Slovakia NBÚ’s 3-Stage NIS2 Enforcement Escalation: From Binding Orders to €10M Fines and Management Bans
Since January 2025, when Act No. 366/2024 Coll. brought Slovakia's Cybersecurity Act into alignment with the NIS2 Directive, the Národný bezpečnostný úrad (NBÚ) has held live enforcement authority over approximately 3,500 organisations classified as essential or important entities. The March 2025 registration deadline gave the authority its first complete picture of who is in scope. The December 2026 full-compliance deadline is approaching, and NBÚ inspections are already running against that clock.
Most guidance on Slovak NIS2 enforcement stops at the headline numbers: €10,000,000 for essential operators, €7,000,000 for important ones. That framing misses the mechanism. A fine is the end of a process, not the beginning — and organisations that understand the full three-stage escalation have a fundamentally different compliance posture than those planning only to avoid the largest penalty. This article maps that process, from NBÚ’s first supervisory contact through to financial penalties and management bans, and explains what the appeals route to the Správny súd actually looks like.
Who Falls Under NBÚ Supervision: Essential vs. Important Entities in Slovak Law
Act No. 366/2024 Coll. creates two enforcement tiers that correspond to the EU NIS2 Directive’s essential and important entity distinction, though Slovak legislation uses its own terminology:
| EU NIS2 Entity Type | Slovak Law Designation | Maximum Fine |
|---|---|---|
| Essential entity | Operator of critical essential services | €10,000,000 or 2% of global annual turnover — whichever is higher |
| Important entity | Operator of essential services | €7,000,000 or 1.4% of global annual turnover — whichever is higher |
The scope covers organisations in energy, transport, banking, healthcare, digital infrastructure, wastewater, drinking water, and manufacturing, among other sectors. Slovakia’s implementation brought approximately 3,500 organisations into the NBÚ register by March 2025. For a complete overview of who qualifies as essential or important under Slovak law, see our Slovakia NIS2 compliance guide.
The "whichever is higher" rule matters in practice, and it works in the opposite direction from a cap. For a financial group classified as a critical essential services operator with €800 million in global annual turnover, 2% equals €16 million, so the maximum fine is €16 million, not €10 million: the fixed amount is the floor of the ceiling, and the percentage figure governs whenever it is larger. For a smaller operator with €100 million in global turnover, 2% yields €2 million, so the €10 million figure remains the applicable maximum. The percentage alternative only exceeds the fixed amount once global turnover passes €500 million (€10 million divided by 2%), and because €7 million divided by 1.4% is also €500 million, the same turnover threshold applies to important entities.
Stage 1 — NBÚ’s Inspection and Audit Powers
The NIS2 Directive draws a structural line between how essential and important entities are supervised. Under Article 32 and Article 33 of the Directive — transposed directly into the Slovak Cybersecurity Act — essential entities face comprehensive ex ante and ex post supervision; important entities face ex post supervision only. In practical terms: NBÚ can initiate a supervisory action against an essential entity without waiting for an incident. For important entities, a trigger is needed — typically a reported breach, a third-party notification, or a suspected violation. The full framework for how member states deploy these powers is explained in our guide to NIS2 supervisory measures.
For entities subject to ex ante supervision, the inspection toolkit set out in Article 32(2) includes: on-site inspections and off-site supervision (including random checks conducted by trained staff), regular and targeted security audits carried out by an independent body or by the competent authority itself, ad hoc audits triggered by a significant incident or suspected non-compliance, security scans based on objective risk-assessment criteria, and formal information requests covering cybersecurity policies, control documentation, and evidence that those policies are actually implemented.
As of September 2025, Regulation No. 227/2025 Z.z. replaced Slovakia's previous implementing regulation (No. 362/2018 Z.z.), updating the technical standards NBÚ auditors apply when assessing whether an entity's security measures satisfy the law. Missing the March 2025 registration deadline is more than a bureaucratic lapse: it flags the entity for immediate audit scrutiny, because NBÚ's register is the primary scheduling tool for the inspection programme. Entities not yet registered face not just a procedural fine but direct audit exposure from the moment of omission.
The Fine Tiers: What Determines the Amount
Article 34 of the NIS2 Directive, reflected in Act No. 366/2024 Coll., sets maximum amounts, not the fine NBÚ will actually impose. The authority determines the amount based on the proportionality factors set out in Article 32(7) of the Directive, which Slovak law adopts wholesale:
- Seriousness — whether the violation exposed regulated services or personal data to real risk, and whether that risk materialised
- Duration — how long the non-compliance persisted before discovery or remediation began
- Intent and negligence — whether the failure reflects deliberate non-compliance, systemic neglect, or an honest gap in the entity’s risk programme
- Degree of responsibility — whether management was aware of the deficiency and failed to act
- Prior violations — whether NBÚ has previously identified the same entity in non-compliance
- Level of cooperation — entities that self-report, cooperate fully with the investigation, and begin documented remediation quickly receive materially better outcomes than those that obstruct or delay
The cooperation factor is the most immediately controllable lever available to an affected entity. NBÚ's enforcement discretion allows meaningful differentiation between an organisation that discovers a control gap, reports it to SK-CERT, and initiates documented remediation, and one that discovers the same gap, conceals it, and is found out during an inspection. For first-time violations with good-faith remediation, the actual fine should be expected to fall well below the statutory maximum.
Slovak law also carries lower-tier fines for specific operational violations. Failure to register, failure to commission the required audit, and failure to file an incident report within the statutory window each carry separate financial exposure of up to €500,000, independently of the main penalty tiers. A healthcare provider that fails to file a 72-hour incident notification risks that operational fine in addition to any Article 21 compliance penalty if the incident review reveals deeper control failures.
For context on how Slovakia’s approach sits within the broader EU enforcement picture, see our NIS2 penalties overview.
Stage 2 — Pre-Fine Sanctions: Binding Orders, Service Suspension, and Public Disclosure
Financial penalties are the endpoint of an escalating enforcement sequence. Before reaching that point, NBÚ has three intermediate tools that carry operational and reputational weight in their own right — and each operates on a different timeline and mechanism.
Binding instructions are the most common early intervention. NBÚ issues a formal order specifying the remediation required — for example, “conduct a cybersecurity audit within 60 days” or “implement multi-factor authentication across all administrative interfaces by [date]” — with a hard deadline attached. The instruction is legally binding: failure to comply within the stated period constitutes a further violation, compounding the original finding and triggering escalation. The critical point is that NBÚ names both the specific gap and the deadline — the entity no longer controls its own remediation timeline once a binding instruction is in force.
Service suspension is available where an essential services operator continues to operate in violation of a binding instruction. NBÚ may suspend the entity’s authorisation to provide the regulated service until the unlawful situation is rectified. For critical infrastructure operators — energy suppliers, healthcare networks, banking institutions — a suspension is an operational disruption that typically exceeds the deterrent value of the financial fine itself.
Public disclosure operates as a reputational sanction with no financial ceiling. Under Article 32(4), competent authorities may require an entity to publicly disclose aspects of its non-compliance: that it received a binding order, failed an audit, or had its certification suspended. For any entity operating in a regulated sector with client trust obligations — a bank, an insurance group, a digital services provider — public naming of a cybersecurity enforcement action triggers procurement, insurance, and regulatory consequences that can dwarf the fine amount.
An important procedural distinction: subscriber access restrictions can also be imposed, but these require a court decision rather than NBÚ acting unilaterally. That judicial gate adds a layer of oversight for the most operationally disruptive measure in the toolkit.
Stage 3 — Management Liability: Personal Accountability Under Act No. 366/2024
The most consequential measure in NBÚ’s enforcement toolkit is not the €10 million penalty ceiling — it is the power under Article 32(5)(b) of the NIS2 Directive, transposed into Slovak law, to prohibit an individual from exercising their functions as a member of a statutory body. Under Act No. 366/2024 Coll., a CEO, managing director, or equivalent statutory officer can be temporarily banned from performing management functions where serious or persistent non-compliance is identified.
Slovak law explicitly frames the management prohibition as a last resort, applied only after other relevant enforcement measures have been exhausted. In practice, the sequence runs: binding instruction → financial fine → continued non-compliance → management prohibition. An entity that receives and ignores a binding instruction, pays a fine, and still fails to remediate faces having its executive leadership formally barred from managing the organisation.
The personal dimension extends beyond the prohibition itself. Under Act No. 366/2024 Coll., statutory body members carry civil liability for damages arising from cybersecurity failures attributable to their management decisions. Every material incident notification, risk assessment approval, and supply chain security review is expected to carry a named executive’s accountability — not just the organisation’s formal record. Directors who cannot demonstrate active governance engagement — security training records, board-level risk register sign-offs, meeting minutes reflecting cybersecurity oversight — face both the prohibition mechanism and direct civil liability exposure in the event of a significant incident.
The practical implication for boards is unambiguous: NIS2 compliance cannot be fully delegated to IT or security functions. Non-technical directors who have not actively engaged with the organisation’s NIS2 obligations — including understanding what measures Article 21 requires and approving the organisation’s approach — sit at personal risk if enforcement escalates to Stage 3.
Public Sector Exception: Government Bodies Face Corrective Orders, Not Fines
Public bodies in Slovakia that fall within NIS2 scope face the same Article 21 security obligations, the same incident reporting deadlines, and the same audit procedures as private entities — but with one significant enforcement carve-out: monetary administrative fines do not apply to government bodies.
The enforcement toolkit NBÚ deploys against public entities relies instead on corrective orders, binding instructions, and — where the public interest warrants it — public disclosure of non-compliance. The operational disruption from a service suspension order is often as effective for a public body as a financial penalty for a private company, particularly for bodies providing essential public services where any suspension carries political and reputational consequences.
This distinction matters for municipalities, state agencies, regional healthcare operators, and other public-sector entities classified as essential operators. Their compliance exposure is real. The absence of monetary fines does not reduce the obligation to implement security measures or report incidents; it removes only one of the enforcement levers NBÚ can deploy against them.
Challenging NBÚ Decisions: The Route Through the Správny súd
NBÚ enforcement decisions — fines, binding instructions, service suspensions, and management prohibitions — are administrative decisions under Slovak law. The path for challenging them follows standard Slovak administrative justice procedure, structured in three stages.
Internal recourse: Slovak administrative procedure law (Act No. 71/1967 Coll. on Administrative Proceedings, supplemented by sector-specific provisions) typically requires an affected party to seek a formal review before proceeding to court. In practice, this means filing a written objection within the period specified in the enforcement decision — typically 15 or 30 days from service. The objection is reviewed within NBÚ or by a designated superior body. If the review upholds the original decision, the judicial route opens.
Judicial review — Správny súd: The entity may then file an administrative action before the competent regional Správny súd (Administrative Court). The court reviews both procedural legality — whether NBÚ followed correct process, gave proper notice, and respected proportionality — and substantive correctness — whether the sanction was proportionate to the actual violation. Proportionality arguments drawing on the Article 32(7) factors of cooperation, duration, and seriousness form the typical foundation for substantive challenges. Courts can annul decisions, reduce fine amounts, or require NBÚ to re-decide.
Cassation — Najvyšší správny súd: An unsuccessful party at the regional level may file a cassation complaint before Slovakia’s Supreme Administrative Court (Najvyšší správny súd), established in 2021. As the highest body in Slovak administrative justice, it sets the precedent that will define the practical limits of NBÚ’s enforcement discretion once NIS2 decisions begin completing the full judicial cycle.
Two practical constraints apply immediately. First, as of mid-2026, no publicly reported NBÚ NIS2 enforcement decisions have completed the full judicial review cycle; the appeals framework is clear, but the actual precedent has not yet emerged. Second, and critically, filing an appeal does not automatically suspend the enforcement decision: suspensive effect (odkladný účinok) must be requested separately and granted by the court. An entity that challenges a binding instruction while remaining in non-compliance is compounding the original violation. Any appeal strategy must be accompanied by parallel remediation, not used as a mechanism to delay implementation.
Enforcement Acceleration: Slovakia’s 2025–2026 Audit Timeline
Slovakia’s enforcement trajectory follows a predictable ramp, driven by three milestones that define the boundaries of NBÚ’s active inspection programme.
- January 2025: Act No. 366/2024 Coll. enters into force, giving NBÚ live enforcement authority over approximately 3,500 organisations
- March 2025: Registration deadline for existing operators — completion of the register enables NBÚ to schedule inspections systematically
- September 2025: Regulation No. 227/2025 Z.z. enters into force, replacing the previous implementing regulation and providing updated technical audit standards for NBÚ inspectors
- December 31, 2026: Full-compliance deadline — after this date, entities can no longer argue they are in transition; legacy control gaps must be closed
The 24-month formal audit requirement means that entities registered in March 2025 face their first compulsory external audit by March 2027. But NBÚ’s powers under Article 32 operate continuously — random checks and ad hoc audits triggered by the registration data, incidents reported through SK-CERT, and third-party notifications run on no fixed schedule. An entity found in material non-compliance during a 2025 random inspection cannot use the 2027 formal audit deadline as a defence for the gap discovered.
Compliance Priorities Before NBÚ Investigates
Three actions reduce enforcement exposure before an NBÚ inspection arrives:
- Verify registration status — entities not in NBÚ’s register at nis2.nbu.gov.sk are in active violation and a priority target for audit scheduling. Registration is the threshold obligation; everything else is secondary.
- Build a documented evidence trail — on-site inspections assess documentation. An organisation with 80% of required controls implemented but no records to demonstrate that implementation is, from NBÚ’s perspective, unimplemented. Risk assessments, security policies, incident logs, and supply chain assessments must exist as retrievable documents, not institutional knowledge.
- Engage the board — director sign-off on security measures, training completion records, and board-level risk register approvals create the management engagement record that counters personal liability exposure and improves the proportionality outcome if enforcement proceeds.
Frequently Asked Questions
Does NBÚ have to issue a warning before imposing a fine?
Slovak law treats the escalation sequence — binding instruction, compliance failure, financial sanction — as standard procedure for persistent non-compliance. NBÚ is not required to exhaust every pre-fine measure in every case, but the proportionality requirement under Article 32(7) means that entities demonstrating good-faith remediation effort receive materially lighter outcomes than those that ignore enforcement contact from the start.
Can NBÚ fine an entity for a cyberattack it suffered?
The NIS2 obligation is to implement appropriate risk-management measures proportionate to the risk — not to guarantee zero incidents. An entity that demonstrates it had documented measures in place, reported the incident within the required 24/72-hour windows to SK-CERT, and cooperated with the response process is unlikely to face a fine following an attack. Enforcement exposure arises when a post-incident review reveals a material absence of required controls — the incident becomes the trigger for discovering the underlying compliance gap.
Do foreign-headquartered entities operating in Slovakia face NBÚ jurisdiction?
Yes. NBÚ’s jurisdiction attaches to entities providing services to recipients in Slovakia that meet the sector and size thresholds under Act No. 366/2024 Coll., regardless of where the entity is headquartered. A German manufacturing group with a Bratislava production facility that meets the essential entity thresholds is subject to NBÚ supervision and the full enforcement escalation described above.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
Amendment to the Cyber Security Act as a result of transposition of the NIS 2 Directive into Slovak law — Lansky Law Firm
NIS 2 and its implementation into Slovak law — Lansky Law Firm
Article 32, NIS2 Directive (EU) 2022/2555 — nis-2-directive.com
Article 33, NIS2 Directive (EU) 2022/2555 — nis-2-directive.com
Article 34, NIS2 Directive (EU) 2022/2555 — nis-2-directive.com
NIS2 directive regulations and implementation in Slovakia — Copla Compliance
NIS 2 Compliance in Slovakia: NBÚ Authority, CSIRT Response, and New Legal Deadlines — ISMS.online
NIS2 in Slovakia: Guide to Zákon o kybernetickej bezpečnosti — Cyberday
NIS2 Directive implementation in Slovakia — European Commission
