The Slovak Act on Cybersecurity has been in force since April 2018. The new Act transposes into the Slovak legal system a piece of European Union legislation on cybersecurity, the Directive on Security of Network and Information Systems (the NIS Directive). This directive is the first piece of EU-wide legislation that provides legal measures to boost the EU’s overall level of cybersecurity.

The Cybersecurity Act applies to both the public and private sectors in Slovakia and its main goal is to enforce a strategy for dealing with cyber threats.

The Act differentiates between two types of organizations:

  1. operators of essential services, and
  2. digital service providers.

Operators of essential services are legal entities from various sectors such as energy suppliers, transport providers, banks and credit providers, providers of postal services, financial market infrastructure (such as stock exchanges), manufacturers of medical products, healthcare providers, drinking water suppliers and distributors who exceed the criteria specified in Annex No. 1 of the Cybersecurity Act and the criteria published by the Regulation of National Security Authority (the NSA).

Digital services providers are legal entities or natural person-entrepreneurs that provide a digital service, employ at least 50 employees, and have an annual turnover or overall annual balance of over EUR 10,000,000.

Under the temporary and final provisions of the Act, those who qualify as operators of essential services or as digital service providers are obliged to notify the NSA on the date they exceed the criteria, but at the latest six months after this Act comes into force. Since the Act came into force in April 2018, the deadline for notification is October 2018. The NSA will then add the service to the list of Essential services by 9 November 2018 and its operator in the registry of operators of essential services; this also applies to digital services and their providers.

Within two years of this Act coming into force (April 2020), registered entities will be obliged to adopt the security measures specified in the Act. Among other duties, they will be required to report incidents to the competent authority when there has been a substantial impact on the provision of their services. A breach of such duties may result in a fine of up to 300,000 EUR.