The Slovak Act implementing the NIS Directive will come into effect on 1 January 2018 (please note that the Bill is in the early stages of legislative procedure).
The new Act on Cyber Security also amends further Acts: the Act No. 145/1995 Coll. on Administration Fees as amended; the Act No. 73/1998 Coll. on the State Service of the Police Corps, the Slovak Information Service, the Prison and Judicial Guards of the Slovak Republic and the Rail Police as amended; the Act No. 319/2002 Coll. on the Defence of the Slovak Republic as amended; the Act No. 321/2002 Coll. on the Armed Forces of the Slovak Republic as amended; the Act No. 553/2003 Coll. on the remuneration of some employees in the performance of their work in the public interest as amended; the Act No. 215/2004 Coll. on the protection of classified information as amended; the Act No. 45/2011 Coll. on Critical Infrastructure as amended; and the Act No. 55/2017 Coll. on State Service as amended.
Operators of essential services must notify any incident with significant impact without undue delay (via a single cyber security information system). If the operator of essential services uses an operator of digital services to provide the essential services, the obligation to notify any incident with significant impact is transferred to the operator of the digital services, who will be responsible for this notification (Sec. 24).
A digital service provider is obliged to notify any security incident, regardless of the impact (Sec. 25).
The Bill also permits voluntary reporting of security incidents (Sec. 26).
The authority can impose a fine on a natural person of between EUR 100 and EUR 5,000.
The legal entity/operator of the essential services or a digital service provider may be sanctioned and fined between EUR 300 and 1% of annual turnover (provided it does not exceed EUR 300,000).
The authority will also be authorised to impose fines between EUR 300 and EUR 100,000 on anyone who does not provide the required information relating to the national cyber security strategy.
When determining the amount of fines, the authority will take into account the seriousness of the administrative offense/tort, in particular the manner of committing it, the duration, consequences and circumstances in which it was committed (Sections 30 and 31).
It is clear that every company doing business in critical sectors and providing targeted services will need to reflect the requirements of the NIS Directive in their systems and processes.
Even the Authority, as one of the "creators" of the Bill, has acknowledged a negative impact, especially on small and medium-sized enterprises.
The intention is clear: to unify and ensure a high level of network security and information systems across the European Union.
Last reviewed 28.02.2018