The Slovak Cyber Security Act (Act No. 69/2018 Coll., the “Act”) defines the minimum requirements to ensure cyber security in Slovakia. The Act applies to operators of essential services, i.e., to entities in key sectors, including banking, electronic communications, energy and healthcare , and to digital service providers.
While the Act focuses on providers of services that are essential for the proper functioning of society and the economy, its measures may also apply to smaller companies in certain sectors. For instance, in healthcare the Act applies to (1) healthcare providers listed in Annex 1 of the Act, defined as “any persons or any other entity legally providing healthcare in the territory of a Member State” and (2) administrators and operators of networks and IT systems that form an element of critical infrastructure.
Decree No. 164/2018 Coll., laying down identification criteria for operated services (essential services criteria) sets out the specific sector and impact criteria for healthcare. These include setting out the minimum number of emergency beds in last three calendar years at 500, the status of highly specialised traumatology care centres under separate legislation and the provision of laboratory services.
In principle, operators of essential services have primarily the obligation (1) to take the prescribed security measures, and (2) to address and immediately report security incidents. However, they are also obliged:
a) to report to the National Security Authority (the “NSA”) that the company should be registered in the register of essential services operators (and to inform the provider of electronic communication services of this);
b) to take and comply with security measures to the extent prescribed;
c) to address cyber security incidents (including providing appropriate evidence to be used in prosecution);
d) to enter into an agreement on compliance with safety measures and notification duties with providers of those services that directly relate to the operation of networks and information systems; and with
e) various notification duties:
1. to report each substantial cyber security incident through a uniform cyber security information system,2. to notify the providers listed above about any reported cyber security incident; 3. to inform the law enforcement authorities if a crime related to a cyber attack was committed.
Impact criteria are defined in the Decree as the consequences of a cyber security incident involving the functionality of an IT system or network upon which the provision of service depends. Potential consequences of a cyber security attack in healthcare can include an economic loss higher than 0.1% of GDP, an economic loss or material damage of more than EUR 250,000 suffered by at least one user, more than 100 injured persons requiring medical treatment, or the loss of one life, and also includes disruption of public order or public security.
Another important obligation is to carry out a cyber security audit within two years from registration in the list of essential services operators.The cyber security audit seeks to evaluate compliance with adopted security measures and with other obligations under the Act. A Decree laying down the rules and scope of the cyber security audit and details of the accreditation of bodies verifying compliance is currently under discussion in the intradepartmental comments procedure. Current wording of the draft Decree provides for a cyber security audit each two years and after each change with a significant effect on the implemented security measures. The audit is to be carried out by an individual—an auditor who is certified by an accredited certification body. Such certification is to be made based on an application that contains the requirements prescribed by law, and the certificate is to be issued with a validity of no more than three years with a renewal option. The auditor’s authority includes establishing the duration of the audit so as to sufficiently verify if adopted security measures are effective. At the end of the audit the auditor issues a final audit report with an assessment of the audit results and the evidence used to make the assessment. Essential service operators are obliged to present to the NSA within 30 days of completion of the cyber security audit the final audit report and the rectification measures, including specific time limits. Costs of the audit are to be borne by the essential service operator.
In the area of cyber security, the National Security Authority also carries out inspections, issues decisions imposing measures, and imposes sanctions for minor or other administrative offences. The NSA may impose a penalty from EUR 300 up to 1% of overall annual turnover for the preceding financial year, but no more than EUR 300,000. In a future Decree the NSA will define requirements for the accreditation of compliance verification bodies, for the expertise and qualifications to be held by auditors, for the content and scope of the final audit report, and for the outcome of cyber security audit.