From Legislation to Practice: Critical Infrastructure and Cybersecurity in 2026

19 February 2026

The year 2025 was, from the perspective of critical infrastructure, a year of legislative transformation. The year 2026 is the first year of its full-scale application. The difference between these two periods is fundamental – while 2025 was dominated by legal implementation and methodological preparation, 2026 brings a regime of real regulatory responsibility.

The legal framework for cybersecurity in the Slovak Republic is governed by Act No. 69/2018 Coll. on Cybersecurity, as amended by Act No. 366/2024 Coll., which transposed into national law Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union (NIS 2). Simultaneously, Act No. 367/2024 Coll. on Critical Infrastructure was adopted, establishing a new resilience framework for critical entities. These two pieces of legislation together form a comprehensive system for managing cyber and physical risks, which has begun to be fully applied in practice.

From Identification to Mandatory Compliance

In 2025, the process of preparing and methodologically implementing measures for the identification of critical entities under the Critical Infrastructure Act was underway. State administration bodies are required to identify critical entities no later than 17 July 2026. Entities falling within the categories defined by the Act will subsequently be required to introduce measures to strengthen the security and resilience of critical infrastructure. These include systematic risk assessment, implementation of security measures, business continuity planning, and the establishment of incident response mechanisms.

The transposition of the NIS 2 Directive significantly expanded the scope of cybersecurity regulation. One of the most notable changes is the shift from the formal existence of documentation to a requirement for demonstrable functionality of security measures. An entity must be able to demonstrate a systematic process of risk identification and assessment, supply chain security management, testing of business continuity plans, and a functional incident response mechanism. This approach aligns with the objective of the NIS 2 Directive – to increase real resilience, not merely formal compliance.

The amended Cybersecurity Act also explicitly enshrines the direct responsibility of statutory bodies for managing cyber risks. Management is required to approve cybersecurity risk management measures and oversee their implementation. Under the Act, this responsibility may be fully reflected within the supervisory and sanctioning mechanisms of the law.

Adopted Strategies and Government Steps

At the beginning of 2026, the Slovak Government adopted two strategic documents as part of the implementation of the Critical Infrastructure Act and the Cybersecurity Act, providing a clear framework for risk management. The Resilience Strategy for Critical Entities of the Slovak Republic analyses the current state and vulnerabilities of critical entities, defines objectives and measures up to 2030, and establishes a coordination framework between central state authorities, local government, and critical entities. The National Cybersecurity Strategy for 2026–2030 places emphasis on the systematic strengthening of national cyberspace resilience, the protection of citizens' rights and security in cyberspace, and the protection of the state's critical infrastructure, operators of essential services, and other important assets.

Strategic Significance for Slovakia

Critical infrastructure represents a system of interconnected elements. A failure in the energy sector will affect transport, transport will affect healthcare and food distribution, and digital infrastructure will affect public administration and banks. Cross-sector dependencies increase the risk of cascading effects. The legislative framework creates the conditions for systematic risk management across all critical sectors, raising the security level of processes and strengthening national resilience against hybrid and cyber threats.

Expert Cooperation

The implementation of new obligations requires a combination of legal, technical, and organisational expertise. In this context, the Critical Infrastructure Association of the Slovak Republic (AKI SR) plays a key role as a professional platform connecting regulated entities, security and crisis management experts, public administration representatives, and technology partners. AKI SR provides companies with expert advisory services on identifying and implementing statutory obligations, methodological support for risk assessment and the introduction of measures, coordination and experience sharing between sectors, and up-to-date information on legislation, deadlines, and practical steps. For members, this means access to expert know-how, coordinated procedures, and the ability to respond to legislative changes in real time.

For critical infrastructure and cybersecurity, the year 2026 represents a transition from legislative preparation to practical implementation. Organisations will be assessed not only on the formal existence of security documents, but also on their ability to demonstrate their functionality in practice. Preparedness today equals resilience and trustworthiness tomorrow. Coordinated preparation with an expert partner such as AKI SR enables companies to fully ensure compliance with the new statutory obligations.
