Slovakia is still in the process of approving the draft legislation for the implementation of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive). Slovakia has therefore missed the transposition deadline of October 17, 2024; the draft is pending approval in Parliament, which is expected by late November 2024.
The proposed legislation closely mirrors the NIS2 Directive’s text and introduces significant changes in several areas in comparison with the current legislation. A major adjustment involves incident reporting, making reporting and vulnerability notifications mandatory. Importantly, the NIS2 Directive removes the distinction between essential service providers and digital service providers, categorizing regulated entities into two types based on their significance: essential entities that provide critical essential services and important entities that deliver other essential services.
The draft legislation departs from existing laws by eliminating the classification of serious cybersecurity incidents into categories. Incident reporting will transition to a centralized cybersecurity information system, enhancing efficiency and consistency in incident management. Essential service operators will face expanded responsibilities for reporting cybersecurity incidents.
Under the NIS2 Directive framework, the proposed legislation introduces a threshold for the size of regulated businesses. Notably, critical entities will be regulated without a size assessment. Security measures will be refined to align with new standards and enhanced risk analysis tools will be established, ensuring a baseline level of cybersecurity across Slovakia.
The draft legislation also strengthens supervisory activities, promotes education, increases accountability, and enhances the role of cybersecurity managers. New entities subject to essential service operator obligations will be required to undergo cybersecurity audits, ensuring compliance with updated security requirements and best practices.
In Slovakia, the National Security Authority has been designated as the responsible body for cybersecurity, serving as both a supervisory authority and the national contact point for cybersecurity issues. It has established the National Cybersecurity Centre SK-CERT, which provides incident management services, recovery support, and system restoration after incidents, functioning as a national Computer Security Incident Response Team.
Operators of essential services must report significant cybersecurity incidents, substantial cyber threats, last-minute events that could lead to severe incidents, and vulnerabilities in publicly accessible networks and information systems they manage. The legislation will impact various entities, including domain name registrars, online marketplace providers, internet search services, and social media platforms, which will be tasked with updated cybersecurity obligations. These obligations include establishing security policies, appointing responsible individuals, mandatory reporting of security incidents to the National Security Authority, and conducting cybersecurity audits.
Domain name registration service providers will need to maintain a record of registration data, including details such as the domain name, registration date, and contact information for the domain holder.
The implementation of the draft legislation is expected to affect approximately 3,400 new entities, according to the National Security Authority. Among these, around 2,750 will be medium-sized enterprises, and approximately 650 will be large entities. However, this count may be somewhat inflated, as many organizations, particularly those classified as critical infrastructure, are already subject to existing legislation.
With the NIS2 Directive’s implementation, businesses in newly regulated sectors will face new compliance costs, potentially amounting to thousands of euros. Many operators already comply with international ISO security standards, and the main costs associated with the NIS2 framework will involve regulatory compliance, particularly concerning security requirements, incident reporting duties, and oversight measures, including compliance documentation through audits.
The draft legislation also includes specific decrees related to training center recognition. Should the Slovak draft legislation be approved by the end of this year, it is expected to take effect on January 1, 2025, with a 12-month timeline for implementing required security measures. Following the law’s passage, businesses must ensure compliance to avoid potential legal penalties and financial losses.
By Bernhard Hager, Managing Partner, and Simona Makuchova, Senior Associate, Eversheds Sutherland
This article was originally published in Issue 11.11 of the CEE Legal Matters Magazine.