Cyber Resilience Act enters the operational phase: what was said at KYBER2026 and what Slovakia must complete before 11 September 2026

28 April 2026

The KYBER2026 conference of the National Security Authority and SK-CERT, held on 27 and 28 April 2026 at Hotel Sitno Vyhne, confirmed what operators of essential services and critical entities had already suspected since the beginning of the year. 2026 is not a year of preparation — it is a year of demonstrable functionality. At the centre stands Regulation (EU) 2024/2847 of the European Parliament and of the Council on cyber resilience, which reaches its first hard milestone on 11 September 2026: mandatory reporting of actively exploited vulnerabilities and significant incidents through ENISA's Single Reporting Platform.

What was said at KYBER2026


The conference was opened by Roman Konečný, Director of the National Security Authority, who summarised the state of Slovak cybersecurity and outlined priorities for 2026. Jaroslav Ďurovka from the National Cyber Security Centre, together with Marek Vlášek from the Inspection and Supervision Division, presented the Cybersecurity Report for 2025, which recorded a year-on-year increase in reported incidents and a shift in the attack profile from opportunistic campaigns toward targeted operations against public administration and critical infrastructure.


Milan Pikula, Director of SK-CERT, addressed practical incident handling and the relationship between NSA Decree No. 227 of 2025 and sector-specific decrees. Martin Senčák, in his capacity as the National Cybersecurity Certification Authority, delivered a session on the Cyber Resilience Act and the obligations of manufacturers of products with digital elements. Further panels covered the transition to post-quantum cryptography, coordinated vulnerability disclosure (CVD), and the operation of the unified cybersecurity information system, known as JISKB. The shared conclusion of the conference was that 2026 is the first year in which the National Security Authority holds the full supervisory toolkit under Act No. 366/2024 on Cybersecurity.


Three hard deadlines before the end of the year


Operators and manufacturers must keep three specific dates in view. First, on 11 June 2026, the rules for conformity assessment bodies under the Cyber Resilience Act begin to apply — a prerequisite for the functioning of the CRA certification regime. Second, by 17 July 2026, central state administration bodies must, under Sections 7 and 8 of Act No. 367/2024 on Critical Infrastructure, identify critical entities in accordance with Directive (EU) 2022/2557 of the European Parliament and of the Council, known as the CER Directive. Third, on 11 September 2026, the mandatory 24-hour, 72-hour, and 14-day reporting regime for manufacturers through ENISA's Single Reporting Platform enters into full force.


Additional milestones on 30 August 2026 and 30 October 2026 relate to harmonised standards under the CRA. Entities that integrate or manufacture products with digital elements — including industrial control systems, smart meters, OT components, and network devices — must have not only their technical processes in place by September, but also their contractual and organisational arrangements. Fines under the CRA reach up to 15 million euros or 2.5 percent of global turnover. The proposed revision of the Cybersecurity Act, COM(2026) 11, envisages sanctions of up to 7 percent of turnover for breaches of ICT supply chain obligations.


What this means for the Slovak supply chain


One week before the KYBER2026 conference, SK-CERT published a cluster of critical advisories illustrating why ICT supply chain security is at the centre of attention. Between 13 and 17 April 2026, warnings were issued for vulnerabilities in Cisco products with a CVSS score of 9.9, in Schneider Electric with a CVSS score of 9.0 with direct impact on OT and ICS environments, in Microsoft Patch Tuesday, in Fortinet, in Tenable Identity Exposure, and in actively exploited Adobe and Nginx UI products. Each of these advisories triggers obligations under NSA Decree No. 227 of 2025 — security updates and vulnerability management — as well as a potential reporting obligation under NSA Decree No. 226 of 2025.


The threat environment matches this picture. A joint advisory from 18 intelligence and cyber agencies issued on 7 April 2026, co-signed by the National Security Authority together with the Slovak Information Service and Military Intelligence, described a campaign by Unit 26165 of the Russian GRU, known as APT28, using compromised SOHO routers for adversary-in-the-middle attacks against Outlook Web Access and Microsoft 365. Operation Neusploit, documented in CERT-EU Cyber Brief 26-03, targeted public administration in Slovakia, Ukraine, and Romania specifically through exploitation of vulnerability CVE-2026-21509 in RTF attachments. Slovakia is a named target, not collateral damage.


"2026 is the turning point that separates documentary compliance from demonstrable functionality. Those who have not tested by September whether they can report an actively exploited vulnerability within twenty-four hours, who have not aligned NSA Decree No. 227 of 2025 with the obligations of the Cyber Resilience Act, and who have not identified their critical dependencies before 17 July 2026, will not pass a real supervisory inspection. The Cyber Resilience Act, NIS 2, and CER are not abstract regulatory documents — they are a response to specific tactics of state actors that we observe in the Slovak cyber space every month," says Tibor Straka, President of the Critical Infrastructure Association of the Slovak Republic (AKI SR).


Practical recommendations for operators


For operators of critical infrastructure, KYBER2026 yields several concrete steps. First, updating supply chain mapping according to component criticality and geographic origin — relevant to every future certification scheme under the European ICT Certification Framework (ECCF). Second, reviewing contractual incident reporting mechanisms to ensure compatibility with the deadlines set under NIS 2 and with the 24-hour deadline for reporting actively exploited vulnerabilities under the CRA. Third, preparing internal procedures for coordination with SK-CERT and the National Security Authority in the event of significant incidents.


AKI SR — the Critical Infrastructure Association of the Slovak Republic — as a professional platform and strategic partner of the National Security Authority, provides its members with methodological support for aligning CRA, NIS 2, and CER obligations, interpretation of Acts No. 366/2024 and 367/2024, assistance in preparing reports under Decrees 226/2025 and 227/2025, and links to public-sector financial instruments. KYBER2026 demonstrated that the time for preparation has shortened. The next five months will determine which entities will have a functional compliance regime in place on 11 September 2026 — and which will respond only after the first supervisory inspection.
