The Rules of the Game Change on July 17. For the First Time, the State Will Identify Critical Entities Under New Legislation
On July 17, 2026, the deadline will expire by which central state administration bodies must, for the first time, identify critical entities under Act No. 367/2024 Coll. on Critical Infrastructure. This will be the first identification process following the approval of the Strategy for the Resilience of Critical Entities, and at the same time a significant milestone in the implementation of a new system for the protection of critical infrastructure in Slovakia.
Why Is This Date Important?
For organizations that will be designated as critical entities, this will not merely mean formal inclusion on a list. Their status will be accompanied by a whole range of new statutory obligations aimed at ensuring that they are able to withstand security, technological, natural, and hybrid threats, and to ensure the uninterrupted provision of essential services.
Once identified, critical entities will be required to systematically manage their resilience. The law will require them to regularly assess risks, adopt appropriate technical, organizational, and security measures, prepare and continuously update a resilience plan, ensure the continuity of essential service provision, report serious incidents to the competent authorities, regularly verify the effectiveness of adopted measures, and cooperate closely with state administration bodies in the performance of supervision. A significant new obligation will also be the assessment of risks in the supply chain, including the evaluation of suppliers’ risk profiles.
It Is Not Only About Penalties
The new legal framework therefore fundamentally changes the way critical infrastructure security is viewed. It will no longer be sufficient to protect only one’s own organization. Equally important will be the ability to identify and manage risks arising from business partners and suppliers who may significantly affect a critical entity’s ability to provide essential services.
Failure to comply with statutory obligations may lead to sanctions imposed by the competent authorities. However, financial penalties are in reality only a secondary consequence. A far greater risk is a situation in which, due to insufficient risk management or failure to adopt the necessary measures, an organization loses its ability to withstand threats, the provision of an essential service is disrupted or interrupted, or a serious incident occurs with extensive economic, security, or societal consequences. Preventing precisely such situations is the main objective of the new legislation.
“The identification of the first critical entities under the new legislation represents a historic moment in building the resilience of the Slovak Republic. Organizations that will be designated as critical entities will enter an entirely new regime of obligations, the purpose of which is not to create an administrative burden, but to ensure that they are prepared to withstand threats and are able to maintain the provision of essential services even in crisis situations. True resilience, however, is not created by adopting a single document or by formally meeting the requirements of the law. It requires systematic risk management, expertise, and continuous work. This is precisely where we want to be a partner to our members,” said Tibor Straka, President of the Critical Infrastructure Association of the Slovak Republic.
Supply Chains Are Coming Into Focus
One of the most significant changes introduced by the new law is the emphasis on managing risks in supply chains. Critical entities will be required to examine the risk profiles of their suppliers, identify strategic dependencies, and assess the potential impact that the failure of individual partners could have on their ability to provide an essential service. Security is therefore no longer limited to the organization itself, but extends to the entire ecosystem of partners on which its operation depends.
In practice, this means that the new legislation will not affect only critical entities, but to a significant extent also their suppliers. Companies supplying strategic raw materials, information technologies, energy solutions, logistics services, security technologies, industrial equipment, construction works, maintenance services, or professional services will increasingly become subject to security assessments by their customers. The ability to demonstrate reliability, preparedness, and resilience will therefore become an important part of their market position.
For this reason, the Critical Infrastructure Association of the Slovak Republic devotes a significant part of its professional activities to the issue of supply chain resilience. It provides its members with expert support in identifying and assessing geopolitical, hybrid, and cyber threats; monitors legislative and regulatory changes, international sanctions regimes, trade restrictions, risks arising from dependence on foreign suppliers, economic and financial risks, environmental factors, technological vulnerabilities, and disruptions to global supply chains. This support includes expert analyses, methodological assistance, consultations, training, early warnings about emerging threats, and proposals for specific measures that help organizations strengthen their resilience.
The approaching deadline of July 17, 2026, therefore represents more than merely meeting a statutory deadline. It marks the beginning of a new stage in the protection of critical infrastructure in Slovakia, in which the resilience of organizations will increasingly depend on their ability to anticipate risks, manage them in a timely manner, and build secure and reliable supply chains. In an environment where security threats are constantly evolving, cooperation, the sharing of expert knowledge, and timely access to information will be among the decisive factors in successfully addressing new challenges.








