Current status of implementation

The Slovak Act implementing the NIS Directive will come into effect on 1 January 2018 (please note that the Bill is in the early stages of legislative procedure).

Implementation Act

The New Act on Cyber security amending further Acts: the Act No. 145/1995 Coll. on Administration Fees as amended; the Act No. 73/1998 Coll. on the State Service of the Police Corps, the Slovak Information Service, the Prison and Judicial Guards of the Slovak Republic and the Rail Police as amended; the Act No. 319/2002 Coll. on the Defence of the Slovak Republic as amended; the Act No. 321/2002 Coll. on the Armed Forces of the Slovak Republic as amended; the Act No. 553/2003 Coll. on the remuneration of some employees in the performance of their work in the public interest as amended; the Act No. 215/2004 Coll. on the protection of classified information as amended; the Act No. 45/2011 Coll. on Critical Infrastructure as amended; and the Act No. 55/2017 Coll. on State Service as amended.

Determination of operators of essential services (Art. 5 NIS)

The Bill defines operators of essential services as public authorities, legal persons or sole traders operating the essential services; each administrator of public information systems is also entered in the register of operators of essential services. The operators of essential services will be identified in the following sectors: a) banking; b) supply and distribution of drinking water; c) transport; d) digital infrastructure; e) energy; f) chemical industry; g) finance; h) public administration/government; i) electronic communications; and j) health.

Reporting obligations

Operators of essential services must notify any incident with significant impact without undue delay (via a single cyber security information system). If the operator of essential services uses an operator of digital services to provide the essential services, the obligation to notify any incident with significant impact is transferred to that operator of digital services, which will then be responsible for the notification (Sec. 24).

A digital service provider is obliged to notify any security incident, regardless of the impact (Sec. 25).

The Bill also permits voluntary reporting of security incidents (Sec. 26).

Sanctions regime

The authority can impose a fine of between EUR 100 and EUR 5,000 on a natural person.

The legal entity/operator of the essential services or a digital service provider may be sanctioned and fined between EUR 300 and 1% of annual turnover (provided it does not exceed EUR 300,000).

The authority will also be authorised to impose fines of between EUR 300 and EUR 100,000 on anyone who does not provide the required information relating to the national cyber security strategy.

When determining the amount of fines, the authority will take into account the seriousness of the administrative offense/tort, in particular the manner of committing it, the duration, consequences and circumstances in which it was committed (Sections 30 and 31).

Competent authorities

The National Security Authority is responsible for cyber security. The Authority, as the central government body, is governed by several acts in the performance of its duties (e.g. the Constitution of the Slovak Republic, legally binding acts of the European Union, international treaties binding the Slovak Republic, laws and other generally binding legal regulations, resolutions of the Government of the Slovak Republic, its status and organisational regulations and other internal regulations of the Authority). The Authority is also the single point of contact for national security.

Jurisdictional applications

If a digital service provider or its representative is seated in or providing its services in the Slovak Republic, then Slovak laws are binding (Sec. 23).

Remarks (if any)

It is clear that every company doing business in critical sectors and providing targeted services will need to reflect the requirements of the NIS Directive in its systems and processes.

Even the Authority, as one of the "creators" of the Bill, has acknowledged a negative impact, especially on small and medium-sized enterprises.

The intention is clear: to unify and ensure a high level of network security and information systems across the European Union.

Last reviewed 28.02.2018