Blog

NIS2 Directive

29. apr 2024

The NIS2 Directive is a legislative instrument of the European Union (EU) focused on improving cybersecurity across the entire Union. This directive is an important part of the EU’s efforts to strengthen resilience and response capabilities against cyber threats that may affect critical information infrastructures, such as energy networks, healthcare systems, financial services, and others. The NIS2 Directive introduces enhanced cooperation and information sharing among EU Member States in order to improve responses to cyber threats and increase the resilience of the Union as a whole.

Each EU Member State is required to transpose this directive into its national legislation no later than 18 October 2024. Slovakia is implementing it through an amendment to Act No. 69/2018 Coll. on Cybersecurity. According to available information, the amended Act is expected to enter into force on 1 January 2025.

The NIS2 Directive significantly expands the number of entities to which it applies. Entities will now be classified as essential (key) and important entities. Based on this classification, they will be required to apply and implement appropriate security measures. The NIS2 Directive lists all sectors and subsectors that must comply with this European cybersecurity regulation. The list is provided at the end of this article.

The directive is mandatory for public or private entities in the specified sectors or subsectors if they meet the following criteria:

50 or more employees and an annual turnover of at least €10 million or a balance sheet total of more than €10 million.

The directive also applies to certain entities that do not meet these criteria; in other words, the size and turnover of the entity are not always decisive.
These include:

1. Services operating as:

providers of public electronic communications networks,
providers of publicly available electronic communications services,
providers of confidential services,
registries of top-level domains.

2. Entities whose service disruption could have a significant impact on public order.

3. Entities whose service disruption could represent a significant systemic risk.

4. Entities that are dependent on a sector in a Member State.

5. Public administration entities.

You can verify whether your organization falls under the scope of NIS2 directly in the registers of the National Security Authority (NBÚ).

The NIS2 Directive will also automatically apply to all entities already registered as Operators of Essential Services and Digital Service Providers.

The list of sectors falling under NIS2 and their classification is based on information obtained from publicly available presentations of the National Security Authority and the Cybersecurity Competence and Certification Centre. Sectors marked in red indicate newly added sectors. The classification of entities as essential or important may not be final.

Act No. 69/2018 Coll.	NIS Directive 1.0	NIS Directive 2.0
Act No. 69/2018 Coll.	NIS Directive 1.0	essential entities	important entities
banking	banking	banking
transport	transport	transport
digital infrastructure	digital infrastructure		digital service providers
electronic communications
energy	energy	energy
financial market infrastructures	financial market infrastructures	financial market infrastructures
postal services			postal and courier services
industry			manufacture and distribution of chemicals
			manufacture of computer, electronic, and optical products
			manufacture of machinery and equipment
			manufacture of motor vehicles
			manufacture of transport equipment
water and atmosphere
supply and distribution of drinking water	supply and distribution of drinking water	supply and distribution of drinking water
public administration		public administration
healthcare	healthcare	healthcare	medical manufacturing
		wastewater	waste management
		ICT service management	production, processing, and distribution of food
		space	research

RNDr. Daniel Schikor

Cybersecurity Manager