- July 8, 2026
- admin
- 0
Cybersecurity is no longer merely a technical issue. It is becoming one of the key responsibilities of management, public institutions, and organisations that perform important social or economic activities. The new Information Security Act – ZInfV-1 regulates the field of information and cybersecurity in the Republic of Slovenia and defines the national information security system. Its purpose is to ensure a higher level of cyber resilience for organisations that are important for the uninterrupted functioning of the state, the economy, and society.
ZInfV-1 transposes the European NIS 2 Directive, namely Directive (EU) 2022/2555, into Slovenian law. This directive establishes measures at European Union level to ensure a high common level of cybersecurity. In addition, the Act also regulates the implementation of certain European regulations in the fields of cybersecurity, ICT certification, and European mechanisms for responding to cyber threats and incidents.
Why Is ZInfV-1 Important?
ZInfV-1 represents an important shift from general recommendations on good security practices towards more formalised, demonstrable, and supervised obligations. Organisations that fall within the scope of the Act must be able to demonstrably manage cybersecurity risks, maintain proper security documentation, implement technical and organisational measures, and report significant incidents.
Among other things, the Act introduces an expanded scope of obliged entities, the obligation of self-registration, additional risk management measures, conformity assessment or self-assessment, regular training of responsible persons, and mechanisms for coordinated vulnerability disclosure.
For companies, this means that information security is no longer solely the responsibility of the IT department. In practice, it affects management, legal departments, HR, procurement, suppliers, external contractors, and all employees who use the organisation’s information systems.
What Does ZInfV-1 Cover?
ZInfV-1 regulates a broad area of information and cybersecurity. The Act defines the responsibilities, tasks, organisation, and operation of the competent national information security authority, the authority responsible for managing large-scale incidents and crises, the single point of contact for cybersecurity, and CSIRT teams.
In addition to this institutional framework, the Act also defines measures for managing information and cybersecurity risks, reporting obligations for obliged entities, voluntary incident notification, rules for exchanging cybersecurity information, supervision, and cybersecurity certification.
The Act therefore does not only address incident response. It requires a comprehensive approach: from maintaining an inventory of information assets, risk assessment, security policies, and business continuity, to technical controls, supplier management, employee training, and reporting to the competent authorities.
Who Does the Act Apply To?
One of the most important tasks for every organisation is to determine whether it qualifies as an obliged entity under ZInfV-1. Official explanations state that an entity must first independently identify which activities it has registered and which activities it actually performs. It must then verify whether those activities fall within the sectors, subsectors, or types of entities listed in Annex 1 or Annex 2 of the Act.
It is important to note that the types of activities listed in the annexes are not necessarily identical to the activities defined under the Standard Classification of Activities. Therefore, it is not sufficient to check only the company’s registered main activity.
According to the official explanations, an entity generally qualifies as an obliged entity if it simultaneously meets three conditions: it performs an activity listed in Annex 1 or Annex 2, has at least 50 employees, and has an annual turnover or annual balance sheet total of at least EUR 10 million.
Obliged entities are divided into essential entities and important entities. Essential entities include certain entities from highly critical sectors, such as energy, transport, banking, and healthcare, provided that they meet the relevant criteria, as well as certain other specially designated entities. Important entities are those that fall within the scope of the Act but are not classified as essential entities.
Which Sectors Are Covered?
ZInfV-1 covers a number of areas that are important for the functioning of society and the economy. The sectors included within highly critical or other critical areas include, among others, energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, chemicals, the food industry, certain manufacturing activities, digital providers, and research.
This means that the Act does not apply only to traditional state institutions or large infrastructure companies. In certain cases, it may also apply to manufacturing companies, logistics organisations, providers of digital services, healthcare organisations, research institutions, or companies that provide important ICT or managed services.
Special Cases of Obliged Entities
The official explanations explicitly state that an entity may also be considered an obliged entity even if its activity is not necessarily listed in Annex 1 or Annex 2, provided that it falls within certain special categories.
These include, for example, entities designated as critical under the legislation governing critical infrastructure, entities providing domain name registration services, and entities defined in national protection and rescue plans as services of national importance, where the failure of their network and information systems could endanger the performance of protection and rescue tasks.
This is why an initial assessment of whether an organisation qualifies as an obliged entity is so important. An organisation should not rely solely on its main registered activity or size. It must also assess the activities it actually performs, any special statuses it may have, and any potential links to critical services.
What Must an Organisation Do If It Is an Obliged Entity?
The first step is self-registration. The new Act states that entities meeting the statutory criteria must self-register as obliged entities no later than 30 days from the day on which they meet those criteria. For this purpose, an online form has been prepared through which an organisation can complete self-registration, verify whether it falls within the scope of the Act, and determine the category to which it belongs.
The next step is to establish an appropriate information security management system. In practice, this means that the organisation must prepare and maintain documented policies, procedures, plans, and records proving that security risks are not handled randomly, but systematically and in a controlled manner.
Key Documentation an Organisation Should Have
An organisation that wants to be prepared for the requirements of ZInfV-1 must have basic security documentation in place. This usually includes an information security policy, an inventory of information assets, a risk assessment, a risk management plan, an access management policy, a password and multi-factor authentication policy, a backup policy, a business continuity plan, a disaster recovery plan, an incident response plan, and a procedure for notifying the competent CSIRT team.
The official ZInfV-1 brochure states that, in the case of an obliged entity, the inspection authority may review security documentation such as policies, procedures, plans, and risk assessments, and may also verify whether security measures are actually being implemented.
It is therefore not enough for an organisation to prepare documents merely as a formality. It is important that the measures described in those documents are implemented in practice, that evidence of implementation exists, and that responsibilities are clearly defined.
Technical Measures: What Should Be Arranged in Practice?
ZInfV-1 emphasises risk management, which means that organisations must also ensure appropriate technical security measures. In practice, the most important measures include proper user account management, multi-factor authentication, separate administrator accounts, regular installation of security updates, control of privileged access, properly managed backups, testing of data restoration, centralised logging, endpoint protection, network segmentation, and control of remote access.
In addition to internal measures, supply chain management is also important. The areas addressed in the explanations and frequently asked questions include risk management measures and supply chain security.
This means that an organisation must know which external contractors have access to its systems, what services those contractors provide, what contractual arrangements are in place, how incidents involving suppliers are handled, and what security standards apply to external partners.
Incident Reporting
ZInfV-1 also defines obligations regarding the notification of significant incidents. The official brochure describes several reporting phases: an early warning containing an initial assessment of the incident, an incident notification with an assessment of its severity and impact, an interim report at the request of the CSIRT, and a final report. If the incident is still ongoing after one month, a progress report is required, while the final report is submitted after the incident has been resolved.
A significant cyber incident is defined in the Act as an incident that has caused, or could cause, serious operational disruption to the provision of services or financial losses, or that has affected, or could affect, other natural or legal persons by causing significant material or non-material damage.
Organisations should therefore determine in advance who internally assesses an incident, who informs management, who communicates with the competent authorities, and who prepares the reports. Without a predefined procedure, an organisation may lose valuable time in the event of a serious incident.
Voluntary Incident Notification
The legislative framework also allows for voluntary incident notification. The official brochure states that voluntary notification is intended for entities that are not obliged entities under the Act, as well as for obliged entities in cases where an incident is not classified as significant but could nevertheless affect the security, stability, or reliability of information systems.
Voluntary notification is not subject to penalties and is not considered an admission of non-compliance. Instead, it is treated as a good practice of responsible conduct.
This is particularly important in the case of new or broader threats, vulnerabilities, incidents that may affect multiple organisations, or situations where an entity wishes to contribute to overall cyber resilience.
Supervision and Inspections
ZInfV-1 also provides for supervision of the implementation of obligations. The official brochure states that the inspection authority may review security documentation, verify the implementation of security measures, perform a technical inspection of the network, and check the physical and technical protection of locations where key information systems are located, such as server rooms.
An organisation must therefore be prepared to present not only policies and procedures, but also supporting evidence. This may include update records, configuration exports of security controls, results of data recovery tests, training records, security review reports, supplier contracts, and documented procedures for incident handling.
What Should a Company Do First?
It is recommended that a company first carry out an initial assessment to determine whether it falls within the scope of ZInfV-1. This assessment should include a review of the activities actually performed, a comparison with Annex 1 and Annex 2, verification of the number of employees, annual turnover and balance sheet total, and an assessment of any special statuses, such as critical infrastructure, domain name registration services, or tasks related to protection and rescue.
The official explanations emphasise that it is not sufficient to consider only the main registered activity. The activities actually performed by the organisation must also be taken into account.
If a company determines that it is an obliged entity, it must complete self-registration, appoint responsible persons, prepare or update security documentation, carry out a risk assessment, review technical security measures, and establish a procedure for incident reporting.
If a company is not an obliged entity, this does not mean that the measures are irrelevant. ZInfV-1 and NIS 2 set standards that will gradually become the expected level of cyber hygiene also for smaller companies, suppliers, external contractors, and business partners of larger organisations.
Practical Checklist for Companies
For an initial review, we recommend asking the following questions:
- Does the company perform an activity that falls within the sectors listed in Annex 1 or Annex 2 of ZInfV-1?
- Does the company have at least 50 employees?
- Does the annual turnover or balance sheet total reach at least EUR 10 million?
- Is the company part of critical infrastructure?
- Does the company provide domain, DNS, ICT, managed, or security services?
- Has the company appointed a person responsible for information security?
- Is there an up-to-date inventory of information assets?
- Has a risk assessment been carried out?
- Is there an incident response plan?
- Are backups tested regularly?
- Has multi-factor authentication been implemented?
- Are administrator accesses separated and controlled?
- Are external suppliers security-assessed?
- Are there records of security measures, training, and reviews?
Such a checklist is not a substitute for a legal assessment, but it is a very useful starting point for discussions between management, the IT department, the legal department, and external consultants.
ZInfV-1 introduces important changes for organisations that perform key or important activities. Its objective is not merely to impose an administrative burden on companies, but to raise the level of cyber resilience, improve risk management, and enable faster response to incidents.
For companies, this means that information security must be approached systematically. Clear responsibilities, proper documentation, technically implemented security measures, regular reviews, employee training, and readiness to report incidents are all required.
The best approach is for an organisation to start by assessing whether it falls within the scope of the Act and then prepare an action plan. Even if a company is not formally an obliged entity, many of the measures envisaged by ZInfV-1 make sense as good practices for information security and business protection.
