12 March 2026 Update - The transposition of NIS 2 in Slovenia
Slovenia has completed the formal legislative transposition of Directive (EU) 2022/2555 (NIS 2) through the adoption of a new cybersecurity statute known as the Information Security Act (ZInfV-1 – Zakon o informacijski varnosti). The law replaces the earlier cybersecurity legislation and establishes a comprehensive national framework aligned with the NIS 2 Directive.
Before the NIS 2 reform, cybersecurity governance in Slovenia was regulated by the Information Security Act (ZInfV) adopted in 2018, which implemented the original NIS Directive (Directive 2016/1148). This earlier framework imposed cybersecurity obligations on operators of essential services and digital service providers and established incident-reporting mechanisms coordinated at the national level.
Oversight of the national cybersecurity system is coordinated by the Government Office for Information Security (URSIV), which acts as the central authority responsible for cybersecurity policy, incident coordination, and supervisory activities in Slovenia.
Although the 2018 act provided the foundation for cybersecurity governance, its scope reflected the narrower regulatory model of NIS 1 and therefore required significant expansion to comply with the broader requirements of NIS 2.
Under Article 41 of Directive (EU) 2022/2555, Member States were required to adopt national implementing measures by 17 October 2024. Slovenia did not meet this deadline, and the legislative process continued into 2025.
The Slovenian government approved the final draft of the new cybersecurity legislation in April 2025 and submitted it to the National Assembly under an urgent procedure.
The decisive milestone occurred when the National Assembly of Slovenia adopted the new Information Security Act (ZInfV-1) on 23 May 2025.
The law was subsequently published in the Official Gazette on 4 June 2025 and entered into force on 19 June 2025, thereby formally transposing the NIS 2 Directive into Slovenian national law.
The new Information Security Act is a comprehensive reform of the national cybersecurity system. The law replaces the earlier framework entirely and modernises Slovenia’s cybersecurity governance architecture.
It introduces the classification model required by the NIS 2 Directive, distinguishing between essential entities and important entities. These entities must implement cybersecurity risk management measures, maintain incident reporting systems, and comply with supervisory oversight by national authorities.
The new law also significantly expands the number of organisations subject to cybersecurity regulation. Estimates indicate that the number of regulated entities may increase from roughly 1,000 organisations under the previous regime to approximately 6,000–8,000 entities under the NIS 2 framework.
Following the entry into force of the new law in June 2025, Slovenia moved into the operational implementation phase. This includes the creation of national registries of regulated entities, the development of incident-reporting platforms, and the adoption of technical cybersecurity requirements applicable to organisations falling within the scope of the law.
The Slovenian cybersecurity governance system remains centred on the Government Office for Information Security (URSIV), which acts as the national authority responsible for implementing and supervising the NIS 2 framework. Operational incident response is coordinated by SI-CERT, while sector specific regulators such as AKOS participate in supervising entities within their respective sectors.
EU - Transposition, Member States