Current status of implementation


The NIS Directive has not been implemented in Slovenia yet. A draft law has been prepared and is going through the legislative process. On 8 September 2017 the Ministry of Government Administration (MJU) published a draft of the Act on Information Security, which will transpose the NIS Directive into national legislation. The draft law is currently in governmental proceedings. Once the text is agreed at governmental level, it will be sent to the National Assembly for adoption.

Implementation Act


The Act on Information Security (draft bill). 

Determination of operators of essential services (Art. 5 NIS)

Pursuant to Art. 5 of the NIS Directive, the draft bill specifies the criteria to identify operators of the following essential services: a) energy, b) digital infrastructure, c) water management and distribution, d) healthcare, e) transportation, f) banking, g) financial markets infrastructure, h) food supply and i) environmental protection. Operators of essential services can be legal persons, entrepreneurs or public bodies, which (i) operate one of the essential services listed above (further described by a Government Ordinance to be adopted in 6 (six) months following the adoption of the Information Security Act); and (ii) are designated as such by the competent national authority (i.e. the “Slovenian Information Security Administration”).

Reporting obligations


Pursuant to the draft bill, operators of essential services must immediately report to the competent authority (National Computer Security Incident Response Team - "National CSIRT") any security incident that has a significant impact on the provision of essential services.

The draft bill also foresees the same obligation for providers of digital services that provide such services in the EU and for state administration authorities.

Sanctions regime


Article 38 of the draft bill provides for fines in misdemeanour proceedings from EUR 500 to EUR 10,000 for medium and large companies, in particular in the following cases:

Operators of essential services

  • fail to properly designate a point of contact in a timely manner
  • fail to implement appropriate technical and organisational measures to prevent disruptions of availability etc.
  • fail to properly report a security incident
  • fail to properly implement a decision of the competent national authority.

Article 39 of the draft bill provides for fines in misdemeanour proceedings from EUR 10,000 to EUR 50,000 for medium and large companies and from EUR 500 to EUR 10,000 for other companies, in particular in the following cases:

Providers of digital services

  • fail to implement technical and organisational measures to tackle risks to the security of network and information systems
  • fail to properly report a security incident.

Article 40 of the draft bill provides for fines in misdemeanour proceedings from EUR 200 to EUR 2,000, in particular in the following cases:

The responsible person of the state administration authority

  • fails to implement appropriate technical and organisational measures to prevent disruptions of availability
  • fails to properly report a security incident
  • fails to properly implement the decision of the competent national authority.

Competent authorities

The Slovenian Information Security Administration (Uprava RS za informacijsko varnost) and the National CSIRT, a national response centre primarily responsible for examining security incidents, are the competent authorities. The draft bill also provides for the establishment of the state administration authorities' CSIRT. The Slovenian Information Security Administration operates under the authority of the Ministry of Government Administration. Such authorities will commence operating on 1 January 2019.

Jurisdictional applications

The draft bill contains no explicit jurisdictional provisions, except in one case: according to Article 6 para. 2, the Slovenian Information Security Administration must consult with the respective EU member state before issuing its decision regarding the designation of a certain operator of essential services, if the operator provides essential services in the Republic of Slovenia as well as in another EU member state.

Remarks (if any)

The proposed draft bill is the first of its kind in the field of cyber security in Slovenian legislation. Nonetheless, some progress in this field was made in 2016 when the Government adopted the Cyber Security Strategy, which outlined future policy and measures relating to cyber security. In April 2017, the Government also adopted a decision temporarily granting the operational tasks in the field of cyber security to the Office of the Government of the Republic of Slovenia for Protection of Classified Information. The Office will retain this jurisdiction until 1 January 2019, when the Slovenian Information Security Administration and the respective CSIRT will begin operating, as proposed under the draft bill.


Last reviewed 28.02.2018