Expert Statement of the Critical Infrastructure Association of the Slovak Republic (AKI SR) on Act No. 318/2025 Coll. and the implementation of the Cyber Resilience Act (CRA)

The Act also changes the position of the National Security Authority, which becomes the market surveillance authority for products with digital elements. This is a significant strengthening of the state's capacities in an area where a clear and unambiguous competence framework has been lacking until now. The NSA will now be able to verify the security properties of digital products, order manufacturers or distributors to eliminate identified deficiencies, if necessary, prohibit the placement of non-compliant technologies on the market and intervene also in the online environment against offers that threaten user security. This is a response to the long-term trend where an increasing number of digital components - including those that later end up in critical systems - are purchased through global online platforms without sufficient control of origin or quality.

The Cyber Resilience Act introduces extensive and previously non-existent obligations for manufacturers and importers of digital products. The manufacturer will bear responsibility for product security throughout its entire life cycle, will have to ensure vulnerability management processes, provide corrective updates, prepare technical documentation for conformity and transparently inform about security incidents. The amendment to the Act translates these rules into the Slovak legal framework and creates a basis for their practical enforcement.

An extremely important innovation is also the digital product passport, which is intended to provide an overview of security properties, technical specifications, compliance with regulations and update history. For critical infrastructure operators, this means a much higher level of transparency in relation to the technologies they use in their key systems. From a long-term perspective, this will also support better risk management and more efficient identification of weaknesses in supply chains.

From the perspective of energy security, transport, healthcare, manufacturing sectors or telecommunications networks, this is a legislative step that clearly moves Slovakia closer to modern European standards of cyber resilience. Critical infrastructure today is exposed to highly sophisticated attacks that often exploit vulnerabilities in common commercial products. While until now it was possible to place on the market even products with minimal security standards, the new legal framework will enable the state to effectively stop such technologies as soon as they appear on the Slovak market.

The Critical Infrastructure Association of the Slovak Republic considers this legislative regulation to be a step in the right direction. At the same time, we perceive the need for the state to prepare clear methodological guidelines for critical infrastructure operators, public authorities and companies that will have to fulfil obligations under the CRA. The introduction of the regulation will also involve the need to strengthen the expert capacities of the NSA, as well as better coordination between individual state authorities.

AKI SR is ready to actively cooperate with the NSA, ministries and the expert community in implementing this legal regulation into practice. We believe that the new framework will contribute to increasing the security of digital technologies used in Slovakia and will strengthen the protection of systems that are necessary for the functioning of society, the economy and the state.