
NIS2 in Slovakia — transposition status and what’s changed

Slovakia transposed NIS2 via Act No. 366/2024 Coll., adopted by the National Council on 28 November 2024, published in the Collection of Laws on 19 December 2024, and in force from 1 January 2025. Act 366/2024 amends the existing Cybersecurity Act 69/2018 (Zákon o kybernetickej bezpečnosti) rather than replacing it. The amendment brings over 10,000 Slovak organisations into scope, with JISKB national-register enrolment due by 1 March 2025 and full compliance deadlines through 31 December 2026. The supervisory authority is the National Security Authority (NBÚ — Národný bezpečnostný úrad). The Act mirrors the directive’s scope but introduces specific Slovak threshold rules and the national cybersecurity register that covered entities must enter within set timelines.

National competent authority
NBÚ — NIS2 portal

Authoritative source for Slovakia-specific NIS2 guidance, registration, and incident reporting.

1.0 / What Slovak entities face under NIS2

Slovak Annex I essential entities concentrate around energy (Slovenské elektrárne and the regional grid and heat operators), drinking-water utilities, banking (Tatra banka, VÚB, Slovenská sporiteľňa), public administration, and regional healthcare providers. Annex II important entities span manufacturing, food production, postal services, and waste management: the parts of the Slovak industrial base that quietly underpin the supply chains of larger central-European customers.

The practical consequence is that thousands of mid-market Slovak entities are now in scope without ever having operated a formal cybersecurity programme. Most do not have a dedicated CISO. Most do not have a GRC team. Most are now expected to hold the same shape of evidence that a multinational holds, scaled appropriately — and most are working out what that means in the same year that their customers also work it out.

2.0 / Act 366/2024 and what NBÚ is asking for

Act 366/2024 closely mirrors the directive but introduces Slovak-specific threshold rules and a registration regime. Covered entities self-determine whether they are in scope under the staff/turnover/sector tests; once in scope, they must enter the national cybersecurity register within statutory windows. NBÚ maintains the register and publishes practitioner guidance in Slovak — the binding text is the Slovak guidance, not English summaries.

Incident notification follows the directive cadence (24-hour early warning, 72-hour incident notification, one-month follow-up), with Slovak-specific templates in the NBÚ portal. Sector-specific NBÚ guidance for OT-heavy sectors — utilities, manufacturing — tends to be more prescriptive than the directive baseline, particularly around supply-chain assurance evidence.

3.0 / Supplier-risk patterns particular to Slovakia

Slovak supplier inventories typically run 40–60% non-Slovak Tier 1 — heavy reliance on Czech, German, and Austrian software and IT vendors. Sub-processor visibility into multinational ICT providers headquartered outside Slovakia is a recurring practical gap; you can collect a SOC 2 from the parent, but documenting which sub-processors actually touch your data takes patience and the right contract clauses.

Mid-market Slovak entities lack the in-house GRC capacity to rapidly assess multinational supplier compliance, so the work falls on already-stretched IT leads. Manufacturing supply chains add another wrinkle: SCADA, PLC, and MES vendors often have not historically faced cybersecurity-first procurement, and bringing them up to NIS2 evidence standards is a 6–12-month conversation rather than a one-quarter exercise.

4.0 / How Supply Chain Assurance fits the Slovak market

Built in Bratislava by a practitioner who has worked through the Slovak transposition with mid-market entities, Supply Chain Assurance is calibrated for the segment Act 366/2024 quietly pulled into scope without enterprise GRC infrastructure. A Slovak-language UI is on the post-stabilisation roadmap (Slovak first). NBÚ-aligned evidence templates are being calibrated against the regulator’s published guidance.

Cross-border supplier inheritance is handled — the same evidence library serves Slovak NBÚ obligations and the upstream Czech / Austrian / German buyer obligations a Slovak supplier inherits. For mid-market buyers without a CISO, the Qualified Manager retainer puts a NIS2-qualified practitioner on the board paper at a fixed monthly fee — the brief practitioner conversation we have most often is whether that retainer or the one-off Exposure Assessment is the right starting point.

5.0 / Next step

Where are you with NIS2 supplier work in Slovakia?

Two ways to find out fast — a five-minute self-assessment, or a practitioner-walked exposure picture in two to three weeks.