The new year has barely started and we have already witnessed unprecedented cyberattacks on our country’s IT systems. The response must be an effective combination of legislative, organizational, and strategic measures that will strengthen Slovakia's security. The amendment to the Cybersecurity Act, which took effect on January 1, 2025, is a partial response to modern threats. It strengthens security requirements and oversight of strategic sectors. We spoke with energy law expert Barbora Balunová from the law firm L/R/P advokáti about how these changes have affected the energy sector.
The Need for Enhanced Cybersecurity
Earlier this year, Slovakia experienced one of the most severe cyberattacks in its history. Hackers targeted the Slovak Geodesy, Cartography and Cadastre Office, leading to a paralysis of cadastral services, with serious consequences not only for citizens but also for institutions and local governments. The cyberattack triggered a domino effect – the unavailability of cadastral services significantly slowed the real estate market, banks froze mortgage loans without access to current data, and cities and municipalities were equally paralyzed without necessary information. This incident highlighted the vulnerability of critical state systems and the need to strengthen cybersecurity in Slovakia.
The latest amendment to Act No. 69/2018 on Cybersecurity significantly raises the required level of cybersecurity and incorporates principles from the Network and Information Security Directive 2 (NIS2 Directive) into national legislation. "One of the main goals of the NIS2 Directive is to extend the scope of cybersecurity to more sectors and types of organizations. The European Union has long advocated for stricter security requirements and measures to protect IT infrastructure, as well as increased oversight of their compliance. Potential cyberattacks, e.g., on energy infrastructure, could have devastating effects on the economy, lives and health of people living in the EU. Therefore, in dealing with cyber incidents, EU states should now act in unity and cooperate more closely and effectively," says energy law and regulation expert Barbora Balunová.
The amendment aims to reduce the risks that accompany rapid technological development and digitalization and to raise the overall level of cybersecurity across key sectors of our country's economy. Through the amendment, the European rules on cybersecurity regulation and on the resilience of key entities and entire sectors against current cyber threats are thus transposed into Slovak law.
Whom Do the Changes Affect?
The key changes introduced by the amendment include expanding the scope of the law to new entities, identifying a regulated entity based on its sector classification, adjusting incident reporting, applying security measures based on risk analysis, adjusting supply chain security, coordinated vulnerability disclosure, auditing, and self-assessment or certification of ICT product and service security.
The amendment significantly expands the obligations for companies operating in the energy sector. "Among the energy companies that may be affected by the registration requirement are, for example, electricity and gas traders and suppliers, including LNG, heat producers, DSO operators, aggregators, operators of natural gas storage or LNG facilities. The precise lists of entities in the energy sector and other sectors with a high level of criticality are specified in the appendices of the amendment," says Balunová.
Changes Affect Significant Players in the Energy Sector
The amendment to the law designates a wider range of entities operating in sectors that are critical or essential for the functioning of society. Sectors with a high level of criticality include energy, transport, finance, healthcare, water and environment, digital infrastructure, ICT service management (business-to-business), public administration, and space. The amendment also affects other important economic sectors, such as waste management or manufacturing, including the production of technological equipment used in energy facilities, gas networks, electricity transmission and distribution systems, or heat distribution.
"The most significant change introduced by the Cybersecurity Act amendment is the shift in approach to identifying obligated entities, known as critical entities and also basic service operators. For critical entities, the assessment process is lengthy, demanding, and involves several state authorities. A basic service operator, on the other hand, undergoes a process of ‘self-identification’ and subsequently has the obligation to register in the register of operators maintained by the National Security Authority," Balunová explains.
The regulation identifies basic service operators on the basis of specific criteria, including sectoral criteria and an assessment of size. The National Security Authority's website offers an informative questionnaire with which an entity can make an initial check of whether it may be classified as a basic service operator under the amended Cybersecurity Act. An entity that meets the criteria for registration as a basic service operator must report to the National Security Authority within 60 days, and the Authority in turn is obliged to enter it into the register within 30 days.
New Obligations after Registration with the NSA
With registration, the operator takes on a number of obligations, including a one-year deadline to implement the necessary security measures; their implementation must be completed no later than March 2026.
Basic service operators are also required to promptly report significant incidents and cyber threats. The aim is to raise the level and quality of shared information, thereby streamlining the reporting of threats, vulnerabilities, mitigations applied at short notice, and cybersecurity incidents. This will raise awareness of cyber threats and improve entities' ability to prevent them.
Another obligation for basic service operators is a cybersecurity audit; in some cases a self-assessment suffices. The first independent audit must be conducted within 24 months of the date of registration in the register.
Deterrent Sanctions
The changes also affect the sanctioning mechanism, making the enforcement of fines more efficient and introducing a new form of administrative sanction.
If a company neglects its notification obligation, it risks a substantial fine of up to 500 000 euros. "Apart from the deterrently high statutory penalties, the most serious negative consequence of neglecting duties and vigilance in the event of a cyberattack will be the paralysis of the enterprise, damage to its reputation, incurring property damage, and potential threats to human life and health," concludes Balunová.
This article has been brought to you by L/R/P advokáti.
