Companies in Slovakia, as elsewhere, face increasingly sophisticated cyber threats that can jeopardize their daily operations, customer trust, partnerships, and even the very existence of their business. In response, the EU has introduced the NIS II (Network and Information Security) Directive. This Directive significantly changes the cybersecurity obligations of Slovak companies. How should they prepare for these changes?

One of the key changes in NIS II is the expansion of its scope to many more sectors and types of companies. The obligation to secure the company against attacks will therefore apply to far more businesses than before.

Target of attack – “data is gold”

Businesses today handle vast amounts of sensitive data (e.g., financial data, patents, or business plans) in their daily operations. Without adequate protection, such data can easily be misused, leading to theft of funds, extortion (e.g., through ransomware), or, in extreme cases, business interruption. Companies involved in innovation, product development, or technology should treat cybersecurity and the protection of their intellectual property as a priority.

The threat of becoming the victim of an attack affects not only large international corporations but also small and medium-sized enterprises, which may be perceived as easier targets with weaker protection. The three best-known categories of cyberattack are malware attacks (including ransomware), phishing attacks that exploit the human factor, and DDoS attacks aimed at making internet services unavailable.

In 2024, the frequency and sophistication of ransomware increased dramatically. Attackers are increasingly targeting high-value sectors such as critical infrastructure, healthcare, telecommunications, and financial services. For perspective, in July 2024 several insurers reported a nearly 50% increase in attacks compared to 2023. The year 2024 also saw an unprecedented level of ransom demands. The average ransom payment per attack exceeded $5.2 million, driven in part by a record payment of $75 million in March 2024. These were the interim results published on the website of TRM, a company specialising in blockchain analytics and attack countermeasures.

However, it is small and medium-sized enterprises that most often face existential problems as a result of ransomware. The reason is not only the high ransom amounts but also the operational paralysis caused by attacks on their systems. Globally, small and medium-sized enterprises (in these figures, companies with fewer than 1,000 employees) are the target of approximately 46% of all cyberattacks, with phishing being the most common type of attack.

Moreover, 47% of enterprises with fewer than 50 employees have no real budget allocated for cybersecurity. Worse still, the same figures indicate that 51% of small enterprises have not put the necessary cybersecurity measures into practice.

With the growing popularity of AI tools and the availability of language models such as ChatGPT, MS Copilot, or Grok, new opportunities have opened up for attackers. These tools improve the wording of phishing emails, automate various phases of phishing campaigns, and generate convincing content in many languages. The sophistication of attacks is also increasing due to purpose-built underground models such as WormGPT. Unlike mainstream AI models, which include safety measures and content filters, WormGPT lacks these restrictions, allowing attackers to create malicious content without any ethical or safety constraints.

Compliance with the legal regulatory framework

In response to these challenges, the EU has legislated more actively than most of the world. Among several new pieces of digital regulation, the revised NIS II (Network and Information Security) Directive has been introduced to strengthen cybersecurity across the EU. Once transposed into national law, this Directive significantly changes the cybersecurity obligations of Slovak companies.

The NIS II Directive builds on the original NIS Directive (from 2016) and expands the framework for network and information systems security across the EU. The goal is to enhance the resilience of critical infrastructure and the digital economy against cyberattacks throughout the EU.

One of the key changes in NIS II is the expansion of its scope to many more sectors and types of companies (including a deeper reach within the original sectors). In addition to the original areas of energy, healthcare, transport, and digital infrastructure, the new obligations will also apply to companies in water supply and wastewater, public administration, space, waste management, postal services, food production, and manufacturing (including chemical production). NIS II also introduces stricter requirements for incident reporting, risk management, and the cybersecurity responsibilities of company management.

Changes in regulation also in Slovakia

Slovak companies falling within the scope of the NIS II Directive must take action. The transposition of NIS II into national law, in the form of an amendment to the Cybersecurity Act, was approved by the National Council of the Slovak Republic at the end of November 2024. Within the statutory time limit, businesses that meet the revised definition of an essential service provider (ESP), are designated by law, and are registered in the ESP register will be required to adopt appropriate measures to manage cyber risks and protect their critical systems.

Implementation of security measures

Companies will be obliged to implement adequate technical, organizational, and personnel measures to protect their information systems. These measures include controlling access to sensitive company data and systems (including multi-factor authentication, which the Directive explicitly names), securing networks, regular vulnerability testing, data encryption, and backups.

Risk management

Companies will be obliged to regularly analyse and assess cybersecurity risks. This assessment identifies weaknesses in their systems and allows effective measures to be adopted to remove or mitigate them.

Incident reporting

Notification obligations also change. The Directive introduces staged reporting of significant incidents: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. This early-warning system helps mitigate the impact of attacks on critical infrastructure and supports coordination between the public and private sectors, as well as among EU Member States.

Audit and oversight

Companies will also be obliged to regularly assess the resilience of their systems, either through self-assessment or third-party audits.

Challenges for Slovak companies

These changes naturally bring many challenges. Implementing new measures and technologies can be expensive, especially for small enterprises. The costs include not only the purchase of technology but also outsourcing of duties that the business cannot fulfil itself.

Proper identification and management of cyber risks can also be complex for small enterprises. It is therefore worth considering expert consultations or outsourcing selected cybersecurity tasks. One reason is that non-compliance with the legal requirements exposes the business to high fines and other sanctions: for administrative offences such as failing to implement and adhere to security measures, the regulator may impose a fine of up to EUR 7,000,000 or up to 1.4% of the ESP's global annual turnover, whichever is higher. For an ESP operating a critical essential service, the fine can reach EUR 10,000,000 or 2% of total annual turnover, again whichever is higher.

Implementing legal requirements also brings many benefits to companies. Implementing cybersecurity measures reduces the risk of a successful attack and increases resilience to potential cyber threats.

Within sectoral regulation, the required level of security may also be passed down indirectly: an obliged entity will typically demand it from its suppliers through contractual provisions, so even companies outside the scope of the law may have to meet it to keep their customers. The implemented measures thus increase the credibility of your company in the eyes of business partners. Compliance with the legal framework also reduces the risk of sanctions and fines, improves the company's reputation, and ultimately opens doors to collaboration across the EU, whose regulation in this area is harmonized.

How not to miss the train

It is crucial for companies to start preparing for the new requirements as soon as possible. The list of requirements for an individual entity is extensive and depends on its sector and on the significance the regulation assigns to it. The first step should be an audit of current security measures to identify weaknesses. This audit should also include a risk and threat analysis.

Cybersecurity is not just a matter of technology but also of people. Employees are the most vulnerable link in the security chain. Training employees in security practices, such as recognising phishing attacks, using strong passwords, and handling sensitive data correctly, as well as in the company's own security policies and measures, is essential. The training must be refreshed regularly and kept in line with legal requirements.

For companies without internal cybersecurity experts, it is advisable to collaborate with external consultants or cybersecurity service providers.

Data backups and recovery plans for use after an attack are key to minimizing damage in the event of a cyberattack. When backing up, it is good practice to follow the 3-2-1 rule: keep three copies of the data you want to protect, on two different types of storage media, with one copy offsite. A backup that has never been restored is not known to work, so restores should be tested regularly.
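The following is an added example, not part of the original article, showing how a company can check its own backup inventory against the 3-2-1 rule described above. The inventory format, the asset names and every backup record in it are constructed for illustration. It goes slightly beyond the bare rule in two ways a practitioner would want: copies older than a configurable age are ignored, and at least one recent copy must have a verified test restore.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example; the inventory format and all records below are constructed
for illustration and do not come from the original article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    asset: str                    # what is backed up, e.g. "erp-db"
    medium: str                   # "disk", "tape", "object-storage", ...
    location: str                 # site identifier
    offsite: bool                 # stored away from the primary site
    taken_at: datetime            # when the copy was made (UTC)
    restore_tested: bool = False  # a test restore from this copy succeeded


def check_321(copies, max_age=timedelta(days=7), now=None):
    """Return a dict of violations for one asset's copies; empty means compliant.

    Rule checks: at least 3 copies, on at least 2 media types, at least 1
    offsite. Copies older than max_age are ignored because a stale copy
    does not protect current data. The extra 'restore' check is this
    example's own addition, not part of the 3-2-1 rule itself.
    """
    now = now or datetime.now(timezone.utc)
    fresh = [c for c in copies if now - c.taken_at <= max_age]
    problems = {}
    if len(fresh) < 3:
        problems["copies"] = f"{len(fresh)} recent copies, need 3"
    media = {c.medium for c in fresh}
    if len(media) < 2:
        problems["media"] = f"only {sorted(media)} media, need 2 types"
    if not any(c.offsite for c in fresh):
        problems["offsite"] = "no recent offsite copy"
    if not any(c.restore_tested for c in fresh):
        problems["restore"] = "no recent copy has a verified restore"
    return problems


def audit(inventory, max_age=timedelta(days=7), now=None):
    """Group an inventory by asset and check each asset separately."""
    by_asset = {}
    for c in inventory:
        by_asset.setdefault(c.asset, []).append(c)
    return {a: check_321(cs, max_age, now) for a, cs in by_asset.items()}


# Constructed sample data: a fixed "now" so results are reproducible.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
D = timedelta(days=1)
SAMPLE_INVENTORY = [
    # erp-db: 3 recent copies, disk + tape + object storage, one offsite, one tested
    BackupCopy("erp-db", "disk", "site-A", False, NOW - 1 * D, restore_tested=True),
    BackupCopy("erp-db", "tape", "site-A", False, NOW - 2 * D),
    BackupCopy("erp-db", "object-storage", "cloud-eu", True, NOW - 1 * D),
    # file-share: two recent disk copies at the same site, offsite copy is 30 days old
    BackupCopy("file-share", "disk", "site-A", False, NOW - 2 * D, restore_tested=True),
    BackupCopy("file-share", "disk", "site-A", False, NOW - 1 * D),
    BackupCopy("file-share", "object-storage", "cloud-eu", True, NOW - 30 * D),
]


def audit_sample():
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_INVENTORY, now=NOW)


if __name__ == "__main__":
    for asset, problems in audit_sample().items():
        status = "OK" if not problems else "; ".join(problems.values())
        print(f"{asset}: {status}")
```

Run on the sample data, "erp-db" passes and "file-share" fails on copies, media and offsite, which is the typical shape of a company that has "backups" but no real 3-2-1 coverage. A related caveat for the ransomware scenario above: attackers routinely delete or encrypt backups they can reach over the network, so the offsite copy should be offline or immutable, otherwise it only satisfies the rule on paper.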

NIS II brings new challenges and, through its transposition into national legislation, also opportunities for Slovak companies. Investing promptly in protecting company systems and data can pay off later in the form of avoided repair costs and reputational damage. The strict rules (the NIS II Directive and the amendment to the Cybersecurity Act) should be seen as tools for increasing resilience to threats and as a step towards a safer digital future in the EU. Slovak companies that comply with these new standards will gain a competitive advantage and better protection against growing cyber threats.