Critical Infrastructure Protection
Critical Infrastructure Protection at the European Union Level
Member States of the European Union have the obligation to transpose and implement European Union legislation into their national law, specifically Directive of the European Parliament and of the Council (EU) 2022/2557 of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC on the identification and designation of European critical infrastructures (CER Directive), which is supplemented by Commission Delegated Regulation (EU) 2023/2450 of 25 July 2023 supplementing Directive (EU) 2022/2557 of the European Parliament and of the Council by establishing a list of essential services necessary for the maintenance of vital societal functions or economic activities. The goal of the CER Directive for the Slovak Republic is to ensure the provision of essential services in the market in an uninterrupted manner to increase the resilience of critical entities providing such services.
Translation:
Transposition of the CER Directive resulted in...
🔹 CHANGED the philosophy from protection of critical infrastructure elements to resilience of critical entities operating critical infrastructure and ensuring continuity of essential service delivery
🔹 REPEALED Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection
🔹 HARMONIZED minimum rules for EU Member States and measures for critical entities
Given the constantly increasing risks of cyber attacks, which are often linked to attacks on critical infrastructure, and also to increase the security of IT systems, financial markets, and data protection, the following regulations have been adopted at the European level: Regulation of the European Parliament and of the Council (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA Regulation) and Directive of the European Parliament and of the Council (EU) 2022/2555 on measures to ensure a high common level of cybersecurity across the Union (NIS2 Directive). European legislation creates close synergies and aims to increase the common resilience of financial, key, important, and critical entities while reducing the duplicate burden placed on the business environment.
Critical Infrastructure Protection at the Slovak Republic Level
The current geopolitical context is characterized by an escalating number of extraordinary events, also related to climate change, shortage of drinking water, escalating number of incidents on critical infrastructure, growing instability due to military conflict (between Russia and Ukraine) or recurring migration crises, the still lingering effects of the COVID-19 pandemic, and last but not least, the ever-increasing number of hybrid activities on a global scale. In this sequence of events, there is a higher degree of consistency in the need for citizens and state administration bodies to rely on critical infrastructure and the uninterrupted provision of essential services by critical entities. Such services are key to preserving vital societal functions, economic activities, public health, safety, or the environment and should be provided in an uninterrupted manner in the internal market. From the above, there is a need to ensure the resilience of critical entities providing these services. The Slovak Republic must take measures to strengthen such resilience and mitigate any disruptions in the provision of essential services. Such disruptions can otherwise have serious consequences not only for the citizens of the Slovak Republic but also the European Union, our economy, and confidence in our democratic system, where threats can affect the functioning of the market, especially in the context of growing interdependence between sectors within the state and across borders.
Translation:
INTERDEPENDENCE between SECTORS and SUBSECTORS
🔹 PROTECTION of critical infrastructure + CONTINUITY of essential service delivery = RESILIENCE
1. In an increasingly interconnected world, resilience to threats to the security environment has become a priority.
2. The security environment includes various critical aspects including physical infrastructure, IT systems, personnel, and sensitive data.
3. Protecting this environment requires a comprehensive approach addressing potential threats and vulnerabilities.
Sectors/Subsectors listed: Gas and Oil; Transport; Banking; Financial Market Infrastructure; Digital Infrastructure; Public Administration; Environment; Food; Space; Healthcare; Electricity
SR Legislation
The Slovak Republic completed the transposition process of the CER Directive by publishing ACT NO. 367/2024 Coll. ON CRITICAL INFRASTRUCTURE AND ON AMENDMENTS TO CERTAIN ACTS effective from January 1, 2025, in the Collection of Laws of the Slovak Republic. The Critical Infrastructure Act assesses the risks and importance of the resilience of critical entities that continuously ensure the provision of essential services through the protection of their critical infrastructures. The security environment and risk assessment include all elements that contribute to the resilience of critical entities and the stability of providing essential services. These include physical assets such as buildings, facilities, and equipment, as well as intangible assets such as information, data, and personnel. Awareness of the interconnectedness of these elements is key to developing effective security measures.
Identification of a Critical Entity
Essential service is a new term introduced by the CER Directive into national legislation. Not every provider of an essential service will also be a critical entity, but only one that will be identified as a critical entity based on the law directly by the central authority. The law does not establish a reporting obligation or an obligation for critical entities to "self-identify".
Translation:
Am I a CRITICAL ENTITY?
- Do I provide at least one essential service according to Annex No. 1 of Act No. 367/2024 Coll. on critical infrastructure and on amendments and supplements to certain acts?
✅ YES ↓ ❌ NO → You are not a critical entity
- Is my critical infrastructure, through which I provide the essential service, located within the territory of the Slovak Republic?
✅ YES ↓ ❌ NO → You are not a critical entity
- Do I meet the final criterion¹ so that the central state authority can identify me as a critical entity?
✅ YES → You will be notified by the central authority no later than July 17, 2026 📄 The list of critical entities will be published after July 17, 2026
Contacts for further information
PhDr. František Hajduk, PhD. – department of international cooperation
email address: frantisek.hajduk@minv.sk
tel.: +421 (2) 4859 3016
Ing. Veronika Hurychová – department of international cooperation
email address: veronika.hurychova@minv.sk
tel.: +421 (2) 4859 3266
Source: „Ochrana kritickej infraštruktúry.“ minv, April 13, 2025. https://www.minv.sk/?Ochrana_kritickej_infrastruktury_1.
Accessed 13. 4. 2025
Asociácia kritickej infraštruktúry SR rokuje o financovaní nákladov na odolnosť kritických subjektov
