NIS2 Slovenia Compliance Guide: Cybersecurity Act (ZKV-1), URSIV Enforcement, and SI-CERT Incident Reporting for 2026

Slovenia transposed the EU NIS2 Directive through the Cybersecurity Act (Zakon o kibernetski varnosti, ZKV-1), which was adopted in late 2024 and entered into force on 1 January 2025. The law replaces Slovenia’s earlier 2018 Act on Information Security Measures in State Bodies and establishes a modern framework covering both public and private sector cybersecurity obligations. URSIV (Uprava Republike Slovenije za informacijsko varnost / Office of the Republic of Slovenia for Information Security) serves as the national competent authority and Single Point of Contact, while SI-CERT — Slovenia’s well-established national CSIRT operated by ARNES (Academic and Research Network of Slovenia) — handles incident reporting and response coordination. As one of the EU’s smaller Member States and a former Yugoslav republic bordering Croatia, Austria, Hungary, and Italy, Slovenia’s NIS2 approach reflects both its compact institutional landscape and its position at the crossroads of Central and Southeastern European cybersecurity cooperation.

This guide covers Slovenia’s NIS2 transposition, URSIV enforcement, SI-CERT incident reporting, entity classification, sector-specific requirements, penalties, implementation milestones, and practical steps for compliance.

Slovenia’s NIS2 Transposition: Where Things Stand

The Legal Framework

Slovenia implemented NIS2 through a comprehensive new Cybersecurity Act that supersedes the limited NIS1-era framework:

• Cybersecurity Act (Zakon o kibernetski varnosti, ZKV-1): Adopted by the National Assembly in late 2024, entering into force on 1 January 2025. The Act contains comprehensive provisions covering entity classification, risk management obligations, incident reporting, supervisory authority powers, penalties, personal liability, and mutual assistance with EU Member States. It replaces the 2018 Act on Information Security Measures in State Bodies (Zakon o ukrepih za zagotavljanje informacijske varnosti v državnih organih) which was limited to public sector entities.
• Cybersecurity Strategy of the Republic of Slovenia: Updated in 2024 to align with NIS2 directives and establish national cybersecurity priorities through 2030.
• Decree on the Implementation of the Cybersecurity Act: Secondary legislation providing detailed guidance on entity designation criteria, incident reporting procedures, security measure specifications, and supervisory fee structures (expected Q2–Q3 2026).

Slovenia completed transposition around the EU deadline period. While the European Commission issued a Reasoned Opinion on 7 May 2025 to several Member States, Slovenia’s ZKV-1 adoption places it among those that substantially completed transposition, though the secondary legislation framework is still being finalized.

Key Dates and Timeline

Milestone	Date	Status
NIS2 Directive adopted	January 2023	—
Draft ZKV-1 published for public consultation	Q1 2024	Complete
ZKV-1 adopted by National Assembly	Late 2024	Complete
ZKV-1 enters into force	January 1, 2025	Complete
URSIV begins entity registration process	Q1 2025	Ongoing
SI-CERT NIS2 reporting portal operational	Q2 2025	Ongoing
EU transposition deadline reference	17 October 2024	Near-complete
EC transposition review	May 2025	Under review
Decree on Implementation expected	Q2–Q3 2026	Pending
First entity designation notices	Q3 2026	Upcoming
Full supervisory regime operational	Q4 2026	Expected

Important: ZKV-1 is in force as of 1 January 2025, but the detailed implementing decree is still being developed. Entities should treat the substantive obligations of ZKV-1 as binding and begin compliance preparations immediately, rather than waiting for the secondary legislation.

Comparison with Other EU Countries

Slovenia’s approach shares characteristics with several EU states in our country guide series:

• Croatia (NCSC-HR/CERT.hr): Former Yugoslav neighbor, similar small-state challenges and regional cooperation dynamics
• Austria (NISG 2026): Northern neighbor, more mature cybersecurity infrastructure — useful reference for best practices |
• Hungary (SZTFH/NKI): Eastern neighbor, comparable multi-authority coordination needs
• Slovakia (NBU/SK-CERT): Fellow small Central European state, similar institutional concentration approach
• Malta (MITA): Comparable small EU member state with single-authority model
• Czech Republic (NUKIB): Central European reference with more developed supervisory capacity

Key Regulatory Bodies

URSIV — Office of the Republic of Slovenia for Information Security

URSIV (Uprava Republike Slovenije za informacijsko varnost) is Slovenia’s central NIS2 authority:

• National Competent Authority (NCA) for both essential and important entities
• Single Point of Contact (SPOC) for EU-level NIS2 coordination, cross-border cooperation, and EU CSIRTs Network representation
• Supervisory authority with powers to conduct on-site inspections, request documentation, order audits, and assess penalties
• Policy leader — develops national cybersecurity strategy and issues binding guidance
• Entity registration authority — maintains the national registry of essential and important entities

URSIV was established under the earlier 2018 Act and has been significantly empowered by ZKV-1, expanding its jurisdiction from public-sector-only to all in-scope entities.

Contact:

• Address: Tobačna ulica 5, 1000 Ljubljana, Slovenia
• Email: ursiv@gov.si
• Phone: +386 1 478 8900
• Website: https://ursiv.gov.si

SI-CERT — National CSIRT

SI-CERT is Slovenia’s national Computer Security Incident Response Team, operated by ARNES (Academic and Research Network of Slovenia):

• National CSIRT since 1997 — one of the oldest national CSIRTs in Europe
• Full member of FIRST and Trusted Introducer accredited
• Incident handling for all essential and important entities under NIS2
• Vulnerability coordination — processes responsible vulnerability disclosures affecting Slovenian entities
• Threat intelligence sharing with EU CSIRTs Network and international partners
• Security advisory publication — alerts on emerging threats relevant to Slovenian infrastructure
• Cross-border coordination — interfaces with CERT-EU, ENISA, and neighboring national CSIRTs (CERT.hr, A-CERT)

Contact:

• Email: cert@arnes.si (general) | incident@arnes.si (incident reporting)
• Phone: +386 1 479 8800
• Website: https://www.cert.si
• PGP Key: Available on SI-CERT website
• Business Hours: 08:00–20:00 CET, Monday–Friday; emergency line available 24/7 for critical incidents

ARNES — Academic and Research Network of Slovenia

ARNES operates SI-CERT and provides the institutional infrastructure for Slovenia’s national CSIRT capabilities:

• Established in 1992 as Slovenia’s national research and education network
• Hosts and operates SI-CERT under contract with URSIV
• Provides network security monitoring and threat detection for the research and education sector
• Supplies technical capacity for the national incident response infrastructure

Sectoral Competent Authorities

Slovenia uses a lightweight multi-authority model with sectoral coordination for specific sectors:

Authority	Sector	Coordination Role
URSIV	Digital infrastructure, ICT services, public administration	Primary competent authority
Bank of Slovenia (Banka Slovenije)	Banking, financial market infrastructure	Sectoral regulator for financial entities
Securities Market Agency (ATVP)	Investment firms, financial services	Sectoral regulator for securities markets
Energy Agency of Slovenia (AGRS)	Electricity, gas, oil, district heating	Sectoral regulator for energy
Ministry of Infrastructure (MzI)	Transport, spatial planning	Sectoral authority for transport
Ministry of Health (MZ)	Healthcare, medical devices	Sectoral authority for health
Agency for Communication Networks and Services (AKOS)	Electronic communications	Telecom sector regulator

Key distinction: Unlike Hungary or Germany’s more formal multi-authority models, Slovenia’s sectoral coordination is primarily advisory and cooperative rather than granting independent supervisory powers. URSIV retains primary NIS2 enforcement authority across all sectors, consulting sectoral authorities on sector-specific matters.

Which Entities Are Affected?

Essential Entities

Under ZKV-1, Slovenia designates essential entities in these sectors:

• Energy: Electricity operators (Elektro Slovenija, distribution companies), natural gas, petroleum, district heating
• Transport: Ljubljana Jože Pučnik Airport, Port of Koper, Slovenian Railways (SŽ), road transport operators
• Banking: Credit institutions licensed by the Bank of Slovenia
• Financial Market Infrastructure: Ljubljana Stock Exchange, payment systems operators
• Health: University Medical Centre Ljubljana, regional hospitals, clinical laboratories, medical device suppliers
• Drinking Water: Public water supply operators
• Wastewater: Public wastewater treatment operators
• Digital Infrastructure: .si ccTLD registry (operated by ARNES), DNS providers, cloud computing providers, data centres, CDNs
• ICT Service Management: Managed security providers, managed IT service providers
• Public Administration: Government bodies, agencies, and municipalities above population thresholds
• Space: Ground station infrastructure supporting EU space programmes

Important Entities

Slovenia identifies important entities from additional sectors:

• Postal and Courier Services: Pošta Slovenije, private courier operators
• Waste Management: Waste collection and treatment operators
• Chemical Manufacturing: Production and distribution of hazardous substances
• Food Production: Large-scale food processing and distribution
• Manufacturing: Designated manufacturing sectors (pharmaceuticals, electronics, automotive components)
• Digital Providers: Online marketplaces, search engines, social media platforms
• Research Organisations: Slovenian research institutes, University of Ljubljana faculties with critical research infrastructure

Size Thresholds

Slovenia applies standard NIS2 size thresholds:

Criterion	Essential Entities	Important Entities
Employees	≥250	≥50
Annual turnover	≥€50 million	≥€10 million

Entities covered regardless of size:

• Qualified trust service providers
• .si ccTLD registry
• DNS service providers
• Public electronic communications providers
• Cloud computing service providers
• Data centre operators
• Entities designated by URSIV as sole providers of essential services

Slovenia-Specific Designation Criteria

Given Slovenia’s small market, URSIV has indicated it will apply supplementary criteria recognizing that:

• Sole-provider situations are more common in small markets — URSIV may designate entities that are the only provider of a specific service in Slovenia regardless of size
• Regional criticality — entities providing essential services to specific Slovenian regions (e.g., transport in alpine areas, water supply in Karst regions) may be designated
• Cross-border service provision — entities providing services that cross into Austria, Italy, Croatia, or Hungary may face designation based on cross-border impact potential

Entity Designation Process

URSIV follows a notification and verification process:

1. Self-assessment — Entities should determine whether they fall within NIS2 scope based on sector, size, and supplementary criteria
2. Registration with URSIV — In-scope entities must register through the URSIV portal
3. URSIV review — Verification of entity classification against legal criteria
4. Formal designation notice — URSIV issues binding classification as essential or important entity
5. Compliance transition period — Designated entities receive a compliance timeline (expected 12 months from designation)

Slovenia-Specific Requirements (Beyond NIS2 Minimums)

Slovenia’s ZKV-1 introduces several provisions beyond NIS2 minimum standards:

Cross-Border Coordination Emphasis

Given Slovenia’s position at the intersection of Alpine, Mediterranean, and Central European regions, ZKV-1 places unusual emphasis on cross-border incident coordination:

• Mandatory cross-border impact assessment — entities must assess whether incidents affect neighboring Member States (Austria, Italy, Croatia, Hungary) as part of their incident reporting
• Bilateral CSIRT cooperation agreements — URSIV/SI-CERT has formal cooperation frameworks with A-CERT (Austria), CERT.hr (Croatia), and other neighboring CSIRTs
• EU Strategy for the Danube Region alignment — Slovenia’s NIS2 framework references cybersecurity cooperation under the Danube Region strategy

Research and Education Sector Protection

Slovenia’s strong research tradition leads ZKV-1 to include enhanced protections for research infrastructure:

• Designated research organisations must implement measures protecting research data integrity and scientific instrument control systems
• ARNES/SI-CERT provides dedicated research cybersecurity support programmes
• University research entities with critical European Research Infrastructure Consortium (ERIC) participation may receive enhanced designation

Municipal Cybersecurity Programme

ZKV-1 establishes a municipal cybersecurity support programme for smaller local government bodies:

• Municipalities below the size threshold receive voluntary guidance and support from URSIV
• A national framework for municipal cybersecurity baseline controls is under development
• Joint procurement frameworks for municipal security tools and services

Penalties and Enforcement

Entity-Level Fines

Slovenia’s penalties align with NIS2 maximum thresholds:

Violation Type	Entity Category	Maximum Fine
Risk management breach	Essential	Higher of €10,000,000 or 2% of total worldwide annual turnover
Risk management breach	Important	Higher of €7,000,000 or 1.4% of total worldwide annual turnover
Non-compliance with corrective measures	Both	Corrective orders and escalating penalties
Failure to register with URSIV	Both	Up to €50,000
Failure to report incidents	Both	Up to €500,000

Personal Liability for Management

ZKV-1 includes personal liability provisions for senior management:

Violation	Maximum Fine
Management member failing to approve cybersecurity risk management measures	Up to €40,000 per violation
Management member failing to oversee implementation	Up to €25,000 per violation
Non-cooperation with supervisory authority	Up to €15,000 per violation
Repeated violations	Escalating penalties including potential management ban

Board-level approval of cybersecurity risk management measures is mandatory, with decisions required to be documented in board minutes as due diligence evidence.

Enforcement Posture

URSIV is building its supervisory capacity following the ZKV-1 entry into force. The implementing decree (expected Q2–Q3 2026) will provide detailed enforcement procedures. URSIV has indicated an initial cooperative approach prioritizing:

• Entity registration completion
• Guidance issuance and stakeholder education
• Building inspection and audit capabilities
• Establishing coordination with sectoral authorities

As URSIV’s capacity matures through 2026, enforcement intensity is expected to increase, particularly for entities that have not registered or are demonstrably non-compliant.

Compliance Requirements

Article 21 Risk Management Measures

Slovenian essential and important entities must implement measures covering the 10 NIS2 Article 21 areas:

1. Risk analysis and information security policies — documented risk assessments and security strategies updated annually
2. Incident handling — prevention, detection, analysis, response, and recovery procedures
3. Business continuity — crisis management, disaster recovery, backup procedures, and crisis communication plans
4. Supply chain security — assessment of ICT suppliers and service providers, vendor risk management, concentration risk analysis
5. Security in network and information systems — secure acquisition, development, and maintenance practices
6. Vulnerability handling and disclosure — vulnerability management processes and coordinated disclosure policies
7. Cryptography and encryption — data encryption at rest and in transit, key management practices
8. Human resources security — training, awareness, background checks, and access management
9. Access control — least privilege, MFA for privileged access, periodic access reviews
10. Physical security — premises and data center protection measures

Incident Reporting Requirements

Slovenian entities must report significant incidents to SI-CERT following the standard NIS2 three-stage reporting timeline:

Reporting Stage	Timeline	Content
Early Warning	Within 24 hours	Initial notification — whether suspected unlawful/criminal offense, whether possible cross-border impact, indicators of compromise
Incident Notification	Within 72 hours	Severity assessment, impact analysis, containment status, technical information
Final Report	Within 30 days	Detailed root cause analysis, cross-border impact assessment, remediation measures, lessons learned

Cross-border emphasis: Given Slovenia’s geographic position, entities must specifically assess and report on cross-border impact affecting Austria, Italy, Croatia, and Hungary as part of the early warning and incident notification stages.

Where to report:

• Email: incident@arnes.si
• PGP-encrypted email using SI-CERT public key
• Phone: +386 1 479 8800 (08:00–20:00 CET)
• Emergency 24/7 line for critical incidents
• URSIV portal: Online submission for registered entities

Supply Chain Security

ZKV-1 requires Slovenian entities to assess and manage cybersecurity risks across their supply chain, with emphasis on:

• Cross-border vendor dependencies — many Slovenian entities rely on service providers headquartered in Austria, Italy, or Germany
• Small vendor ecosystem — Slovenia’s compact market means few domestic alternatives for specialized ICT services
• Concentration risk — URSIV guidance highlights the risk of single-vendor dependencies in a small market
• Contractual cybersecurity requirements — entities must ensure binding security obligations in all critical vendor agreements

This aligns with our guide on NIS2 supply chain and third-party risk management.

Implementation Roadmap for Slovenian Entities

Phase 1 — Immediate (April–June 2026)

1. Register with URSIV through the official portal — confirm entity classification and sector designation
2. Complete self-assessment — determine whether the entity is an essential or important entity based on sector, size, and supplementary criteria
3. Designate cybersecurity governance — assign board-level responsibility and appoint a security officer
4. Identify cross-border dependencies — map services and vendors operating across Slovenia’s borders
5. Conduct initial asset inventory — catalogue all network and information systems

Phase 2 — Foundation (July–September 2026)

1. Conduct gap analysis against NIS2 Article 21 measures (see our NIS2 gap analysis guide)
2. Establish incident reporting procedures — register with SI-CERT, test reporting channels and 24-hour escalation capability
3. Begin risk assessment — cybersecurity risk analysis proportionate to entity size and sector risk profile
4. Review supply chain security — assess cross-border vendor dependencies, update contracts with cybersecurity clauses
5. Deploy baseline security controls — MFA, encryption, logging, vulnerability management, access control

Phase 3 — Full Compliance (Q4 2026–2027)

1. Implement all Article 21 measures — technical and organizational controls meeting ZKV-1 requirements
2. Test incident reporting — conduct tabletop exercises including cross-border impact assessment scenarios
3. Complete business continuity and disaster recovery testing
4. Prepare for URSIV supervision — document policies, procedures, and evidence (see our NIS2 audit preparation guide)
5. Monitor implementing decree — await finalization of URSIV’s detailed enforcement guidance
6. Participate in SI-CERT exercises — engage in national and cross-border cybersecurity exercises

Cyber Insurance Implications for Slovenian Entities

Why Slovenian Entities Need Cyber Insurance

Slovenia’s NIS2 enforcement creates significant liability exposure, particularly for entities in the small domestic market:

• Maximum penalties up to €10M — substantial relative to Slovenia’s GDP and entity sizes
• Personal liability for management — directors and officers face individual fines up to €40,000
• Cross-border incident exposure — Slovenian entities’ cross-border dependencies amplify the cost of incidents affecting neighboring states
• Small market concentration risk — few alternative vendors mean supply chain failures have outsized impact
• Business interruption from corrective orders or system shutdowns during incident response
• Dual-reporting burden — entities with cross-border operations may face reporting obligations in multiple jurisdictions

What Underwriters Should Ask

When underwriting Slovenian entities under NIS2, insurers should seek:

1. Entity classification — Is the insured designated as an essential or important entity by URSIV?
2. URSIV registration status — Is the entity registered and has it received formal designation?
3. Cross-border dependencies — What percentage of critical ICT services are provided by non-Slovenian vendors?
4. Cross-border incident history — Any incidents that affected or were coordinated with Austrian, Croatian, or Italian counterparts?
5. Sole-provider status — Is the entity the only provider of a specific service in Slovenia?
6. SI-CERT reporting history — Has the entity previously reported incidents to SI-CERT?
7. Supply chain concentration — How many critical vendors serve the entity, and what is the geographic distribution?
8. Management training — Has leadership completed cybersecurity governance training per ZKV-1 requirements?
9. Business continuity maturity — Has the entity tested BCP/DR plans including cross-border scenarios?
10. Municipal cybersecurity participation — If a municipality, is the entity participating in URSIV’s voluntary municipal programme?

Coverage Considerations

For Slovenian entities, cyber insurance policies should specifically address:

• Regulatory investigation costs under ZKV-1 enforcement actions and URSIV supervisory proceedings
• Personal liability extensions — D&O coverage for management individual fines up to €40,000
• Cross-border incident costs — legal and forensic expenses for incidents requiring coordination with Austrian, Croatian, Italian, or Hungarian authorities
• Business interruption during URSIV-mandated system reviews or corrective orders
• Incident response retainers — pre-approved forensic, legal, and PR teams familiar with SI-CERT reporting procedures
• Supply chain losses — particularly critical given Slovenia’s reliance on cross-border vendors (see supply chain attack loss scenarios)
• Data restoration costs following ransomware or destructive attacks
• Crisis management — reputational harm coverage especially for entities in Slovenia’s tourism-dependent economy

Use our cyber insurance buying guide to compare coverage options and our NIS2 compliance checker to assess your current compliance status.

Key Takeaways

1. Slovenia transposed NIS2 through the Cybersecurity Act (ZKV-1), which entered into force on 1 January 2025 — replacing the 2018 public-sector-only framework with comprehensive coverage of both public and private entities
2. URSIV serves as the national competent authority and SPOC with primary enforcement powers across all sectors, while sectoral authorities play a cooperative advisory role
3. SI-CERT (operated by ARNES) is Slovenia’s national CSIRT — one of Europe’s oldest, established in 1997, providing incident reporting and response coordination
4. Cross-border coordination is a distinctive emphasis — Slovenia’s geographic position requires enhanced attention to incidents affecting Austria, Italy, Croatia, and Hungary
5. Standard NIS2 penalty framework applies — up to €10M or 2% global turnover for essential entities, plus personal management liability up to €40,000
6. Small market dynamics — sole-provider situations, cross-border vendor dependencies, and market concentration create unique compliance challenges
7. The implementing decree is still pending — entities should comply with ZKV-1’s substantive provisions now rather than waiting for secondary legislation
8. Cyber insurance is essential for Slovenian entities facing NIS2 liability exposure, particularly those with cross-border operations and single-vendor dependencies

---

For more NIS2 compliance resources, explore our NIS2 compliance checklist, penalties guide, and technical measures requirements. Compare your country’s approach with our essential vs important entity classification guide.