General News

Amendment to the Cyber Security Act as a result of transposition of the NIS 2 Directive into Slovak law

The NIS 2 Directive[1] is a European-wide cybersecurity law that modernizes the existing legal framework to keep pace with increasing digitalization and the evolving cybersecurity threat landscape. By extending the scope of the cybersecurity rules to new sectors and entities, it improves the resilience and incident response capability of public and private entities, of the competent authorities and of the EU as a whole.


1. Transposition of the NIS 2 into Slovak law

NIS 2 was transposed into Slovak law by Act No. 366/2024 Coll., which amends Act No. 69/2018 Coll. on cyber security and on amendments and supplements to certain acts, as amended (hereinafter the "Amendment to the Act on Cyber Security"). The Amendment to the Act on Cyber Security was adopted on 19 December 2024 and took effect on 1 January 2025.


2. The main objectives of the NIS 2 / Amendment to the Act on Cyber Security

a) expanding the range of entities required to take measures to enhance their cybersecurity,

b) harmonizing a common EU approach to incident reporting, security requirements, supervisory measures and information exchange.


3. Extension of the range of obliged entities

In contrast to the previous legislation, the Amendment to the Act on Cyber Security applies to a broader range of industries (sectors), selected according to their importance to the economy and society. The Explanatory Memorandum to the Amendment to the Act on Cyber Security assumes that the new cybersecurity regulation will directly affect around 3,500 entities.

Obliged entities are classified according to their importance and divided into two categories:

     a) operators of essential services,

     b) operators of critical essential services,

which are subject to different supervisory regimes.

To determine whether an entity falls under the category of an operator of an essential service or of a critical essential service, it is necessary to assess in detail the sector in which the entity operates, whether it qualifies as a medium-sized or large enterprise, and whether any other conditions apply. The Amendment to the Act on Cyber Security broadens the scope of the cybersecurity rules by adding new sectors, selected according to their degree of digitalization and interconnectedness and their importance to the economy and society, and by introducing a clear size threshold. This means that all medium-sized[2] and large[3] companies in the selected sectors fall within scope. In some critical sectors, however, entities are covered by the cybersecurity regulation regardless of their size.

Even a company that does not itself fall within the scope of the Act on Cyber Security is likely to find that some of its suppliers or customers do. Such an obliged entity must put cybersecurity measures in place across its supply chain, and will therefore require the company to comply with the necessary cybersecurity requirements. As a result, even entities that are not directly subject to the cybersecurity regulation (or to local legislation) will in some cases need to adjust their operations to meet the requirements of suppliers or customers that are regulated by the Act on Cyber Security.


4. Incident reporting

The Amendment to the Act on Cyber Security introduces a multi-stage obligation to report every significant cyber incident, through the competent computer security incident response team ("CSIRT"), to the National Security Authority ("NBU"):

- early warning (within 24 hours of becoming aware of the significant incident),

- incident notification (without undue delay and in any event within 72 hours of becoming aware of the significant incident),

- intermediate report (at the request of the CSIRT),

- final report (no later than one month after submitting the incident notification).

The Amendment also allows any cyber security incident (i.e. even one that is not significant), cyber threat or near miss to be reported voluntarily. The NBU will analyze a voluntarily reported incident or threat to the extent that its technical conditions and capacities allow.


5. Responsibilities of the statutory bodies

The Amendment to the Act on Cyber Security imposes direct obligations on the statutory bodies of the affected entities. In other words, the statutory bodies (e.g. directors, chairpersons or board members) bear ultimate responsibility for the cybersecurity risk-management measures in the company.

They are responsible for:

a)    approving the cybersecurity risk-management measures,

b)    supervising the implementation of the cybersecurity risk-management measures,

c)    completing training that enables them to identify risks and to assess cybersecurity risk-management practices and their impact on the services provided by the entity,

d)    regularly offering similar training to their staff,

e)    the consequences of non-compliance.

Failure by management bodies to comply with these requirements can have serious legal consequences, such as personal liability for damages, a temporary prohibition or restriction on membership of the statutory body, or other sanctions such as fines. A temporary prohibition should, however, only be applied as a last resort, i.e. only after other relevant enforcement measures have been exhausted, and only until the entity concerned has remedied the deficiencies or complied with the requirements of the competent authority in relation to which the temporary prohibition was imposed.


6. Sanctions

The NBU, as the competent authority, may impose the following sanctions for non-compliance with the cybersecurity rules set out in the Act on Cyber Security:

a)   Fines

   - operator of a critical essential service: an administrative fine of up to EUR 10,000,000 or up to 2 % of the total worldwide annual turnover in the preceding financial year, whichever is higher,

   - operator of an essential service: an administrative fine of up to EUR 7,000,000 or up to 1.4 % of the total worldwide annual turnover in the preceding financial year, whichever is higher.

b)   Imposing a binding instruction (e.g. to conduct a cybersecurity audit or to take corrective action)

c)   Prohibition on providing the service until the unlawful situation has been rectified

d)   Restriction of users' access to the service or to the online interface (on the basis of a court decision)

e)   Prohibition on exercising the functions of a statutory body


7. How should an entity that assumes it may be subject to regulation under the Amendment to the Act on Cyber Security proceed?

In particular, the entity concerned should take the following steps:

a)   conduct an impact analysis of the Amendment to the Act on Cyber Security on the entity, i.e. a detailed assessment of the criteria for whether the entity falls under the regulation of the Act on Cyber Security,

b)   if the entity meets the criteria for inclusion in the list of essential service operators, file an application for inclusion in that list within 60 days of the effective date of the Amendment to the Act on Cyber Security,

c)   carry out a detailed risk analysis and gap analysis,

d)   assess its supplier and customer chain in detail,

e)   adopt internal cyber security policies, including the necessary security measures and the arrangements and procedures for incident reporting, no later than 12 months after inclusion in the list of essential service operators,

f)   provide training for management as well as employees,

g)   conduct a cybersecurity audit within 24 months of inclusion in the list of essential service operators.


8. Comprehensive cyber security services

Lansky, Ganzger, Jacko & Partner, s.r.o. (Legal) has formed a unique partnership with Moore BDR s.r.o. (Audit), DXC Technology Slovakia s.r.o. (IT) and Aon Central and Eastern Europe (Insurance) to provide clients with comprehensive cybersecurity services aimed at ensuring compliance with the Act on Cyber Security (NIS 2), as well as other cybersecurity services such as:

a)   comprehensive cyber security consulting,

b)   structuring cybersecurity projects,

c)   conducting cybersecurity audits,

d)   developing a cyber security strategy,

e)   implementing technical and legal solutions,

f)   regular monitoring and system updates,

g)   training and attack simulations,

h)   preparing complex contractual and other documentation,

i)   negotiating cybersecurity contracts with IT providers as well as with entities in the supply chain,

j)   preliminary dispute resolution and litigation support,

k)   cybersecurity due diligence in M&A transactions,

l)   cybersecurity risk insurance.


[1]   Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), hereinafter referred to as "NIS 2".

[2]   Medium-sized enterprises: 50 to 249 employees, or a turnover of more than €10 million.

[3]   Large enterprises: 250 or more employees, or a turnover of more than €50 million.
