On January 1, 2025, Act No. 366/2024 Coll. (the “Amendment”), which amends Act No. 69/2018 Coll. on Cybersecurity, as amended (the “Cybersecurity Act”), became effective.

The Amendment transposes into Slovak law Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, the so-called NIS 2 Directive.

First of all, the Amendment extends the scope of the Cybersecurity Act to a wider range of entities required to comply with cybersecurity rules.

As also the Explanatory Memorandum provides, providers (operators) of essential services are now categorized based on their importance as critical essential service providers and other providers of essential services.

In line with the NIS 2 Directive, the Amendment also introduces an entity size criterion (“size-cap rule”) for determining the entities falling within the scope of the Cybersecurity Act (entities which qualify as medium-sized enterprises or entities exceeding the ceilings for medium-sized enterprises). However, the Cybersecurity Act regulates also other entities, regardless of their size, provided they are so-called critical entities or meet the statutory criteria.

An entity that identifies itself as an essential service provider is required to notify the National Security Authority of this fact within 60 days by filling out a form in the Central Government Portal; the Authority thereafter registers the entity in the Register of Essential Service Providers.

In order to make it easier for an entity to determine whether it is an essential service provider, the National Security Authority has prepared an online tool, which is available in the Slovak language at the following link: