On January 1, 2025, an amendment to the Cybersecurity Act will take effect, significantly expanding its scope. For the first time, cybersecurity obligations will also apply to companies outside the critical infrastructure sector, such as food production, electronics, and waste management. The new obligations will apply to companies with at least 50 employees and an annual turnover of at least EUR 10 million. These businesses will be required to implement cybersecurity measures, conduct audits and risk assessments, ensure data protection, and report incidents to the National Security Authority (NBU). Companies will have specific deadlines to meet these obligations.
On November 28, 2024, the National Council of the Slovak Republic approved an amendment to the Cybersecurity Act No. 69/2018 Coll., which transposes the European NIS 2 Directive (Network and Information Systems Directive) into Slovak law. The amendment will take effect on January 1, 2025.
Scope of the Act
The original act primarily applied to critical infrastructure entities operating in sectors such as energy, healthcare, public administration, and others. The amendment expands the scope of the act to include new entities.
If:
- you operate in industries such as food production, waste management, or manufacturing (e.g., electronics, computing equipment, machinery, motor vehicles, and other transport equipment),
- you have at least 50 employees, and
- your annual turnover is at least EUR 10 million,
it is likely that the amendment will apply to you.
Obligations
Affected companies are required to fulfill several key cybersecurity requirements:
- implement cybersecurity protection measures,
- educate employees,
- conduct security audits and risk assessments,
- ensure the protection of personal and sensitive data,
- report significant security incidents to the NBU.
If your business falls under the scope of the law, you must register with the NBU within 60 days of the amendment's effective date or of the commencement of operations. The NBU will register your company within 30 days. Within 12 months of registration, appropriate cybersecurity measures must be adopted, and within 24 months, the first audit must be conducted.
To protect your company from cyber threats, the first step is to conduct an asset analysis, i.e., identify the systems without which the company's daily operations cannot be performed (e.g., customer databases, product information, attendance systems). Based on this analysis, the ways to prevent or address cyber threats (e.g., data backups, antivirus programs) are determined.
A new requirement is to ensure the security of the supply chain. This applies to suppliers whose activities are directly related to the operation of networks and information systems. Companies are required to enter into contracts with these suppliers that oblige them to adhere to cybersecurity measures.
Sanctions
Failure to comply with obligations may result in fines of up to EUR 10 million or 2% of annual turnover, whichever is higher. Statutory representatives who seriously breach their obligations under the law may be banned from holding managerial positions until these obligations are met.