Slovenia NIS2 compliance — ZInfV-1 ZVINIS transposition enforced by URSIV and SI-CERT

How Slovenian Organisations Must Comply with NIS2: ZVINIS, SI-CERT Authority, and the Krško Cross-Border Obligation

Slovenia’s NIS2 transposition arrived six months late — and with extra teeth.

The Zakon o informacijski varnosti (ZInfV-1), which entered into force on 19 June 2025, extends NIS2’s 18-sector scope to include research and higher education institutions, simultaneously transposes the Critical Entities Resilience (CER) Directive into the same legislative instrument, and introduces criminal sanctions of up to 15 years for the most serious failures. Approximately 6,000 to 8,000 Slovenian organisations now fall within scope — from manufacturers like Gorenje and Kolektor to public universities to the uniquely complex case of Nuklearna Elektrarna Krško (NEK), the nuclear power plant shared 50/50 with Croatia that creates cross-border NIS2 coordination obligations found nowhere else in the directive’s implementation across Europe.

This guide covers what ZInfV-1 requires, which authorities enforce it, how the three-phase compliance timeline works, and what the Krško cross-border situation means for energy sector compliance planning. For the broader EU-level picture of what the NIS2 Directive requires, see our complete NIS2 guide. For sector-by-sector scope analysis, see who must comply with NIS2.

What Is ZInfV-1 (ZVINIS)? Slovenia’s NIS2 Transposition Law

The Zakon o informacijski varnosti — officially abbreviated ZInfV-1 and informally referenced under the umbrella shorthand ZVINIS — is Slovenia’s primary instrument for transposing the NIS2 Directive into national law. The act entered into force on 19 June 2025, replacing the earlier 2018 cybersecurity law (ZInfV). It goes further than a straight NIS2 transposition: ZInfV-1 simultaneously implements the Critical Entities Resilience (CER) Directive, making Slovenia one of a handful of EU member states to consolidate both instruments into a single legislative act.

The European Commission had issued a reasoned opinion on 7 May 2025 citing Slovenia’s failure to notify full transposition by the October 2024 EU deadline. The National Assembly completed its legislative process in late May–June 2025, with the law entering force approximately three weeks later.

Two structural choices distinguish ZInfV-1 from a minimum-compliance transposition:

  • Expanded sector scope: Research and higher education institutions fall within ZInfV-1’s scope — a category not required by NIS2’s Annex II. This reflects a Slovenian policy choice to bring universities and public research institutes under the same cybersecurity framework as private-sector operators.
  • Consolidated CER obligations: Physical security requirements for critical entities sit alongside cybersecurity obligations in the same act. A manufacturer or energy operator that qualifies as both a NIS2 important entity and a CER critical entity must address both regimes through a single compliance programme.

Does ZInfV-1 Apply to Your Organisation?

ZInfV-1 applies to organisations that are both in a covered sector and meet a minimum size threshold. The NIS2 scope framework divides entities into two tiers with different obligation levels:

Entity type      | Employees / population | Annual turnover | Maximum fine
Essential entity | ≥250                   | ≥€50 million    | €10M or 2% of global turnover
Important entity | ≥50                    | ≥€10 million    | €7M or 1.4% of global turnover
Municipality     | Population >50,000     | N/A             | Administrative orders; fines rare

Either threshold triggers classification — you do not need to meet both. A company with 60 employees and €8 million in turnover is an important entity based on employee count alone.

Covered sectors include all 18 NIS2 sectors — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space (Annex I); plus manufacturing (medical devices, computers, electrical equipment, machinery, motor vehicles), postal services, waste management, chemicals, food production and distribution, digital providers, and — unique to Slovenia — research and higher education institutions.

Quick applicability check: If your organisation operates in any of these sectors and has at least 50 employees or €10 million in annual turnover, assume you are in scope and initiate a formal classification exercise. URSIV was planning a dedicated self-assessment wizard for Q3 2025 — check gov.si for availability.

URSIV and SI-CERT: Slovenia’s Two-Track Authority Model

ZInfV-1 assigns NIS2 oversight to two functionally distinct bodies with no overlap in mandate. Understanding which body handles what is essential before the December 2025 registration deadline.

URSIV — the competent authority and enforcement arm

The Urad Vlade Republike Slovenije za informacijsko varnost (URSIV) — Government Information Security Office — serves as Slovenia’s national competent authority and single point of contact under NIS2. URSIV receives entity self-registrations, conducts risk-based supervisory inspections, issues corrective orders, and imposes administrative sanctions including fines, certificate suspensions, and temporary operating bans. It also represents Slovenia in EU-level bodies including the NIS Cooperation Group and coordinates Slovenia’s position in ENISA working groups. Contact: gp.uiv@gov.si; +386 1 478 4778.

SI-CERT — the national CSIRT for incident handling

The Slovenian Computer Emergency Response Team (SI-CERT) is the designated national CSIRT under ZInfV-1 — the body in-scope entities call when a significant cybersecurity incident occurs. SI-CERT operates within ARNES (the Academic and Research Network of Slovenia), a public institute, which makes it unusual among EU CSIRTs: most are housed within dedicated government agencies rather than academic network organisations. SI-CERT is financed by URSIV and holds Trusted Introducer accreditation, with membership in FIRST, the EU CSIRTs network, and TF-CSIRT.

Under Article 28 of ZInfV-1, SI-CERT’s obligations to in-scope entities include: accepting and triaging significant incident notifications, issuing security warnings and early alerts, sharing vulnerability data with affected system administrators, providing methodological support during active incidents, and coordinating with pan-European CSIRTs on cross-border incidents. Contact: cert@cert.si; +386 1 479 88 22.

SIGOV-CERT — the government-only parallel channel

Organisations within state and local administration do not report incidents to SI-CERT. A separate entity, SIGOV-CERT, handles cybersecurity incidents in government information systems. Organisations that operate systems serving both private-sector clients and public-sector functions should clarify with URSIV which reporting channel governs each system before an incident occurs — resolving this question under time pressure during an active breach is a compliance risk in itself.

AKOS — digital service provider registry

The Agency for Communication Networks and Services (AKOS) maintains the registry specifically for digital service providers — cloud computing services, online marketplaces, search engines, and social networking platforms. Digital service providers register with AKOS, not URSIV. Contact: akos.box@akos-rs.si.

Article 21 Security Requirements Under ZInfV-1

ZInfV-1 adopts NIS2’s Article 21 security framework, requiring in-scope entities to implement measures proportionate to the risks they face. The directive specifies ten mandatory categories that every covered organisation must address:

  1. Risk analysis and information system security policies
  2. Incident handling
  3. Business continuity, backup management, and disaster recovery
  4. Supply chain security — including relationships with direct suppliers and service providers
  5. Security in network and information system acquisition, development, and maintenance
  6. Policies to assess the effectiveness of cybersecurity risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Cryptography and, where appropriate, encryption
  9. Human resources security, access control policies, and asset management
  10. Multi-factor authentication, continuous authentication solutions, and secured communications

The framework is deliberately technology-neutral — ZInfV-1 does not mandate specific products or vendors. Organisations must demonstrate risk-based justification for their chosen controls, which means the documentation of decisions is as important as the decisions themselves.

Board-level governance: ZInfV-1’s explicit requirement

ZInfV-1 makes board-level cybersecurity ownership particularly explicit. Senior leadership must formally approve the organisation’s cybersecurity risk-management programme and oversee its implementation — not delegate it entirely to an IT team or a third-party security provider. Supervisory action can arise from failure to meet governance obligations even if no security incident has occurred. For CISOs seeking board engagement, this statutory obligation is a practical lever: the question is no longer whether management should be involved but what form that involvement must take to satisfy URSIV during a supervisory inspection.

Incident Reporting to SI-CERT: The Three-Stage Timeline

When a significant incident occurs — one that causes or could cause severe service disruption, material financial loss, or damage to third parties — ZInfV-1 requires a staged notification sequence. The 24-hour early warning is not a full incident report; it is designed to give SI-CERT situational awareness so it can alert other entities if the incident indicates a wider threat. Organisations that delay notification while conducting internal investigations risk regulatory action even if the incident itself is handled effectively.

Stage             | Deadline from awareness | Content required                                                                  | Recipient
Early warning     | Within 24 hours         | Incident type, preliminary impact assessment, initial measures taken              | SI-CERT (SIGOV-CERT for government entities)
Full notification | Within 72 hours         | Technical description, affected systems, scope and severity of impact             | SI-CERT
Final report      | Within 1 month          | Root cause analysis, remediation steps, lessons learned; board sign-off required  | SI-CERT

URSIV may issue sector-specific guidance on what constitutes a “significant” incident threshold in energy, healthcare, and financial services — sectors where disruption thresholds are likely to be defined in absolute (not relative) terms. Until such guidance is published, the conservative approach is to treat any incident affecting core service delivery as potentially notifiable and assess downward from there.

The Krško Cross-Border Puzzle

The Nuklearna Elektrarna Krško (NEK) nuclear power plant presents one of the most complex NIS2 jurisdictional questions in Central Europe — and it sits 15 kilometres inside Slovenia’s border.

Joint ownership, single legal domicile

NEK is equally owned — 50% each — by Slovenia’s GEN Energija and Croatia’s HEP Group (Hrvatska elektroprivreda). The plant is the region’s single largest power generator: it supplies more than a quarter of Slovenia’s electricity and approximately 15% of Croatia’s national demand. Both governments hold treaty obligations governing the plant’s operation, decommissioning, and nuclear waste management, formalised in a bilateral agreement that entered into force in 2003.

Despite this binational ownership, NEK is a Slovenian-registered limited liability company (d.o.o.). Its operating licence is held by the Slovenian Nuclear Safety Administration (SNSA), which serves as the primary national regulator. Additional oversight comes from the IAEA, the European Union, and WANO through periodic expert missions.

NIS2 Article 26 jurisdiction analysis

Under Article 26 of the NIS2 Directive, an entity falls under the jurisdiction of the member state where it is established — meaning where it is legally registered and where cybersecurity risk-management decisions are predominantly taken. NEK satisfies both criteria for Slovenia: it is registered as a Slovenian company, its operational headquarters are in Slovenia, and its licensing and regulatory relationships are Slovenian. Under ZInfV-1, NEK therefore registers with URSIV and reports incidents to SI-CERT. Croatia’s 50% ownership stake does not shift jurisdiction to Croatian NIS2 authorities.

The cross-border coordination obligation

What makes Krško genuinely unusual is not the jurisdictional question — it is the cross-border incident coordination obligation that flows from its binational operational impact. A cybersecurity incident at NEK that disrupts electricity supply would simultaneously affect both Slovenia and Croatia. Under NIS2’s cross-border incident notification protocols and the ENISA-coordinated EU CSIRT network arrangements, SI-CERT would be required to share incident information with Croatia’s designated CSIRT (CERT.hr). This is an operational planning requirement, not merely a regulatory formality.

NEK’s incident response programme must therefore specify two distinct tracks: how the plant’s security team notifies and works with SI-CERT (the Slovenian NIS2 obligation), and how SI-CERT’s cross-border notification duties fit into the plant’s crisis communications workflow with Croatian counterparts. The Krško case illustrates a broader principle for any Slovenian entity with significant operations in another EU member state: single-jurisdiction NIS2 registration does not eliminate cross-border coordination obligations — it creates them.

Manufacturing in Slovenia: Who Falls Under ZInfV-1?

Manufacturing is classified as an important sector under NIS2 Annex II. Slovenian manufacturers meeting the size threshold — at least 50 employees or €10 million in annual turnover — fall within ZInfV-1’s scope as important entities. For manufacturers at or above 250 employees or €50 million turnover, essential-entity obligations apply with higher penalty exposure.

Two well-known Slovenian manufacturers illustrate the compliance landscape:

  • Gorenje (Hisense subsidiary), headquartered in Velenje, manufactures home appliances for European and global markets. With a Slovenian workforce exceeding the essential-entity employee threshold and a product line increasingly built around internet-connected devices, Gorenje faces obligations under both Article 21’s supply chain security requirement (review of component and software vendors) and its secure development provisions (security in the product development lifecycle). Integration into the Hisense group supply chain adds multinational vendor-risk assessment complexity.
  • Kolektor Group, based in Idrija, produces automotive and industrial components across 13 countries. Its operational technology (OT) systems — managing assembly lines, quality control, and inventory — are increasingly networked with enterprise IT infrastructure, creating the OT/IT boundary risk that ZInfV-1’s technical compliance requirements specifically target.

Beyond sector classification, Slovenian manufacturers should focus on three ZInfV-1 priority areas before the October 2026 organisational compliance deadline:

  1. OT/IT network segmentation: Industrial control systems must be isolated from enterprise IT networks where feasible, with documented compensating controls where segmentation is not technically practical. URSIV supervisory inspections are expected to scrutinise OT/IT boundary security specifically.
  2. Supply chain security reviews: Periodic assessments of third-party hardware and software vendors are required under Article 21(2)(d), with particular attention to firmware in industrial control systems and embedded software in connected components.
  3. Technical validation for essential-tier manufacturers: For manufacturers that qualify as essential entities, URSIV guidance references penetration testing and red-team exercises as part of the Article 21 requirement to assess the effectiveness of security measures.

Your ZInfV-1 Compliance Roadmap

ZInfV-1’s compliance obligations run in three sequential phases. Missing the registration deadline does not extend the later milestones — all three deadlines count from the law’s 19 June 2025 entry-into-force date, not from when an organisation discovers its obligation.

Phase                         | Deadline         | Key obligations                                                                                                      | Authority
1 — Registration              | 19 December 2025 | Self-register as essential or important entity; provide contact details for incident notifications                  | URSIV (or AKOS for digital service providers)
2 — Organisational compliance | October 2026     | Governance framework, risk assessments, security policies, board approval, supplier contract clauses, incident response plan | URSIV (via supervisory inspection)
3 — Technical compliance      | October 2027     | Technical controls: OT/IT segmentation, MFA deployment, encryption, centralised logging, security testing           | URSIV (via supervisory inspection)

Priority actions before 19 December 2025:

  1. Classify your entity as essential or important using the sector list and size thresholds above — document your reasoning
  2. Map which of your systems and services fall within ZInfV-1’s scope (network and information systems essential to service delivery)
  3. Designate an incident notification contact for SI-CERT and establish the internal escalation chain before an incident occurs
  4. Obtain board-level sign-off on the compliance programme — this governance obligation applies from day one, not from the October 2026 deadline

Penalties and Enforcement Under ZInfV-1

Entity type            | Maximum administrative fine                                         | Additional sanctions
Essential entities     | €10 million or 2% of global annual turnover (whichever is higher)   | Certificate suspension, temporary operating ban, management liability, corrective orders
Important entities     | €7 million or 1.4% of global annual turnover (whichever is higher)  | Corrective orders, public transparency obligations
Public sector entities | Administrative fines less common                                    | Management prohibitions, tender exclusion, public transparency orders

Beyond financial sanctions, ZInfV-1 introduces criminal liability — with imprisonment of up to 15 years in the most serious cases. This is among the most severe criminal provisions attached to any EU cybersecurity transposition, reflecting the Slovenian legislature’s decision to treat critical infrastructure security failures as potentially equivalent in gravity to other serious criminal offences. CISOs and senior managers at essential entities should note that personal criminal liability may attach to individual decision-makers who deliberately or negligently fail to implement required measures — not only to the organisation as a legal entity.

Frequently Asked Questions

Is SI-CERT the same body as URSIV?
No. URSIV is the regulatory authority — it enforces compliance, receives registrations, and imposes administrative sanctions. SI-CERT is the operational CSIRT — it receives incident notifications, provides technical assistance during active incidents, and shares threat intelligence with the European CSIRT network. Think of URSIV as the regulator and SI-CERT as the 24/7 incident response contact. They are separate organisations with separate mandates.

We have operations in both Slovenia and Croatia. Which NIS2 authority governs us?
Jurisdiction under Article 26 of NIS2 is determined by the location of your main establishment — where cybersecurity decisions are predominantly made and documented. If that is Slovenia, you register with URSIV and report to SI-CERT under ZInfV-1. If it is Croatia, the Croatian Cybersecurity Act (ZKS) and Croatian authorities apply. Entities with genuinely distributed governance should seek legal advice on establishing a documentable main establishment before the December 2025 registration deadline, since the registration itself constitutes a jurisdictional declaration.

Does ZInfV-1 apply to Slovenian public universities?
Yes. Unlike the NIS2 baseline, ZInfV-1 includes research and higher education institutions within scope. Universities and public research institutes meeting the size threshold must register with URSIV, implement Article 21 security measures, and comply with SI-CERT incident reporting obligations. This was a deliberate legislative expansion beyond what NIS2 required — universities cannot argue exemption on the basis that the EU directive did not include them.

When is the self-registration deadline for organisations already in scope?
Organisations that fell within ZInfV-1’s scope on its entry-into-force date (19 June 2025) must self-register with URSIV (or AKOS, for digital service providers) by 19 December 2025. Organisations that become in scope after that date must register within 30 days of falling under the law’s application.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

[Infographic: How Slovenian Organisations Must Comply with NIS2 — key facts visualised. Source: nis-2-templates.com]

