Slovenia has officially transposed the NIS2 directive into national law through the new Information Security Act (ZInfV-1), which came into force in June 2025. For many organisations, this creates a sense of urgency mixed with a sense of confusion. Let’s help you clear some of that up.
This article breaks down the key questions:
- What are the implications of ZInfV-1 for Slovenian companies?
- What’s the timeline and how can your company prepare for compliance?
NIS2 directive in Slovenia
The NIS2 directive and ZInfV-1, the Slovenian act transposing it, raise the bar for digital resilience within critical sectors. Organisations that are subject to the directive are required to implement new technical and operational mechanisms for risk management, with the end goal of ensuring nationwide cybersecurity.
The ZInfV-1 Act will have a strong influence on the Slovenian business landscape by prompting companies to:
- Introduce risk management mechanisms
- Become better prepared for cyber threats
- Minimise the financial and operational risks associated with cyberattacks
- Enhance their overall cybersecurity
The law introduces significant changes for both the public and private sectors and sets out a broad range of requirements, including early notification of incidents (no later than 24 hours after identification), incident reporting, business continuity and disaster recovery planning. Given the breadth of these obligations, organisations should take steps toward achieving compliance, if they have not already done so. This raises the question: how much time do you have?

The race to NIS2 compliance has started
The question of “how much time do we have to meet the ZInfV-1 requirements?” is among the most frequently asked questions addressed by the Slovenian government in the ZInfV-1 FAQ. Below, we quote their explanation:
“Article 62 of ZInfV-1 specifies the timeline for adopting risk management measures. The first paragraph states that essential and important entities must implement risk management measures for information and cybersecurity, as defined in Articles 21 and 22 of the law, within eighteen months of the law’s entry into force. The second paragraph further stipulates that essential entities designated as providers of essential services under Article 6 of the previous ZInfV must implement the risk management measures from Articles 21 and 22 within one year of the new law’s enactment. Until this deadline, these entities remain subject to the security requirements, documentation, measures, oversight provisions, and penalties of the “old” ZInfV.”
Although the 12- and 18-month timelines may appear generous, the scope and complexity of the requirements demand that organisations start preparing now.

How to prepare?
The first and most critical step is to map out key business processes and IT services that are essential for delivering your core services. Take a look at your IT environment and determine which systems, applications, and third-party providers are directly involved in supporting these functions. A clear view of your digital ecosystem will help determine what needs to be protected and how disruptions could impact service delivery.
Furthermore, you should:
Think about business continuity
One of the key elements of NIS2 is business continuity, which refers to ensuring that business-critical systems and applications continue to function optimally in the event of unforeseen incidents, including cyberattacks. Technologies such as disaster recovery (DR) and backup solutions play a central role here. A well-defined DR plan ensures that your systems can be restored quickly, while regular, secured backups help prevent permanent data loss.
Adopt a multi-layered approach to security
Technical controls are another key part of NIS2. With that in mind, consider implementing multi-layered security measures, such as firewalls, intrusion prevention/detection systems and multi-factor authentication, to protect access to networks and sensitive systems.
Build a culture of security awareness
Preparing for NIS2 means building a culture of security awareness and accountability. This includes assigning internal responsibilities for cybersecurity, documenting processes, and establishing clear communication and response protocols for handling incidents. Regular training, internal audits, and close collaboration between IT, compliance, and leadership teams will help ensure your organisation meets NIS2/ZInfV-1 requirements.
NIS2/ZInfV-1 compliance: We can help
HC Center can support your company in key areas of compliance with specialised IT and cloud solutions, evaluation and implementation support, and managed services.
Please get in touch with our security experts to learn more about our NIS2 solutions and services.


