First, determine whether the new legislation applies to you and if you are a provider of regulated services
Just as in the Czech Republic, companies in Slovakia must determine, whether they fall under the new legislation and whether they are operators of regulated services. If you conduct business in Slovakia, you have likely chosen one of the following approaches:
- Operating under a Czech (or other foreign) entity
- Operating through branch offices
- Operating through subsidiaries
Which of these cases requires registration? To simplify the legal theory and interpretation – the registration obligation applies only to subsidiaries based in Slovakia. Foreign parent companies and branch offices are not subject to registration in Slovakia.
For a long time, there was little news regarding Slovakia’s new cybersecurity regulation. While the Czech National Cyber and Information Security Agency regularly presents updates and operates under the scrutiny of experts, Slovakia’s National Security Authority (NBÚ) has been more reserved in sharing information. It was therefore somewhat surprising when, at the end of November last year, an amendment to Slovakia’s Cybersecurity Act was approved, set to take effect on January 1, 2025. Many Czech companies operate in Slovakia. What practical impact does this legislative shift have on them now that Slovakia has taken the lead in cyber legislation?
The criteria for classification are outlined in two annexes to the law. The first lists sectors with a high level of criticality, while the second covers other critical sectors. These categories and the regulated services described within them may sound familiar, as they closely mirror the annexes of the NIS2 Directive.
Company size determination is consistent across the EU, including the Czech Republic (we covered this in more detail in this article, specifically in point 3). To navigate regulated services more easily, you can use the guidance, published by the Slovak NBÚ.
Are you a provider in Slovakia? Register!
If you conclude that you are a provider of regulated services, you must register with the Slovak NBÚ within 60 days of commencing the service (or from the amendment’s effective date). What does this mean in practice?
At the time of writing, Slovakia’s centralized cybersecurity information system has not yet been launched. This system is intended to serve as the primary communication tool with the Slovak NBÚ, including registration processes.
Until the portal is operational, companies are instructed to use a form available on the NBÚ website. This form can be submitted via email or through Slovakia’s electronic mailbox system (like the Czech Republic’s data mailbox system).
What information do you need for the registration form?
- The sector, sub-sector, and type of regulated service provider (as specified in the relevant decree). You can use the NBÚ’s online tool for guidance: Indikatívna pomôcka na určenie subjektu ako poskytovateľa základnej služby
- Company name, registered address, and contact details, including email addresses, public IP addresses, and phone numbers
- Whether you are an operator of a critical essential service
- Identification details of your cybersecurity manager
- A list of EU member states where you operate or provide services
- If you provide services related to public communication networks (e.g., DNS, TLD management, data centres), additional requirements will apply. In such cases, we recommend reviewing the obligations directly in the law.
Registration must be completed within 60 days from either the start of operations or the amendment’s effective date. The final deadline falls on Saturday, March 1. As a practical cutoff date, we recommend completing the registration by Friday, February 28.
How much time is left to register?
The law sets minimal obligations – is that really all?
The amendment does not introduce extensive obligations, especially compared to the Czech legal framework, which defines detailed requirements through decrees. Slovakia is expected to follow a similar approach, with additional obligations outlined in upcoming decrees. However, these have not yet been issued and are expected to be available by the end of Q1 2025.
Pár postřehů na závěr
We are not providers of regulated services in Slovakia – do we even need to care about this amendment?
Cybersecurity is about protecting your own security. You may also be preparing to comply with Czech regulations and decrees – or not. Does this mean you can completely ignore the Slovak legislation?
Even if you are not a regulated entity, Slovak customers may still require you to comply with cybersecurity standards. Cybersecurity clauses are increasingly common in public procurement contracts. In such cases, we recommend reviewing the scope of contractual obligations and negotiating with the contracting authority to limit them to the relevant aspects of the contract. Remember that cybersecurity requirements in these cases are tied to the regulated services of your client – meaning that the primary focus should be on securing assets essential to their operations.
