NIS2/ZoKB: A guide to obligations and solutions
NIS2 – What is it about?
NIS2 is the European Directive on cybersecurity (Directive (EU) 2022/2555), building upon the original NIS Directive. Its aim is to strengthen the resilience of digital infrastructure across EU member states by introducing unified rules for the protection of networks, systems, and data. It sets stricter requirements for risk management, incident reporting and supply chain security.
ZoKB – Slovak legislation
The Slovak Republic has prepared an amendment to Act No. 69/2018 Coll. on Cybersecurity (ZoKB) as part of the transposition of the NIS2 Directive.
Decree 227/2025 Coll. on security measures under the Cybersecurity Act is effective from 1 September 2025.
Decree 226/2025 Coll. of the National Security Authority, establishing details on reporting, is effective from 1 September 2025.
Who does it concern?
The directive affects approximately 6,000 entities in the Slovak Republic operating across 15 sectors:
Essential entities:
- Energy
- Healthcare
- Transport
- Banking
- Digital infrastructure
- Public administration
- Space industry
Important entities:
- Digital service providers
- Postal services
- Waste management
- Food industry
- Manufacturing
- Chemicals
- Research
An entity falls under NIS2/ZoKB if it operates an essential service (prevádzkovateľ základnej služby - PZS) or a critical essential service (prevádzkovateľ kritickej základnej služby - PKZS).
The directive is based on the principle of self-identification. Once an entity identifies itself as subject to the directive, it must notify the authority within 60 days of commencing the relevant activity.
Not sure if NIS2 applies to your company?
Find out quickly and easily with our online NIS2 compliance calculator (currently available only in Slovak).
Timeline
- The NIS2 directive became effective in the EU on 17.1.2023.
- The amendment to Act No. 69/2018 Coll. on Cybersecurity (ZoKB) becomes effective on 1.1.2025.
- A PZS under Act No. 69/2018 Coll., as in force until 31.12.2024, may, until 31.12.2026, adopt and implement security measures under the regulations effective from 1.1.2025 also by adopting and implementing security measures under the regulations effective until 31.12.2024.
- A PZS is obliged to implement security measures within 12 months from the date of registration.
- A PZS is obliged to have its first audit performed by a certified auditor within 2 years from registration in the PZS register.
- An operator of an essential service that does not provide a critical service may also perform the audit as a so-called self-assessment, carried out by a cybersecurity manager within 2 years from registration in the PZS register.
Failure to notify the start of regulated activity under the Cybersecurity Act is an administrative offense. The National Security Authority (NBÚ) may impose a fine ranging from €300 to €500,000.
How can Forvis Mazars help?
- Ensure compliance with Act No. 69/2018 Coll.
- Asset identification and evaluation, risk analysis
- Development of security policies and guidelines
- Consulting support
- Audit under Act No. 69/2018 Coll.
- Internal cybersecurity audit
- Cybersecurity training
- GAP analysis of documentation against legal requirements
- Implementation of an information security management system in accordance with ISO 27001
Do you have questions about your NIS2 obligations? Reach out to our advisors for expert support.