NIS2 in Slovenia: What Organizations Need to Know

January 07, 2025

NIS2 significantly expands cybersecurity requirements for Slovenian organizations. As someone who works closely with companies preparing for these requirements, I can tell you that the impact is far broader than most realize. The directive is not just an update to the original NIS directive — it is a fundamental rethinking of how the EU approaches cybersecurity regulation.

Who Is Affected

The scope of NIS2 is dramatically larger than its predecessor. In Slovenia, the directive is being transposed through the Zakon o informacijski varnosti (ZInfV), with URSIV serving as the competent authority.

  • Essential entities: Organizations in energy, transport, health, banking, water supply, and digital infrastructure. In Slovenia, this includes electricity distributors, hospital networks, major banks, and telecommunications providers.
  • Important entities: Manufacturing, food production, waste management, postal services, chemicals, and digital providers. Many Slovenian manufacturing companies that never considered themselves cybersecurity-relevant now fall under these requirements.
  • Supply chain requirements: Even if your organization is not directly in scope, you may be affected if you supply to essential or important entities. This has significant implications for Slovenia's extensive SME ecosystem.
  • Size thresholds: Generally, medium-sized enterprises (50+ employees or 10M+ EUR turnover) and large enterprises are in scope. Certain entities are covered regardless of size, including qualified trust service providers and DNS service providers.

Key Requirements

NIS2 mandates a comprehensive approach to cybersecurity risk management. Organizations must implement measures proportionate to the risks they face.

  • Risk management measures: A formal risk assessment process identifying threats, vulnerabilities, and potential impacts. This must be documented and regularly updated.
  • Incident reporting: An early warning to URSIV within 24 hours of a significant incident, full notification within 72 hours, and a final report within one month.
  • Supply chain security: You must assess cybersecurity risks in your supply chain, including direct suppliers and service providers.
  • Business continuity planning: Documented plans for maintaining operations during and after a cybersecurity incident.
  • Vulnerability handling: A structured process for identifying, documenting, and remediating vulnerabilities.

Penalties

The penalty framework is designed to ensure cybersecurity is treated as a board-level concern.

  • Essential entities face fines up to 10 million EUR or 2% of global annual turnover.
  • Important entities face fines up to 7 million EUR or 1.4% of global turnover.
  • Personal liability for management: Senior management can be held personally liable for failures to comply. Board members and executives who ignore cybersecurity risk do so at personal legal and financial risk.

The Slovenian Implementation Context

Slovenia's approach to NIS2 transposition has its own characteristics. URSIV has been developing implementation guidance, but many organizations report uncertainty about how requirements will be enforced locally. SI-CERT continues to play a critical role in incident coordination, complementing URSIV's regulatory function.

The intersection with ZVOP-2, Slovenia's GDPR implementation, creates additional complexity. Organizations processing personal data must ensure their cybersecurity measures satisfy both NIS2 and data protection requirements. The Informacijski pooblaščenec and URSIV have somewhat overlapping jurisdictions that organizations must navigate carefully.

Preparation Steps

Based on my experience helping Slovenian organizations prepare, I recommend the following approach.

  1. Determine if you are in scope: Review sector lists and size thresholds. If you supply to essential or important entities, you may have indirect obligations.
  2. Gap analysis: Compare your current security posture against NIS2 requirements. A penetration test gives you an honest assessment of actual security, not just documented security.
  3. Implement missing controls: Prioritize based on risk. You need a credible plan with timelines and resource allocation.
  4. Establish incident response: The 24-hour reporting requirement means you cannot figure out your process during an actual incident. Practice with tabletop exercises.
  5. Document everything: Compliance is about demonstrating controls, not just having them. Documentation of policies, risk assessments, and security testing is essential.

Vid Grosek

Ethical Hacker & Penetration Tester

I help Slovenian companies discover security vulnerabilities before attackers do. Over 5 years of penetration testing experience.
