. 69/2018 Z.z. on cybersecurity. It was adopted by the National Council on 28 November 2024, published in the Collection of Laws on 19 December 2024 and entered into force on 1 January 2025. Slovakia missed the 17 October 2024 EU deadline by about two and a half months, which puts it in the group of Member States the Commission addressed via infringement letters before full transposition was notified.
The Národný bezpečnostný úrad (NBÚ, National Security Authority) is the lead competent authority and single point of contact. SK-CERT, operated inside NBÚ, is the national CSIRT. Registration, incident reporting and most regulatory exchanges run through JISKB, the Jednotný informačný systém kybernetickej bezpečnosti.
EU Directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. It defines the obligations every Member State has to transpose, including the size and sector test for essential and important entities.
EU Implementation
Implementing Regulation (EU) 2024/2690
Technical and methodological measures for providers of digital infrastructure. Directly applicable in Slovakia, no national transposition needed.
Slovak transposition
Act No. 366/2024 Z.z. (amendment to Act No. 69/2018 Z.z. on cybersecurity), in force 1 January 2025
The Slovak NIS 2 transposition. It rewrites the 2018 Cybersecurity Act rather than replacing it, replaces the old appendix-based identification of essential service operators with a statutory list in section 17 paragraph 1, and adds the supervisory powers and reporting duties required by NIS 2. Implementing decrees from NBÚ fill in the operational detail.
Act No. 366/2024 Z.z.
Brings the NIS 2 obligations into Slovak law by amending the 2018 Cybersecurity Act. Defines the new scope of essential and important entities, NBÚ's supervisory powers, the incident reporting timetable and the sanctions regime. Operational detail is set in implementing decrees and NBÚ guidance.
NBÚ as supervisor and SK-CERT operator
NBÚ is the lead competent authority and single point of contact under NIS 2. It runs supervision, audits and sanction procedures, operates SK-CERT as the national CSIRT, and runs JISKB as the central registration and reporting portal. Sector regulators keep their role where lex specialis applies, in particular for the financial sector under DORA.
Registration and reporting
The directive requires entities to be identifiable by Member States from 17 April 2025. In Slovakia this happens through JISKB. Significant incidents follow the directive: early warning within 24 hours, notification within 72 hours, final report within one month.
In Slovakia, Slovak law applies
Activities on Slovak territory follow the Slovak transposition. A German managing director with a Slovak subsidiary reads Act 366/2024 (amending Act 69/2018) for that subsidiary, not the BSIG. The directive-level obligations are identical. The procedure, the portal and the sanctions live in Slovak law.
Slovakia cannot fall below the EU level
The directive is minimum harmonisation. Slovakia may go stricter, in particular for sectors it identified as critical under its older framework. Slovakia may not fall below the directive, neither on the obligations for essential and important entities, nor on reporting deadlines, nor on management body accountability.
NBÚ
Národný bezpečnostný úrad. Lead competent authority and single point of contact under NIS 2. Runs supervision, issues implementing decrees and guidance, maintains the registers of essential and important entities, and operates JISKB. The point of contact for any cross-border NIS 2 case involving Slovakia.
SK-CERT
The national CSIRT, operated inside NBÚ. Receives incident notifications, coordinates with sectoral and governmental CSIRTs, and exchanges with the CSIRTs network at EU level. Reachable 24/7. The technical counterpart to NBÚ's regulatory role.
ENISA
The EU cybersecurity agency. Publishes guidance, runs the European vulnerability database and coordinates across borders. Not a supervisor for Slovak entities. That role sits with NBÚ.
Misconception: Slovak NIS 2 obligations are the same text as the German BSIG, so the German guidance is enough.
The directive-level obligations are identical, but the procedural layer is not. Slovakia keeps its 2018 Cybersecurity Act structure, with NBÚ instead of BSI, SK-CERT instead of CERT-Bund, JISKB instead of the German registration portal, and Slovak deadlines and sanction figures. A Slovak entity that reads only BSIG guidance will file in the wrong place and quote the wrong articles.
Misconception: There is no registration portal yet, so we can wait.
Slovakia runs JISKB (Jednotný informačný systém kybernetickej bezpečnosti) for registration, notifications and incident reporting. It is operated by NBÚ and is the channel essential and important entities use to identify themselves to the authority. Waiting for a separate portal that does not exist is the most common reason Slovak entities miss the registration window.
Misconception: Only entities on the old appendix list are in scope.
Act 366/2024 replaced the older appendix-based identification with a statutory list in section 17 paragraph 1 of the amended Cybersecurity Act. The size and sector test from the directive applies in addition. The result is a substantially larger population of regulated entities, estimated in published Slovak commentary in the order of several thousand. The applicability check has to be redone case by case.
Most Slovak mid-market operators we meet still treat NIS 2 as a small update to the 2018 Cybersecurity Act. The amendment is more than that. The scope of regulated entities is broader, the management body now carries personal accountability for approving risk treatment and for its own training, and the reporting timetable is harder than what the old appendix-based regime asked for.
The practical step is the same as everywhere in the EU: run the applicability check against the directive, register through the national portal (here JISKB), set up the four continuous obligations (keeping registration data current, incident reporting, supply chain risk, supervision by the management body), and document the minimum. The existing 2018 Cybersecurity Act process helps, but it does not replace the NIS 2 obligation register.
We build the NIS 2 obligation register at EU level, not on a single national transposition. The same checklist fits a Slovak entity under Act 366/2024, a German parent under BSIG and a French sister under Ordonnance n° 2024-1093. Article references change per country; the obligations in substance do not.
For Slovak scope, start with the applicability check, then reporting cadence, supply chain clauses and management body sign-off. Where NBÚ publishes sectoral decrees or guidance, we link them. We do not copy them.
- Directive (EU) 2022/2555 (NIS 2), EUR-Lex
- Implementing Regulation (EU) 2024/2690
- Act No. 366/2024 Z.z. amending Act No. 69/2018 Z.z. on cybersecurity, Slov-Lex
- Act No. 69/2018 Z.z. on cybersecurity (consolidated text), Slov-Lex
- Národný bezpečnostný úrad (NBÚ), official site
- SK-CERT, national Computer Security Incident Response Team
- JISKB, Jednotný informačný systém kybernetickej bezpečnosti, operated by NBÚ
- European Commission, NIS 2 implementation page for Slovakia