The NIS 2 Directive (EU Directive 2022/2555) was intended to introduce uniform cybersecurity rules across the EU. However, the reality is different. From our practical experience — having implemented NIS 2 for dozens of clients across various sectors and several countries — we know that each Member State has ‘tailored’ the directive to suit its own needs. For multinational corporations, this means one thing: what applies in Romania or the Czech Republic may not be sufficient in Slovakia, and vice versa.
Who is affected by NIS 2 — and how can you find out?
The first hurdle? ‘Self-identification’ itself — determining whether your company falls under the obligations of NIS 2.
In practice, we have repeatedly encountered situations where companies are unable to answer with certainty the seemingly simple question: ‘Are we a regulated entity under NIS 2?’
Whilst some countries, including Slovakia, do provide a self-assessment tool or the option to request methodological guidance from the National Security Authority (“NSA”), these are not legally binding, and responsibility under the Act rests with the company itself and its directors. At the same time, the methodological guidelines often refer to European regulations, which may be implemented or interpreted differently in a given EU Member State.
As an example, we cite companies that are unaware that they fall within the definition of a food business, or companies that are manufacturers in the automotive sector. The production of chemical substances and managed ICT services also give rise to interpretation issues. In the latter case, for example, companies are unaware that if a group or conglomerate does not have its main place of business in a single country, each company must file a notification in every country where it operates.
Care must also be taken when determining the size of an organisation. Even a newly established company which, at the time of its incorporation, has 0 employees and a turnover of 0 EUR may fall under the NIS 2 regulation, particularly if it is part of a group.
Please note: Even if your company does not fall directly under NIS 2, your customers or business partners probably do — and they will require you to meet security standards. According to ENISA, as many as 62% of cyber-attacks on organisations exploited trust in a supplier, and in 66% of cases, the suppliers were not even aware that they had been compromised. NIS 2 may therefore affect you indirectly — and ignoring this reality could cost you business partners.
NIS 2 and cross-border operations — can an operator of essential services be subject to the jurisdiction of the NSA in more than one country?
Yes.
A specific practical example: Article 26(1)(a) of NIS 2 stipulates that providers of public electronic networks or publicly available electronic services are subject to the jurisdiction of the state in which they provide their services. But what does this actually mean for a company that operates across borders but has a place of business in only one country?
The Slovak Cyber Security Act (Act No. 69/2018 Z. z.) is based on the general rule that entities with their registered office in Slovakia are subject to Slovak regulation. There are specific exceptions to this rule for certain services (e.g. managed services), under which entities are subject to Slovak regulation provided they have their principal place of business in Slovakia.
However, where a company provides public electronic communications networks or services from abroad, it does not fall under either of the above rules.
If the NIS 2 Directive were strictly applied, the company would be required to fulfil its notification obligation in Slovakia — to notify the NSA of its regulated activities.
It is important to make this clear: the company’s obligations do not end with notifying the NSA of its activities — on the contrary, they are only just beginning.
The company becomes a fully-fledged operator of essential services, classified as an essential entity. This requires having complete security documentation in accordance with the Slovak Cyber Security Act and undergoing a cybersecurity audit by a certified auditor. From our experience, we know that this phase tends to take clients by surprise — the scope of obligations is significantly greater than most companies expect. The legislation does not specify how a Slovak auditor is to conduct an audit of foreign security documentation.
In some countries, such a company — or a foreign company in general — may encounter difficulties even at the stage of notification.
This is because the forms for notifying the commencement of activities falling under NIS 2 are not standardised across the EU.
For example, in the Czech Republic, foreign companies are required to have a representative holding a Czech identity document, and not only the company itself but also the representative must file a notification with the NSA.
Foreign companies, as well as local companies with foreign directors, may face new technical requirements and challenges in effectively setting up access to national portals.
These differences between countries are why, when implementing NIS 2, it is crucial to have an adviser at your side with practical experience across multiple jurisdictions — not just theoretical knowledge of the directive.
If you are part of an international group, it is not enough to comply with NIS 2 in Slovakia alone. In every country where you operate, you must assess separately whether you fall under the local NIS 2 regulations and notify within the relevant timeframes; in Slovakia, this means notifying the NSA within 60 days of commencing operations.
Notification to the NSA is just the start – what comes next?
Key deadlines you should note in your diary
- Notification of activities with the NSA — within 60 days of commencing regulated activities
- Implementation of security measures (appointment of a cybersecurity manager, risk analysis, security documentation) — within 12 months of registration
- Audit if you are an essential entity / Self-assessment of the effectiveness of measures if you are an important entity — within 24 months of registration
If you already have some security measures in place, we recommend starting with a cybersecurity GAP analysis — a comprehensive assessment of where you stand and what you need to achieve full compliance with NIS 2. From our experience with clients of various sizes and across different sectors, we know that the results are often surprising — in some companies, we have identified non-compliance with up to 99% of the legal requirements. If you have not yet implemented any security measures, start with a risk analysis.
Although it is not necessary to have a designated cybersecurity manager at the time of notification, we recommend not leaving this requirement until later.
In practice, we have also encountered situations where group companies in particular automatically outsource the role of cybersecurity manager because their regional or group CISO does not speak Slovak, even though they could fill the position internally — often more effectively and with a deeper understanding of corporate processes. We recommend first assessing internal capabilities against the statutory requirements and setting up the processes correctly.
Supply chain risk management under NIS 2
Part of the security measures — which may be entirely new to some companies — is the obligation to manage risks within their supply chain. If you are a regulated entity, you must identify all key suppliers whose services or products are directly related to the availability, confidentiality and integrity of your networks and information systems. Based on a risk analysis, you will then assess with which suppliers it is necessary to conclude a written agreement on security measures — not only with new suppliers, but also within existing relationships.
From our experience, we know that supplier contracts are precisely the area where companies have the greatest gaps. Existing contracts generally do not contain the clauses required by the Cyber Security Act, and amending them is often a time-consuming and negotiation-intensive process, particularly for group companies. We recommend starting to review your supplier relationships as soon as possible — this is not just a matter of paperwork, but of genuinely reducing the risk of a cyber incident originating from your supplier.
If you are unsure whether you fall under the NIS 2 regulation, or need legal advice on notification, a gap analysis, risk analysis, security documentation, drafting contracts with suppliers, or appointing a cybersecurity manager, our team has practical experience across multiple countries and sectors. Please do not hesitate to contact us.
Penalties for breaching NIS 2 that you cannot ignore
Fines under the Slovak Cyber Security Act are not symbolic — they are set in accordance with European rules and can amount to a percentage of global turnover:
| Entity / breach | Maximum fine |
|---|---|
| Essential entity — breach of fundamental obligations | EUR 10,000,000 or 2% of global annual turnover, whichever is higher |
| Important entity — breach of fundamental obligations | EUR 7,000,000 or 1.4% of global annual turnover, whichever is higher |
| Failure to comply with the notification obligation | up to EUR 500,000 |
The sooner you begin implementing NIS 2, the lower the risk. The LYNX legal team for IP & IT law will provide you with comprehensive support — from legal assessment, through notification with the National Security Authority (NSA), GAP analysis, risk analysis and security documentation, right through to the review of supplier contracts and the establishment of the role of the cybersecurity manager. We have carried out dozens of successful implementations across Slovakia and the other EU countries where LYNX is present.
Reach out to our IP, IT and Data team for further support.
Author: Michala Mihályová, Senior Associate, LYNX Slovakia
Sources: Act No. 69/2018 Coll. on Cyber Security, as amended; Directive (EU) 2022/2555 (NIS 2); National Security Authority (NSA)
