Cyber Resilience Act enters the operational phase: what was said at KYBER2026 and what Slovakia must complete before 11 September 2026

28. apríla 2026

The KYBER2026 conference of the National Security Authority and SK-CERT, held on 27 and 28 April 2026 at Hotel Sitno Vyhne, confirmed what operators of essential services and critical entities had already suspected since the beginning of the year. 2026 is not a year of preparation — it is a year of demonstrable functionality. At the centre stands Regulation (EU) 2024/2847 of the European Parliament and of the Council on cyber resilience, which reaches its first hard milestone on 11 September 2026: mandatory reporting of actively exploited vulnerabilities and significant incidents through ENISA's Single Reporting Platform.

What was said at KYBER2026


The conference was opened by Roman Konečný, Director of the National Security Authority, who summarised the state of Slovak cybersecurity and outlined priorities for 2026. Jaroslav Ďurovka from the National Cyber Security Centre, together with Marek Vlášek from the Inspection and Supervision Division, presented the Cybersecurity Report for 2025, which recorded a year-on-year increase in reported incidents and a shift in the attack profile from opportunistic campaigns toward targeted operations against public administration and critical infrastructure.


Milan Pikula, Director of SK-CERT, addressed practical incident handling and the relationship between NSA Decree No. 227 of 2025 and sector-specific decrees. Martin Senčák, in his capacity as the National Cybersecurity Certification Authority, delivered a session on the Cyber Resilience Act and the obligations of manufacturers of products with digital elements. Further panels covered the transition to post-quantum cryptography, coordinated vulnerability disclosure (CVD), and the operation of the unified cybersecurity information system, known as JISKB. The shared conclusion of the conference was that 2026 is the first year in which the National Security Authority holds the full supervisory toolkit under Act No. 366/2024 on Cybersecurity.


Three hard deadlines before the end of the year


Operators and manufacturers must keep three specific dates in view. First, on 11 June 2026, the rules for conformity assessment bodies under the Cyber Resilience Act begin to apply — a prerequisite for the functioning of the CRA certification regime. Second, by 17 July 2026, central state administration bodies must, under Sections 7 and 8 of Act No. 367/2024 on Critical Infrastructure, identify critical entities in accordance with Directive (EU) 2022/2557 of the European Parliament and of the Council, known as the CER Directive. Third, on 11 September 2026, the mandatory 24-hour, 72-hour, and 14-day reporting regime for manufacturers through ENISA's Single Reporting Platform enters into full force.


Additional milestones on 30 August 2026 and 30 October 2026 relate to harmonised standards under the CRA. Entities that integrate or manufacture products with digital elements — including industrial control systems, smart meters, OT components, and network devices — must have not only their technical processes in place by September, but also their contractual and organisational arrangements. Fines under the CRA reach up to 15 million euros or 2.5 percent of global turnover. The proposed revision of the Cybersecurity Act, COM(2026) 11, envisages sanctions of up to 7 percent of turnover for breaches of ICT supply chain obligations.


What this means for the Slovak supply chain


One week before the KYBER2026 conference, SK-CERT published a cluster of critical advisories illustrating why ICT supply chain security is at the centre of attention. Between 13 and 17 April 2026, warnings were issued for vulnerabilities in Cisco products with a CVSS score of 9.9, in Schneider Electric with a CVSS score of 9.0 with direct impact on OT and ICS environments, in Microsoft Patch Tuesday, in Fortinet, in Tenable Identity Exposure, and in actively exploited Adobe and Nginx UI products. Each of these advisories triggers obligations under NSA Decree No. 227 of 2025 — security updates and vulnerability management — as well as a potential reporting obligation under NSA Decree No. 226 of 2025.


The threat environment corresponds accordingly. A joint advisory from 18 intelligence and cyber agencies issued on 7 April 2026, co-signed by the National Security Authority together with the Slovak Information Service and Military Intelligence, described a campaign by Unit 26165 of Russian GRU, known as APT28, using compromised SOHO routers for adversary-in-the-middle attacks against Outlook Web Access and Microsoft 365. Operation Neusploit, documented in CERT-EU Cyber Brief 26-03, targeted public administration in Slovakia, Ukraine, and Romania specifically through exploitation of vulnerability CVE-2026-21509 in RTF attachments. Slovakia is a named target, not collateral damage.


"2026 is the turning point that separates documentary compliance from demonstrable functionality. Those who have not tested by September whether they can report an actively exploited vulnerability within twenty-four hours, who have not aligned NSA Decree No. 227 of 2025 with the obligations of the Cyber Resilience Act, and who have not identified their critical dependencies before 17 July 2026, will not pass a real supervisory inspection. The Cyber Resilience Act, NIS 2, and CER are not abstract regulatory documents — they are a response to specific tactics of state actors that we observe in the Slovak cyber space every month," says Tibor Straka, President of the Critical Infrastructure Association of the Slovak Republic (AKI SR).


Practical recommendations for operators


For operators of critical infrastructure, KYBER2026 yields several concrete steps. First, updating supply chain mapping according to component criticality and geographic origin — relevant to every future certification scheme under the European ICT Certification Framework (ECCF). Second, reviewing contractual incident reporting mechanisms to ensure compatibility with the deadlines set under NIS 2 and with the 24-hour deadline for reporting actively exploited vulnerabilities under the CRA. Third, preparing internal procedures for coordination with SK-CERT and the National Security Authority in the event of significant incidents.


AKI SR — the Critical Infrastructure Association of the Slovak Republic — as a professional platform and strategic partner of the National Security Authority, provides its members with methodological support for aligning CRA, NIS 2, and CER obligations, interpretation of Acts No. 366/2024 and 367/2024, assistance in preparing reports under Decrees 226/2025 and 227/2025, and links to public-sector financial instruments. KYBER2026 demonstrated that the time for preparation has shortened. The next five months will determine which entities will have a functional compliance regime in place on 11 September 2026 — and which will respond only after the first supervisory inspection.

Cyber Resilience Act vstupuje do prevádzkovej fázy: čo zaznelo na KYBER2026 a čo musí Slovensko stihnúť do 11. septembra 2026

28. apríla 2026
Konferencia KYBER2026 Národného bezpečnostného úradu a SK-CERT, ktorá sa konala 27. a 28. apríla 2026 v hoteli Sitno Vyhne, potvrdila to, čo prevádzkovatelia základných služieb a kritických subjektov tušili už od začiatku roka. Rok 2026 nie je rokom prípravy, ale rokom preukázateľnej funkčnosti. V centre stojí nariadenie Európskeho parlamentu a Rady číslo 2024/2847 o kybernetickej odolnosti, ktoré dosiahne 11. septembra 2026 prvý ostrý míľnik, povinné hlásenie aktívne zneužívaných zraniteľností a závažných incidentov cez Single Reporting Platform agentúry ENISA.

Memorandum between the Critical Infrastructure Association of the SR and Slovak Investment Holding opens space for sustainable investments in critical infrastructure

24. apríla 2026
The Critical Infrastructure Association of the Slovak Republic (AKI SR) and Slovak Investment Holding, a. s. concluded a memorandum of cooperation on 23 April 2026, the aim of which is to create a framework for the support of investments and the financing of projects in the field of critical infrastructure in Slovakia. The memorandum confirms the shared interest of both parties in developing strategic, developmental and innovation projects with a focus on increasing the resilience of critical infrastructure and securing essential services. The cooperation will concentrate in particular on the identification of suitable projects, the exchange of expert knowledge, as well as the interconnection of public and private sources of financing. An important part of the cooperation is also the use of expert capacities and practical experience in the preparation and implementation of projects, in particular in the areas of infrastructure and innovation. “We see room for projects that will have a long-term impact and, at the same time, financial sustainability. In areas of public interest, such as critical infrastructure or innovation, we can bring knowledge of the environment, the identification of projects and the interconnection of partners, so that high-quality and feasible solutions come into being,” stated Tibor Straka, President of AKI SR. According to his words, it is crucial that the cooperation brings concrete results: “It is important for us that this cooperation is sustainable in the long term and brings measurable results that will have a real benefit for Slovak critical infrastructure.” At the same time, the memorandum creates space for systematic expert cooperation, consultations and further joint activities aimed at the support of investments and the development of critical infrastructure. Both parties declare their interest in actively participating in projects that will contribute to the modernisation of infrastructure, the more efficient use of resources and the strengthening of the investment environment in Slovakia.

Memorandum medzi Asociáciou kritickej infraštruktúry SR a Slovak Investment Holding otvára priestor pre udržateľné investície do kritickej infraštruktúry

24. apríla 2026
Asociácia kritickej infraštruktúry Slovenskej republiky (AKI SR) a Slovak Investment Holding, a. s. uzavreli 23. apríla 2026 memorandum o spolupráci, ktorého cieľom je vytvoriť rámec pre podporu investícií a financovanie projektov v oblasti kritickej infraštruktúry na Slovensku. Memorandum potvrdzuje spoločný záujem oboch strán rozvíjať strategické, rozvojové a inovačné projekty so zameraním na zvýšenie odolnosti kritickej infraštruktúry a zabezpečenie základných služieb. Spolupráca sa bude sústreďovať najmä na identifikáciu vhodných projektov, výmenu odborných poznatkov, ako aj prepájanie verejných a súkromných zdrojov financovania. Dôležitou súčasťou spolupráce je aj využitie odborných kapacít a praktických skúseností pri príprave a realizácii projektov, najmä v oblastiach infraštruktúry a inovácií. „ Vidíme priestor pre projekty, ktoré budú mať dlhodobý dopad a zároveň finančnú udržateľnosť. V oblastiach verejného záujmu, ako sú kritická infraštruktúra či inovácie, vieme priniesť znalosť prostredia, identifikáciu projektov a prepájanie partnerov tak, aby vznikali kvalitné a realizovateľné riešenia,“ uviedol prezident AKI SR Tibor Straka. Podľa jeho slov je kľúčové, aby spolupráca prinášala konkrétne výsledky: „Je pre nás dôležité, aby táto spolupráca bola dlhodobo udržateľná a prinášala merateľné výsledky, ktoré budú mať reálny prínos pre slovenskú kritickú infraštruktúru.“  Memorandum zároveň vytvára priestor pre systematickú odbornú spoluprácu, konzultácie a ďalšie spoločné aktivity zamerané na podporu investícií a rozvoj kritickej infraštruktúry. Obe strany deklarujú záujem aktívne sa podieľať na projektoch, ktoré prispejú k modernizácii infraštruktúry, efektívnejšiemu využívaniu zdrojov a posilneniu investičného prostredia na Slovensku.

When the Supplier Is the Single Point of Failure: The ChipSoft Attack and a Lesson for Slovak Healthcare

22. apríla 2026
A ransomware attack on ChipSoft, the supplier of the electronic health records system used by approximately 70 to 80 percent of Dutch hospitals, paralysed a substantial part of the national healthcare system within a matter of hours. The event reaches far beyond the borders of the Netherlands. It confirms that the concentration of sensitive infrastructure in the hands of a single software supplier is becoming a systemic vulnerability of critical infrastructure. 

Keď je dodávateľ jediným bodom zlyhania: útok na ChipSoft a lekcia pre slovenské zdravotníctvo

22. apríla 2026
Ransomvérový útok na spoločnosť ChipSoft, dodávateľa elektronickej zdravotnej dokumentácie pre približne 70 až 80 percent holandských nemocníc, ochromil za niekoľko hodín podstatnú časť národného zdravotníckeho systému. Udalosť má presah ďaleko za hranice Holandska. Potvrdzuje, že koncentrácia citlivej infraštruktúry u jediného softvérového dodávateľa sa stáva systémovou zraniteľnosťou kritickej infraštruktúry. 

Nuclear Fuel as Critical Infrastructure: Slovakia Is Building Supply Chain Sovereignty

15. apríla 2026
On 9 April 2026, Slovenské elektrárne, the Czech ČEZ, the Finnish Fortum and the Hungarian MVM Paks NPP signed a contract with the company Framatome for the development of the VERA-440 fuel assembly, which is a 100 % European fuel for VVER-440 reactors. The total value of the project reaches approximately 50 million euros, of which 10 million comes from the EU SAVE programme (Safe and Alternative VVER European) with 17 partners from 7 Member States and Ukraine. The commercial deployment of a sovereign European fuel is expected after 2035. This is not just an energy story. It is an event in the field of critical infrastructure security.

Jadrové palivo ako kritická infraštruktúra: Slovensko buduje suverenitu dodávateľského reťazca

15. apríla 2026
Dňa 9. apríla 2026 podpísali Slovenské elektrárne, česká ČEZ, fínska Fortum a maďarská MVM Paks NPP zmluvu so spoločnosťou Framatome na vývoj palivového článku VERA-440, čo je 100 % európske palivo pre reaktory VVER-440. Celková hodnota projektu dosahuje približne 50 miliónov eur, z čoho 10 miliónov pochádza z programu EÚ SAVE (Safe and Alternative VVER European) so 17 partnermi zo 7 členských štátov a Ukrajiny. Komerčné nasadenie vlastného európskeho paliva sa predpokladá po roku 2035. Toto nie je len energetická správa. Je to udalosť v oblasti bezpečnosti kritickej infraštruktúry.

Attack on the Chinese Supercomputing Centre: When the Attacker Becomes the Target

13. apríla 2026
An actor operating under the name “FlamingChina” claims to have obtained more than 10 petabytes of data from China’s National Supercomputing Centre in Tianjin, including military simulations, weapons system schematics and classified research materials. Regardless of whether the declared volume is real or overstated, the incident raises a question that reaches beyond geopolitics: how are the sovereign computing capacities of states protected, and why are supercomputers becoming a strategic target? 

Útok na čínske superpočítačové centrum: keď sa terčom stáva sám útočník

13. apríla 2026
Aktér vystupujúci pod menom „FlamingChina“ tvrdí, že z čínskeho Národného superpočítačového centra v Tchien-ťine získal vyše 10 petabajtov dát vrátane vojenských simulácií, schém zbraňových systémov a klasifikovaných výskumných materiálov. Bez ohľadu na to, či je deklarovaný objem reálny alebo nadhodnotený, incident otvára otázku, ktorá presahuje geopolitiku. Ako sú chránené suverénne výpočtové kapacity štátov a prečo sa superpočítače stávajú strategickým terčom. 

When the Lights Go Out: Blackout as a Test of Modern Society's Resilience

8. apríla 2026
A large-scale power outage is no longer a hypothetical scenario. Recent months have brought a series of incidents showing that the stability of Europe's electricity systems is exposed to a combination of threats on a scale we have not previously encountered. The discussion of blackouts is therefore shifting from technical circles into the broader strategic framework of critical infrastructure protection.