Critical Infrastructure Protection

13. apríla 2025

Critical Infrastructure Protection at the European Union Level

Member States of the European Union have the obligation to transpose and implement European Union legislation into their national law, specifically Directive of the European Parliament and of the Council (EU) 2022/2557 of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC on the identification and designation of European critical infrastructures (CER Directive), which is supplemented by Commission Delegated Regulation (EU) 2023/2450 of 25 July 2023 supplementing Directive (EU) 2022/2557 of the European Parliament and of the Council by establishing a list of essential services necessary for the maintenance of vital societal functions or economic activities. The goal of the CER Directive for the Slovak Republic is to ensure the provision of essential services in the market in an uninterrupted manner to increase the resilience of critical entities providing such services.

Translation:

Transposition of the CER Directive resulted in...

🔹 CHANGED the philosophy from protection of critical infrastructure elements to resilience of critical entities operating critical infrastructure and ensuring continuity of essential service delivery

🔹 REPEALED Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection

🔹 HARMONIZED minimum rules for EU Member States and measures for critical entities

Given the constantly increasing risks of cyber attacks, which are often linked to attacks on critical infrastructure, and also to increase the security of IT systems, financial markets, and data protection, the following regulations have been adopted at the European level: Regulation of the European Parliament and of the Council (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA Regulation) and Directive of the European Parliament and of the Council (EU) 2022/2555 on measures to ensure a high common level of cybersecurity across the Union (NIS2 Directive). European legislation creates close synergies and aims to increase the common resilience of financial, key, important, and critical entities while reducing the duplicate burden placed on the business environment.

Critical Infrastructure Protection at the Slovak Republic Level

The current geopolitical context is characterized by an escalating number of extraordinary events, also related to climate change, shortage of drinking water, escalating number of incidents on critical infrastructure, growing instability due to military conflict (between Russia and Ukraine) or recurring migration crises, the still lingering effects of the COVID-19 pandemic, and last but not least, the ever-increasing number of hybrid activities on a global scale. In this sequence of events, there is a higher degree of consistency in the need for citizens and state administration bodies to rely on critical infrastructure and the uninterrupted provision of essential services by critical entities. Such services are key to preserving vital societal functions, economic activities, public health, safety, or the environment and should be provided in an uninterrupted manner in the internal market. From the above, there is a need to ensure the resilience of critical entities providing these services. The Slovak Republic must take measures to strengthen such resilience and mitigate any disruptions in the provision of essential services. Such disruptions can otherwise have serious consequences not only for the citizens of the Slovak Republic but also the European Union, our economy, and confidence in our democratic system, where threats can affect the functioning of the market, especially in the context of growing interdependence between sectors within the state and across borders.

Translation:

INTERDEPENDENCE between SECTORS and SUBSECTORS

🔹 PROTECTION of critical infrastructure + CONTINUITY of essential service delivery = RESILIENCE

1. In an increasingly interconnected world, resilience to threats to the security environment has become a priority.

2. The security environment includes various critical aspects including physical infrastructure, IT systems, personnel, and sensitive data.

3. Protecting this environment requires a comprehensive approach addressing potential threats and vulnerabilities.

Sectors/Subsectors listed: Gas and Oil; Transport; Banking; Financial Market Infrastructure; Digital Infrastructure; Public Administration; Environment; Food; Space; Healthcare; Electricity

SR Legislation

The Slovak Republic completed the transposition process of the CER Directive by publishing ACT NO. 367/2024 Coll. ON CRITICAL INFRASTRUCTURE AND ON AMENDMENTS TO CERTAIN ACTS effective from January 1, 2025, in the Collection of Laws of the Slovak Republic. The Critical Infrastructure Act assesses the risks and importance of the resilience of critical entities that continuously ensure the provision of essential services through the protection of their critical infrastructures. The security environment and risk assessment include all elements that contribute to the resilience of critical entities and the stability of providing essential services. These include physical assets such as buildings, facilities, and equipment, as well as intangible assets such as information, data, and personnel. Awareness of the interconnectedness of these elements is key to developing effective security measures.

Identification of a Critical Entity

Essential service is a new term introduced by the CER Directive into national legislation. Not every provider of an essential service will also be a critical entity, but only one that will be identified as a critical entity based on the law directly by the central authority. The law does not establish a reporting obligation or an obligation for critical entities to "self-identify".

Translation:

Am I a CRITICAL ENTITY?

  1. Do I provide at least one essential service according to Annex No. 1 of Act No. 367/2024 Coll. on critical infrastructure and on amendments and supplements to certain acts?

✅ YES ↓                                                                                                                                                                         ❌ NO → You are not a critical entity

  1. Is my critical infrastructure, through which I provide the essential service, located within the territory of the Slovak Republic?

✅ YES ↓                                                                                                                                                                          ❌ NO → You are not a critical entity

  1. Do I meet the final criterion¹ so that the central state authority can identify me as a critical entity?

✅ YES → You will be notified by the central authority no later than July 17, 2026 📄 The list of critical entities will be published after July 17, 2026

Contacts for further information

PhDr. František Hajduk, PhD. – department of international cooperation
email address: frantisek.hajduk@minv.sk
tel.: +421 (2) 4859 3016

Ing. Veronika Hurychová – department of international cooperation
email address: veronika.hurychova@minv.sk
tel.: +421 (2) 4859 3266

Source: „Ochrana kritickej infraštruktúry.“ minv, April 13, 2025. https://www.minv.sk/?Ochrana_kritickej_infrastruktury_1.

Accessed 13. 4. 2025

Stanovisko Asociácie kritickej infraštruktúry SR Reakcia na článok Denníka E z 30. apríla 2026

1. mája 2026
Asociácia kritickej infraštruktúry SR (ďalej len „asociácia") považuje za potrebné reagovať na článok publikovaný v Denníku E, ktorý vo viacerých bodoch nepresne interpretuje činnosť asociácie, jej členskú základňu, ako aj povahu projektov realizovaných niektorými členskými subjektmi. Nižšie uvádzame vecné stanovisko k jednotlivým tvrdeniam.

Introducing the sectors of critical infrastructure: Finance

30. apríla 2026
The area of critical infrastructure in the Slovak Republic is regulated by Act No. 367/2024 Coll. on Critical Infrastructure and on the Amendment and Supplementation of Certain Acts, which defines the individual sectors, sub-sectors and essential services necessary for the functioning of the state. The Critical Infrastructure Association of the Slovak Republic gradually presents the individual sectors with the aim of bringing closer their importance, their functioning and their impacts on the everyday life of society. This time we focus on the finance sector.

Predstavujeme sektory kritickej infraštruktúry: Financie

30. apríla 2026
Oblasť kritickej infraštruktúry v Slovenskej republike upravuje zákon č. 367/2024 Z. z. o kritickej infraštruktúre a o zmene a doplnení niektorých zákonov, ktorý definuje jednotlivé sektory, podsektory a základné služby nevyhnutné pre fungovanie štátu. Asociácia kritickej infraštruktúry Slovenskej republiky postupne predstavuje jednotlivé sektory s cieľom priblížiť ich význam, fungovanie a dopady na každodenný život spoločnosti. Tentokrát sa zameriame na sektor financií .

From a Vilnius Warehouse to the Leipzig DHL Ramp: A Trial That Is Changing the View on the Protection of European Logistics Infrastructure

29. apríla 2026
On 17 April 2026, a trial began at the District Court in Vilnius that is shifting the European debate on the protection of critical infrastructure from the technical level to a very concrete one. Five men are charged with sending, in July 2024, in cooperation with the Special Tasks Department of the Russian military intelligence service GRU, incendiary parcels via DHL and DPD from Vilnius to the air hub in Leipzig, to Poland and to the United Kingdom. The head of the German counter-intelligence service BfV stated that only a flight delay prevented an in-flight detonation that could have destroyed a cargo aircraft. 

Z vilniuského skladu na rampu lipského DHL: proces, ktorý mení pohľad na ochranu európskej logistickej infraštruktúry

29. apríla 2026
Na Okresnom súde vo Vilniuse sa 17. apríla 2026 začal proces, ktorý posúva európsku diskusiu o ochrane kritickej infraštruktúry z roviny technickej do roviny veľmi konkrétnej. Päť mužov je obvinených z toho, že v júli 2024 v spolupráci s Oddelením špeciálnych úloh ruskej vojenskej spravodajskej služby GRU posielali zápalné zásielky cez DHL a DPD z Vilniusu do leteckého uzla v Lipsku, do Poľska a do Veľkej Británie. Šéf nemeckej kontrarozviedky BfV uviedol, že len omeškanie letu zabránilo detonácii vo vzduchu, ktorá mohla zničiť dopravné lietadlo.

Cyber Resilience Act enters the operational phase: what was said at KYBER2026 and what Slovakia must complete before 11 September 2026

28. apríla 2026
The KYBER2026 conference of the National Security Authority and SK-CERT, held on 27 and 28 April 2026 at Hotel Sitno Vyhne, confirmed what operators of essential services and critical entities had already suspected since the beginning of the year. 2026 is not a year of preparation — it is a year of demonstrable functionality. At the centre stands Regulation (EU) 2024/2847 of the European Parliament and of the Council on cyber resilience, which reaches its first hard milestone on 11 September 2026: mandatory reporting of actively exploited vulnerabilities and significant incidents through ENISA's Single Reporting Platform.

Cyber Resilience Act vstupuje do prevádzkovej fázy: čo zaznelo na KYBER2026 a čo musí Slovensko stihnúť do 11. septembra 2026

28. apríla 2026
Konferencia KYBER2026 Národného bezpečnostného úradu a SK-CERT, ktorá sa konala 27. a 28. apríla 2026 v hoteli Sitno Vyhne, potvrdila to, čo prevádzkovatelia základných služieb a kritických subjektov tušili už od začiatku roka. Rok 2026 nie je rokom prípravy, ale rokom preukázateľnej funkčnosti. V centre stojí nariadenie Európskeho parlamentu a Rady číslo 2024/2847 o kybernetickej odolnosti, ktoré dosiahne 11. septembra 2026 prvý ostrý míľnik, povinné hlásenie aktívne zneužívaných zraniteľností a závažných incidentov cez Single Reporting Platform agentúry ENISA.

Memorandum between the Critical Infrastructure Association of the SR and Slovak Investment Holding opens space for sustainable investments in critical infrastructure

24. apríla 2026
The Critical Infrastructure Association of the Slovak Republic (AKI SR) and Slovak Investment Holding, a. s. concluded a memorandum of cooperation on 23 April 2026, the aim of which is to create a framework for the support of investments and the financing of projects in the field of critical infrastructure in Slovakia. The memorandum confirms the shared interest of both parties in developing strategic, developmental and innovation projects with a focus on increasing the resilience of critical infrastructure and securing essential services. The cooperation will concentrate in particular on the identification of suitable projects, the exchange of expert knowledge, as well as the interconnection of public and private sources of financing. An important part of the cooperation is also the use of expert capacities and practical experience in the preparation and implementation of projects, in particular in the areas of infrastructure and innovation. “We see room for projects that will have a long-term impact and, at the same time, financial sustainability. In areas of public interest, such as critical infrastructure or innovation, we can bring knowledge of the environment, the identification of projects and the interconnection of partners, so that high-quality and feasible solutions come into being,” stated Tibor Straka, President of AKI SR. According to his words, it is crucial that the cooperation brings concrete results: “It is important for us that this cooperation is sustainable in the long term and brings measurable results that will have a real benefit for Slovak critical infrastructure.” At the same time, the memorandum creates space for systematic expert cooperation, consultations and further joint activities aimed at the support of investments and the development of critical infrastructure. Both parties declare their interest in actively participating in projects that will contribute to the modernisation of infrastructure, the more efficient use of resources and the strengthening of the investment environment in Slovakia.

Memorandum medzi Asociáciou kritickej infraštruktúry SR a Slovak Investment Holding otvára priestor pre udržateľné investície do kritickej infraštruktúry

24. apríla 2026
Asociácia kritickej infraštruktúry Slovenskej republiky (AKI SR) a Slovak Investment Holding, a. s. uzavreli 23. apríla 2026 memorandum o spolupráci, ktorého cieľom je vytvoriť rámec pre podporu investícií a financovanie projektov v oblasti kritickej infraštruktúry na Slovensku. Memorandum potvrdzuje spoločný záujem oboch strán rozvíjať strategické, rozvojové a inovačné projekty so zameraním na zvýšenie odolnosti kritickej infraštruktúry a zabezpečenie základných služieb. Spolupráca sa bude sústreďovať najmä na identifikáciu vhodných projektov, výmenu odborných poznatkov, ako aj prepájanie verejných a súkromných zdrojov financovania. Dôležitou súčasťou spolupráce je aj využitie odborných kapacít a praktických skúseností pri príprave a realizácii projektov, najmä v oblastiach infraštruktúry a inovácií. „ Vidíme priestor pre projekty, ktoré budú mať dlhodobý dopad a zároveň finančnú udržateľnosť. V oblastiach verejného záujmu, ako sú kritická infraštruktúra či inovácie, vieme priniesť znalosť prostredia, identifikáciu projektov a prepájanie partnerov tak, aby vznikali kvalitné a realizovateľné riešenia,“ uviedol prezident AKI SR Tibor Straka. Podľa jeho slov je kľúčové, aby spolupráca prinášala konkrétne výsledky: „Je pre nás dôležité, aby táto spolupráca bola dlhodobo udržateľná a prinášala merateľné výsledky, ktoré budú mať reálny prínos pre slovenskú kritickú infraštruktúru.“  Memorandum zároveň vytvára priestor pre systematickú odbornú spoluprácu, konzultácie a ďalšie spoločné aktivity zamerané na podporu investícií a rozvoj kritickej infraštruktúry. Obe strany deklarujú záujem aktívne sa podieľať na projektoch, ktoré prispejú k modernizácii infraštruktúry, efektívnejšiemu využívaniu zdrojov a posilneniu investičného prostredia na Slovensku.

When the Supplier Is the Single Point of Failure: The ChipSoft Attack and a Lesson for Slovak Healthcare

22. apríla 2026
A ransomware attack on ChipSoft, the supplier of the electronic health records system used by approximately 70 to 80 percent of Dutch hospitals, paralysed a substantial part of the national healthcare system within a matter of hours. The event reaches far beyond the borders of the Netherlands. It confirms that the concentration of sensitive infrastructure in the hands of a single software supplier is becoming a systemic vulnerability of critical infrastructure.