Who Regulates Cyber-Security for Slovak Organisations? The NBÚ’s Expanding Authority
Slovakia’s approach to cyber regulation has reached a point of singular clarity. The Národný bezpečnostný úrad (NBÚ)-the National Security Authority-now serves as the legal backbone and practical guide for all things NIS 2 within the country. Gone are the days of partial measures, ambiguous notifications, or guesswork over which agency to contact: NBÚ defines not just the letter, but the workflow of national cyber-security. For any organisation operating in Slovakia-large, small, or somewhere in between-your first and final word on cyber compliance begins here.
Ambiguity disappears overnight when a nation points to a single, named authority responsible for your compliance journey.
The Evolving NBÚ Landscape and Ministerial Overlap
While NBÚ calls the shots, Slovakia’s regulatory fabric remains nuanced. Sector ministries-think Health, Finance, Energy-continue to carry weight, setting sector-specific rules for organisations under their direct influence. This dual structure means organisations may be answering to both the NBÚ and a sector ministry, especially on technical specifications, supplier risk, or reporting cadence. Overlap is now the operational norm; compliance teams must map how NBÚ’s baseline integrates with sector mandates.
The Transposition Solution: Act No. 366/2024 Coll.
Slovakia’s transposition of NIS 2-embodied in Act No. 366/2024 Coll.-removes any lingering grey zones. Effective from November 2024, this law brings the EU directive home, establishing black-and-white criteria by which organisations determine if they are “in scope”. The compliance universe for Slovak entities is now universal, explicit, and embedded in a single legislative act.
Suddenly, sector boundaries and one-off interpretations have no standing-the law is a named, testable reality.
Mapping Compliance: NBÚ First, Sectors Second
For most organisations, NBÚ is your daily compass-register there, file your incident, evidence your controls. In regulated sectors, however, you must dual-map expectations: NBÚ for the national big picture and your sectoral ministry for specialist requirements. Here, leadership teams must ensure their compliance matrix shows the correct split-a clear NBÚ primary column and a sector overlay column, with pathways and document flows tied to each authority.
Imagine an executive dashboard: at the top, the NBÚ, with key sectoral ministries branching underneath, all converging on your organisations first line of defence. Compliance now depends on having this dual-flow clearly mapped-a live reference for any director, auditor, or external regulator.
Book a demoHow Does CSIRT.SK Protect Slovak Businesses Day and Night?
When a cyber incident strikes in Slovakia, the response arc is immediate and transparent, thanks to the workhorse of the nation’s resilience framework: CSIRT.SK. Operating as Slovakia’s nationally mandated CSIRT under the NBÚ, this team is more than a technical service-it is the 24/7 orchestrator of incident response, escalation, and (perhaps most importantly) documentation compliance for every Slovak entity.
National resilience isn’t made in isolation-it’s stress-tested during live incident escalation.
Coordinating National Incident Response
The scope of CSIRT.SK extends well beyond triage. It is the primary gatekeeper for all notifiable incidents in Slovakia, managing the country’s interface with the EU’s CSIRT network and guaranteeing a clear escalation path from “potential risk” to “board-level crisis.” Where a cyber incident meets the threshold for regulatory attention, CSIRT.SK steps in – validating initial threat notifications, guiding evidence collection, managing preservation, and serving as the legal report recipient. This means compliance isn’t just a checkbox exercise; each incident is mapped, time-stamped, and logged through a national nerve centre.
Sector Nuance-And Escalation Architecture
The situation grows more complex for regulated sectors: healthcare, digital infrastructure, and energy operators often have their own sector-focused CSIRTs operating alongside CSIRT.SK. In these sectors, escalation architecture requires meticulous mapping; your playbook must detail the trigger points for both national and sector CSIRTs, evidenced by detailed logs of who was notified, what information was sent, and how the escalation protocol played out. Smart compliance teams pre-map this in their crisis management workflow, ensuring no ambiguity on who is responsible when the seconds count.
Boardroom Integration: Compliance Through the Crisis Lifecycle
It’s not enough for the CISO to know CSIRT.SK’s number; compliance now expects board-level directors to recognise, approve, and own the organisation’s crisis lifecycle. This means notification timelines, root cause investigations, and audit trails must be pre-aligned with CSIRT.SK’s requirements. Failure to integrate these steps is not just a technical risk-it’s a legal liability that can cost board members dearly.
Regulators now look for a live connection-a direct line-between national CSIRTs and executive responsibility.
Master NIS 2 without spreadsheet chaos
Centralise risk, incidents, suppliers, and evidence in one clean platform.
NIS 2 Law in Force: Legacy Security Alone Offers No Shield
Slovakia’s passage of Act No. 366/2024 Coll. forcibly resets the compliance field. What was once a realm of “suggested good practise” is now a regime of clear, obligation-driven law. Registration with NBÚ is now a statutory requirement for covered organisations, and every board member is brought into the spotlight, personally accountable for failures to meet NIS 2 expectations. The early compliance deadlines are real: March 2025 to register, and a phased compliance review horizon stretching through December 2026.
Registration, Action, and Real Deadlines
NBÚ registration is the first actionable hurdle. Missing the March 2025 deadline exposes organisations to direct regulatory review-with no more “grey zone” safe harbours. Covered entities must move beyond passive “wait and see” attitudes. Every CISO, data privacy officer, and operations director must be proactive-registration, gap analysis, and live process attestation all come before a regulator’s first inquiry.
Legacy Certifications: Not a Shield Against NIS 2
Certifications like ISO 27001, even when freshly framed, are explicitly not enough. NIS 2 demands operational proof: living SoA crosswalks, dynamic evidence, and daily board involvement. Your previous certificates must be re-mapped into the NIS 2 legal framework, as regulators and auditors will not accept legacy evidence as a shield. This legal reset disrupts complacency and rewards only those teams who operationalise the new requirements.
Certification is no longer a badge for the wall-it’s routine, demonstrable, in-the-moment evidence.
Early, Proactive Compliance: The Credibility Signal
Organisations that act early-registering, performing readiness checks, and embedding live attestation-send a message of credibility to auditors and partners alike. In the compliance economy, hesitation is risk, but early action is reputational currency.
What Risks Do Boards Face Under Slovakia’s Incident Reporting Regime?
Few changes in Slovakia’s cyber-security landscape are as significant for senior leadership as the new regime of personal, board-level accountability. The NIS 2 Directive (as codified in Act No. 366/2024 Coll.) doesn’t just make directors responsible for their organisation’s incident reporting; it makes them personally liable, with the real and present threat of statutory fines up to €10M or 2% of global turnover.
24-hour/72-hour Rule: Board-Level Accountability
Organisations must now report qualifying incidents to CSIRT.SK (or NBÚ) within 24 hours, update within 72 hours, and provide follow-up documentation-the clock starts ticking the moment an incident is detected. This is not a compliance afterthought; it is a regime where accountability travels from IT team detection, to CISO evaluation, to director sign-off-without interruption.
Board-Attested Evidence: From IT to Statutory Director
Documentation discipline must now rise to meet the new liability landscape. Gone are the days of unsigned paper logs-every incident, drill, or control change must be signed and timestamped by a named director. These digital traces form a core part of your “defendable spine” in the event of regulatory review. Any absence or ambiguity in this audit trail is no longer just a technical gap, but a legal vulnerability for your leadership team.
“Naming and Shaming” – The New Reputation Penalty
Beyond fines and statutory reprisal, the law now enables regulators to publish noncompliance-meaning missteps in reporting, escalation, or approval discipline risk being splashed across the public domain. For boards, this is a reputational risk no longer safely ignored.
In the spotlight, it’s better to be early, clear, and documented-than late, vague, and at risk.
Be NIS 2-ready from day one
Launch with a proven workspace and templates – just tailor, assign, and go.
Which Sectors Face Extra Scrutiny-and What Triggers Regulator Attention?
Sector nuance defines the new NIS 2 reality in Slovakia. Who you are matters as much as what you do: sectors like healthcare, energy, and digital infrastructure are under specific, elevated obligations-both in compliance burden and proof requirements.
Healthcare: Live-Drilled Resilience
Healthcare entities face compulsory “live” resilience-meaning, not just policies on paper, but real, evidenced continuity drills, board-level reviews, and documented cross-sectoral coordination. The law’s baseline expectations are compounded by ministry mandates, and failure in a single dimension escalates risk for the entire chain.
Energy: ICS Controls and Borderless Playbooks
Energy sector operators must choreograph intricate compliance routines that map not just national norms, but EU-level and sectoral ministry demands. Documentation of industrial control systems (ICS), incident playbooks, and mapped escalation routes must be accurate and available-any gap is a regulatory tripwire.
Digital Service Providers: Coordinating Authorities
Digital providers-including cloud, managed services, and digital infrastructure-face overlapping regulatory authorities. In practise, this requires clear compliance maps showing lines of duty for each business segment, with supply-chain and partner evidence joined-up for every service line. Failure of documentation or gap in reporting in a single area draws scrutiny across the entire operation.
Sectoral authorities care most about what’s most fragile; boards must know exactly where their greatest external risks lie.
Audit-Ready Table for Compliance Operations:
| Expectation | Real-World Actions | ISO 27001 / Annex A Reference |
|---|---|---|
| Drill, continuity logs, and approvals ready | Maintain drill/test schedule, board review | A.5.29, A.5.30 |
| Incidents board-approved, timed, and logged | Timed reports, digital signatures | A.5.24, A.5.27 |
| Supply chain and partner linkage mapped | Central audit of partner risk, supply evidence | A.5.19, A.5.20 |
What Evidence Do Auditors Require? The ISO Bridge Is Necessary, Never Sufficient
For compliance leaders in Slovakia, understanding what auditors now demand is central to success. Gone is the era when an ISO certificate or audit sign-off was the endgame; today, compliance is proven only through live, mapped, and role-attributed evidence, maintained continuously and responsive to both NBÚ law and ISO control requirements.
What Auditors Want to See
- Living SoAs: Real-time evidence chains mapped to every control, with digital approval signatures-not just static PDFs.
- Evidence Chains: Board-level sign-off on incidents, drills, supplier reviews, and risk updates, all signed and timestamped.
- Compliance Mapping: Up-to-date crosswalks between NIS 2-specific reporting and legacy policies, with supporting operational files and logs. External auditors will want to see the story from incident to board response, fully joined and attributed.
ISMS.online-Mapping the NBÚ/SK-CERT Evidence Chain
ISMS.online automates this mapping. The platform generates Slovak-optimised evidence templates, phased multi-tier sign-off, and dynamic SoA links-from each incident, control, or supply chain review, through to real-time board-level attestation (isms.online). This means your compliance posture becomes routine, defensible, and always audit-ready.
ISO 27001 Bridge Table
| Expectation | Real-World Actions | ISO 27001 / Annex A Reference |
|---|---|---|
| Board sign-off | Digital approval, timestamped logs | A.5.24, A.5.27 |
| Supply chain mapped | Due diligence, evidence traced | A.5.19, A.5.20 |
| Incidents registered | Log/traceable workflow | A.5.25, A.5.26 |
Traceability Mini-Table-From Trigger to Evidence
| Trigger | Risk Update | Control / SoA Link | Evidence Logged |
|---|---|---|---|
| Major incident notification | Update risk register | A.5.24 (SoA: “INC”) | Registered, board-signed incident log |
| New sector regulation | Update policy/control | A.5.25 (SoA: “LAW”) | Policy update, board-minuted approval |
| Third-party supplier breach | Supplier risk review | A.5.19, A.5.20 (SoA: “SUP”) | Audit report, mapped supplier trace |
| Change in supplier risk status | Supplier risk update | A.5.20 (SoA: “SUPRISK”) | Updated risk register, review log |
| Annual policy attestation | Update evidence table | A.5.36 | Board-attested policy minutes |
Only organisations who can surface direct, live evidence for each operational risk prove true compliance.
All your NIS 2, all in one place
From Articles 20–23 to audit plans – run and prove compliance, end-to-end.
What Are the Most Common Compliance Pitfalls-and How Do You Avoid Them?
Experienced compliance professionals in Slovakia recognise that the devil of NIS 2 is not embedded in technical controls or paperwork, but in operational realness. Teams stumble most when they treat compliance as an annual snapshot rather than a living, daily pulse.
Hidden Danger Zones
- Missed notification windows: Internal confusion over escalation responsibility.
- Supplier risk drift: Outdated risk reviews after contract or threat changes.
- Legacy audits as proof: Certificates saved but never mapped to real-time operations.
The Success Pattern: Live Drills, Board Logs, Dynamic Mapping
The best practitioners run real drills, maintain dynamic role-maps, and use platforms built for live NIS 2/CSIRT workflows. Policy reviews and risk checks become routine, mapped events-part of the business calendar, not retro-waved at audit time. Documentation isn’t a trailing indicator; it’s an operational asset.
Compliance Traceability Table
| Trigger | Required Action | Control Link | Evidence Example |
|---|---|---|---|
| Detected incident | Log, escalate, notify | A.5.24–A.5.27 | Timestamped incident and decision log |
| Third-party risk event | Supplier risk review | A.5.19–A.5.20 | Updated SoA, mapped update |
| Annual policy review | Director sign-off | A.5.36 | Board review minutes, attestation record |
| Supplier risk status change | Updated risk record | A.5.20 | New risk entry, signed review |
| Management review | Audit/SoA refresh | A.5.35, A.5.36 | Audit cycle minutes, evidence crosswalk |
Routine wins: Make your compliance rhythm visible, mapped, and attributed-evidence is your only insurance.
Ready to Prove Slovak NIS 2 Compliance? Operationalise with ISMS.online Now
NIS 2 compliance in Slovakia is not a once-a-year achievement but a regulated, board-attested process-mapped in law, demanded at every deadline, and stress-tested in daily routines. ISMS.online is engineered to operationalise every part of this framework, powering leading healthcare, energy, and digital sector entities to registration, audit, and attestation with mapped, sector-specific templates (isms.online).
Why ISMS.online: Action, Mapping, Attestation
- Sector-Calibrated Templates: Map NBÚ and sectoral ministry requirements into standardised workflows; real-world evidence mapped with no manual overlay.
- Timed, Attributed Reviews: Build a compliance record that captures who signed, when, on what evidence; every audit-ready trace is role-attributed and time-stamped.
- Dynamic Evidence Packs: Tailored evidence collections reflect your board, sector, and regulator’s exact needs-timeline dashboards show every upcoming milestone.
Picture a compliance timeline: NBÚ registration → completed gap analysis → monthly evidence rhythm → documented management/board reviews → sector-specific or March 2025 milestone → final December 2026 lock date. In healthcare, energy, and digital sectors, evidence cycles become the backbone of a resilient compliance programme-timed, tuned, and defensible.
What you log today, you’ll defend to a regulator tomorrow-compliance is your living business card.
Act Ahead-And Win Reputation, Not Just Avoid Penalties
With ISMS.online, operational compliance happens before the deadline, not during a crisis. Our platform helps you surface compliance routines for healthcare and energy war rooms or digital platform board reviews, ensuring all critical milestones are met and each stakeholder-board, regulator, or partner-sees your evidence, not your excuses.
The next compliance step your team takes will shape your reputation for years ahead. Book a compliance war room consult or request a Slovak NIS 2 action plan-see how mapped, board-ready evidence cycles transform trust with regulators in 2025 and beyond.
Book a demoFrequently Asked Questions
Who is Slovakia’s NIS 2 authority, and how does this reshape compliance and legal risk for your organisation?
The Národný bezpečnostný úrad (NBÚ) is Slovakia’s designated National Competent Authority (NCA) under NIS 2, wielding the core statutory power to oversee compliance, cyber incident reporting, and all evidence filings for regulated sectors. This isn’t just a bureaucratic update-it redefines your daily obligations: every regulated organisation (from digital service providers to hospitals and energy districts) is now legally required to register with NBÚ, submit incident reports, and maintain ongoing digital evidence directly through this central portal (European Commission – NIS2 Slovakia). Sector ministries (e.g., Health, Transport) still add their own rules, but these do not override NBÚ’s primacy: if a compliance gap, missed filing, or unsigned evidence log occurs, the NBÚ is the statutory authority that issues penalties and triggers audits-making registration and compliance a non-negotiable legal channel, not simply another IT checklist. Missing NBÚ mandates exposes both organisations and executives to fines, board-level scrutiny, and even public naming for severe failings.
What practical changes should you expect?
- All registration, incident notifications, and routine cyber filings now route through a single NBÚ digital portal.
- NBÚ sets explicit, non-negotiable deadlines and reporting formats for evidence and incident filings.
- Interactions with sector ministries supplement requirements but never replace NBÚ’s oversight or signature demands.
- Any audit or regulatory inquiry will be mapped directly against your NBÚ submissions, and documentation gaps result in immediate non-compliance findings-risking both financial and reputational penalties.
What is CSIRT.SK’s (SK-CERT) exact role, and what makes their incident reporting model non-negotiable for Slovak NIS 2 entities?
CSIRT.SK acts as Slovakia’s central Computer Security Incident Response Team under NIS 2-authorised by law, operating under NBÚ supervision, and recognised by ENISA (SK-CERT official – About Us). Their role: receive, timestamp, and triage all serious cyber incidents, enforce incident reporting deadlines, and ensure audit-ready logs. For any breach, attack, or outage that could impact essential services or regulated infrastructure, the first and only statutory escalation point is SK-CERT-not your local IT desk or sector-specific CSIRT (if one exists). The law mandates:
- An alert to SK-CERT within 24 hours of discovering an incident, followed by a detailed technical and business impact report within 72 hours.
- Use of SK-CERT’s digital reporting and submission templates; sector CSIRTs may help, but cannot override or replace SK-CERT’s process.
- Digitally signed, timestamped communications by a statutory representative-informal escalations or IT-only logs aren’t legally valid.
Regulators cross-check SK-CERT’s submission history against your audit trail. A single missed, late, or unsigned alert can trigger fines, public notices, or management-level enforcement.
Every major security event must pass through the same channel – SK-CERT is the audit-proof ledger for your crisis response.
When did Slovakia implement NIS 2-and what are your new compliance milestones and hard deadlines?
NIS 2 became Slovak law with the promulgation of Act No. 366/2024 Coll. in November 2024, taking full effect from January 1, 2025 (CyberUpgrade: NIS 2 Slovakia). Here’s what your compliance timeline must look like:
| Deadline | Required Action | Non-compliance Risk |
|---|---|---|
| March 2025 | NBÚ (re-)registration | Flagged audit, instant legal exposure |
| Jan–Dec 2026 | Living control & evidence reviews | Legacy certs invalid; evidence must update |
| Ongoing | 24/72-hour incident filing | Every lapse traceable by NBÚ/SK-CERT |
Every organisation in scope-essential or important-must register with NBÚ and keep evidence chain up to date for all controls, incidents, and asset changes. Prior ways of presenting annual certifications or static policies will not survive an NBÚ or SK-CERT review. Every event, risk, and audit finding is timestamped against the new law.
What new legal duties now rest directly on Slovak boards and executives under NIS 2? What is your liability if these are missed?
NIS 2 in Slovakia assigns personal legal responsibility to board members and statutory executives for all cyber compliance failings (Lansky & Partners – Amendment Analysis). This means every major incident notification, risk, and supplier control must not only be logged, but also digitally signed by a statutory official. Missed registration, unsigned incident or risk logs, or any reporting errors may result in:
- Fines up to €10 million or 2% of global turnover; these penalties are organisation-wide, but boards may be publicly named (Havel Partners – 2025 Cyber Obligations).
- Board-level and personal reputation risk for “material non-compliance”-NBÚ and CSIRT.SK audits are now public.
- Mandatory evidence of board sign-off, verified by digital timestamp, for each critical control, incident, and compliance submission.
Boardroom compliance has shifted from annual paper reviews to “rolling” oversight-NBÚ can audit at any time, and leadership must ensure proof chains are real-time, digitally attributed, and role-mapped.
Every digital signature and timestamped record is both a shield and a chain of accountability-a single unlogged incident now creates instant legal exposure.
Which industries face the most severe compliance traps under NIS 2 in Slovakia, and what are their sector-specific pitfalls?
Immediate compliance pressure bears down on healthcare, energy, and digital services, each with unique structural risks:
| Sector | Unique Compliance Stress Points | Most Common Audit Gaps |
|---|---|---|
| Healthcare | Ageing IT, incomplete cross-ministry drills | Unsigned board records, failed incident logs |
| Energy | OT/IT alignment, cross-border audits | Siloed risks, supplier review deficits |
| Digital | NBÚ/EU dual oversight, asset volatility | Outdated policy maps, missed incident filings |
- Healthcare: is especially vulnerable due to legacy systems and thinly stretched teams-the standard for “participation” (cross-ministry drills) is now routine, not annual. The lack of digitally signed, time-linked evidence logs is a top cited failure (ITPro: NIS2 Compliance Struggles).
- Energy: organisations must show every operational risk links directly to IT-side evidence and supply chain review-otherwise, audits expose disconnected controls and international compliance flags.
- Digital providers: are uniquely accountable to both Slovak and EU authorities; asset changes, incidents, and staff onboarding must be mapped in near real time, as dual audits may audit months apart using the same NBÚ evidence base (Platform of Invention: NIS 2 Impact).
How does ISO 27001 fit under Slovak NIS 2-and what forms of evidence must you actually show auditors?
ISO 27001 remains foundational for risk management, but Slovak NBÚ and SK-CERT auditors expect dynamic, mapped digital evidence for every control-certificates or policies alone no longer suffice (Lex Mundi – Slovakia Guide). Auditors now require:
ISO 27001/NIS 2 Evidence Table
| Expectation | Operational Step/Clause | Required Evidence |
|---|---|---|
| Board sign-off | SoA/Clause A.5.7, Board review 9.3 | Timestamped, digitally signed registers |
| Supply chain proof | Clause A.5.19, A.5.21 (supplier) | Role-attributed, up-to-date review logs |
| Incident linkage | A.8.8 (vuln mgmt), A.5.29 (BCM) | Cross-mapped incident/policy/audit logs |
Traceability Example
| Trigger | Risk Update | Control/SoA Link | Evidence Logged |
|---|---|---|---|
| Malware hit | Asset log, risk update | A.8.8, A.5.29 | Board minutes, SoA update |
| Supplier | Third-party risk surge | A.5.21, A.5.20 | Supplier review, SoA crosswalk |
Cloud reports or stale certifications are explicitly rejected as sole evidence. Instead, mapped, role-attributed event chains-living audit logs, signed and timestamped by responsible leaders-are now mandatory.
A board that can’t trace every risk to a logged, signed, digital record is gambling with the organisation’s licence to operate.
Which compliance errors and pitfalls most often trigger audit failures and fines-and how does a platform like ISMS.online help prevent them?
The most frequent root causes of failed audits and regulatory fines in Slovakia:
- Missed or unsigned incident reports: Incomplete digital signatures from statutory representatives invalidate the organisation’s legal reporting, creating instant risk.
- Gaps in supplier and third-party evidence mapping: Unlinked controls weaken the integrity of supply chains, and missing audit logs cost contracts and reputation.
- Static or theoretical evidence: Relying on certificates, periodic PDFs, or once-a-year logs will fail modern NBÚ audits; continuous, real-time, workflow-integrated records are now demanded.
How modern compliance platforms enable success:
Platforms such as ISMS.online automate registration, asset and incident mapping, and continuous evidence assignment, ensuring logs are digitally attributed and signed by statutory leaders. Role-specific evidence assignment, automatic deadline reminders, and real-time reporting flows make audit failures a vanishing exception, not the rule. Your organisation benefits by aligning workflows to evolving Slovak legal and sectoral requirements-proving every compliance event is mapped, attributed, signed, and ready for instant review.
How does ISMS.online support real-time audit readiness and continuous Slovak NIS 2 compliance for all sectors?
ISMS.online provides mapped task journeys, digital evidence templates, and compliance dashboards synced to Slovak NIS 2 obligations. Teams can manage NBÚ/CSIRT registration, asset tracking, risk logs, policy mapping, and incident reporting in a unified environment-ensuring that every event is role-assigned, timed, and stored in a legally compliant format ((https://www.isms.online/)).
- Dynamic evidence packs update automatically after every asset, policy, or incident change, guaranteeing no audit gaps.
- Board sign-offs are captured directly within workflow events; evidence assignment is always aligned with NBÚ and sectoral templates.
- Automated reporting and evidence logs push regulatory trust up and compliance stress down, transforming compliance from a last-minute scramble into a continuous posture of resilience.
Move from scramble to certainty: With ISMS.online, compliance leaders and executives gain a “living ledger” that always stands ready for review-from the NBÚ, CSIRT.SK, sectoral authorities, or the board itself.
Modern compliance leadership means never gambling on a paper trail-a digital, attributed chain is now your business’s best defence and trust signal.
