
New Cybersecurity Act: Expanded Regulation and Obligations for Operators of Essential Services.

On 1 January 2025, the new Act No. 69/2018 Coll. on Cybersecurity and on Amendments and Supplements to Certain Acts (“Cybersecurity Act”) entered into force in Slovakia. This Act transposes Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive). This legislation significantly expands the range of entities subject to cybersecurity obligations. Companies and organisations operating in regulated sectors should pay close attention to whether they fall under the definition of Operators of Essential Services (OES), as this status entails new requirements and regulatory measures.

Who is considered an Operator of Essential Services?

The new Cybersecurity Act introduces rules for identifying OES, with an exhaustive list of entities provided directly in Section 17(1) of the Cybersecurity Act.

In determining whether an entity falls under the scope of the new Cybersecurity Act, the key factor is whether it qualifies as an OES, even though the Cybersecurity Act does not explicitly define the term “essential service.”

With the entry into force of the new Cybersecurity Act, an OES is considered to be any organisation operating in sectors critical to the functioning of the economy and society as defined in Annexes 1 or 2 of the Cybersecurity Act and meeting specific size criteria. These sectors include energy, transport, finance, healthcare, water management, digital infrastructure, public administration, space technologies, postal and courier services, waste management, chemical production, food industry, and research.

The decisive factor is whether the business meets the size criteria — specifically, whether it qualifies as a medium-sized or large enterprise. A medium-sized enterprise employs fewer than 250 employees and has an annual turnover or balance sheet total not exceeding EUR 50 million. A large enterprise employs 250 or more employees and has an annual turnover or balance sheet total exceeding EUR 50 million. Conversely, micro-enterprises (with fewer than 10 employees and turnover under EUR 2 million) and small enterprises (fewer than 50 employees and turnover under EUR 10 million) are generally excluded from this regulation.

The term “enterprise” refers to any entity engaged in economic activity, regardless of its legal form (e.g., sole traders, family businesses, partnerships, associations).

A second key criterion is whether the business carries out any of the activities listed in Annexes 1 or 2 of the Cybersecurity Act:

  • Annex 1 specifies sectors with a high level of criticality (e.g. energy – generation, transmission, distribution, supply, or trade of electricity; rail transport – responsible for the establishment, management, and maintenance of railway infrastructure, including traffic control; healthcare – healthcare service providers).
  • Annex 2 covers other critical sectors (e.g. production, processing, and distribution of food, manufacturing of motor vehicles, trailers, and semi-trailers).

The regulation also applies to enterprises regardless of size if they perform any of the activities specified in Annexes 1 or 2 and simultaneously carry out activities defined under Section 17(1)(c) of the Cybersecurity Act.

The Cybersecurity Act also eliminates the distinction between Operators of Essential Services and Providers of Digital Services, creating a unified regulatory framework. OES are further categorised into two groups:

  • Key Entities – operating critical essential services.
  • Important Entities – other operators of essential services.

New Obligations for Operators of Essential Services

Companies that qualify as OES must comply with strict cybersecurity requirements:

  • Obligation to notify the NSA by 3 March 2025 – If an organisation carries out activities under Section 17(1) of the Cybersecurity Act, it must notify the National Security Authority of the Slovak Republic (NSA) within 60 days of commencing such activities; the deadline therefore expires on 3 March 2025 (Section 17(2)). Failure to comply may result in sanctions.
  • Obligation to adopt and implement security measures – Within 12 months of registration in the OES registry, the organisation must adopt, comply with, and implement general security measures, at a minimum in the scope defined under Section 20 of the Cybersecurity Act, to ensure cybersecurity and resilience (Section 19(1)).
  • Obligation to report changes to registered data – Any changes to registered data (excluding reference data) must be reported to the NSA via the Unified Cybersecurity Information System within 14 days of the change (Section 17(6)).
  • Obligation to notify the commencement of critical essential services – The organisation must notify the NSA when it starts any activity classified as a critical essential service (Section 18(2)).
  • Obligation to report third-party agreements on security measures – If the organisation enters into an agreement with a third party for the implementation of security measures or notification obligations, it must inform the NSA, including any subsequent termination of such agreements (Section 19(7)).
  • Obligation to report major cybersecurity incidents – The organisation must report any major cybersecurity incident to the NSA in accordance with deadlines set by law (Section 24(1)).
  • Obligation to implement and regularly review security measures – The organisation must implement technical and organisational measures to manage cybersecurity risks, regularly review and update them, and ensure compliance with applicable security standards.
  • Obligation to secure supply chains – The organisation must ensure that its suppliers and partners meet the required cybersecurity standards.

Sanctions for Non-Compliance

Non-compliance with these obligations can lead to serious consequences. Penalties for failing to notify the NSA of OES status or for not implementing required security measures can reach up to EUR 10 million or 2% of the company’s annual global turnover. In cases of repeated or intentional breaches, the NSA may impose further administrative measures, including bans on certain sector activities.

The new Cybersecurity Act represents a significant shift in Slovakia’s cybersecurity regulation. Its aim is to enhance the resilience of companies against increasing cyber threats and ensure the stability of critical services. While the new obligations may pose challenges, they ultimately strengthen the protection of sensitive data and digital infrastructure, improving the security of the overall ecosystem.

It is therefore essential for businesses to act promptly and ensure compliance with the new rules to avoid penalties and safeguard their operations.


If you have any questions, feel free to contact us at office@hkv.sk. Our team of experts is ready to assist you with any inquiries.