
NIS2 in Slovenia: What ZInfV-1 means for your organisation

NIS2 Slovenia compliance guide to Zakon o informacijski varnosti. See scope, management duties, risk controls, incident reporting and steps to implement.

Cyberday blog

Slovenia has implemented the EU’s NIS2 Directive through the Information Security Act, ZInfV-1 (Zakon o informacijski varnosti), which replaces the earlier ZInfV that transposed the first NIS Directive. In practice, ZInfV-1 turns NIS2’s requirements into a Slovenian rulebook: who is covered, what “good security” looks like, how and how fast incidents must be reported, and what happens if an organisation falls short.

The goal is simple: raise the baseline level of cyber resilience across the Slovenian economy and make expectations enforceable, not optional.

What ZInfV-1 is trying to achieve

ZInfV-1 treats cyber resilience as a national reliability issue, not just an IT concern. Digital disruptions can quickly spill into public trust, economic stability, and the continuity of essential services.

The act pushes organisations toward:

  • Prevention, through risk management and controls before incidents happen
  • Transparency, via structured incident reporting
  • Coordinated response, so authorities and organisations can react faster
  • Leadership accountability, making cybersecurity a management responsibility

This mirrors the core intent of NIS2 across the EU: raising baseline resilience in sectors where disruption would have wider societal consequences.

The practical shift from guidance to enforceable requirements

ZInfV-1 moves beyond voluntary guidance and introduces a structured and enforceable framework for risk management, incident reporting, and supervisory oversight. The intent is to drive consistent minimum standards across sectors, while still allowing flexibility in how organisations implement controls.

Who is in scope of ZInfV-1

The Slovenian implementation of NIS2 follows the EU directive by focusing on the distinction between essential and important entities, with obligations scaled according to impact and risk. It expands coverage beyond traditional “critical infrastructure” by focusing on the likely societal or economic impact if an organisation is disrupted.

The act does not rely on one narrow list. Instead, scope is determined using a more realistic lens: size, role in society or the economy, and how disruptive an outage would be.

Essential and important entities

The sectors follow the two NIS2 annexes. The high-criticality sectors cover energy, transport, banking and financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration and space. The other critical sectors cover postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research, which is where many private companies that never carried a “critical infrastructure” label find themselves.

Under this model, being “critical” is not just about your industry label. Digital dependencies can make organisations critical because of where they sit in a value chain or because they support many other organisations.

Exclusions and proportionality

ZInfV-1 clarifies exclusions and thresholds. It follows the NIS2 size cap: small and micro enterprises generally fall outside scope, unless one of the directive’s size-independent exceptions applies, for example an entity that is the sole provider of a service in the country, providers of public electronic communications networks, DNS, TLD registry or trust services, or an entity whose disruption could significantly affect public safety, security or health. Public sector bodies are generally included regardless of size, reflecting their central role in service delivery.

Proportionality is reinforced throughout the act. Obligations are framed in terms of risk management rather than rigid technical prescriptions. Smaller organisations may face lighter requirements, while larger or more risk-intensive entities are expected to implement more comprehensive controls.

Governance: cybersecurity becomes a management responsibility

A central principle of ZInfV-1 is that cybersecurity is a governance issue. The act explicitly assigns responsibility to management bodies and expects senior leaders to stay involved, not just approve budgets after the fact.

This reflects one of NIS2’s central shifts: cybersecurity is no longer just a technical responsibility, but a board-level governance obligation.

Leadership accountability

Senior leadership is required to approve cybersecurity risk management measures and oversee their implementation. This elevates cybersecurity from a technical issue to a leadership priority.

Management bodies are also required to follow cybersecurity training, and NIS2 provides that they can be held liable for failing to meet the risk management obligations. The goal is not to turn executives into security engineers, but to ensure they can make informed decisions and challenge gaps.

Policies and internal controls

Affected organisations must establish documented policies covering risk assessment, incident handling, business continuity, and supply chain security. These policies become the backbone of compliance because they show intent, approach, and consistency.

Internal controls are expected to be reviewed and updated regularly. The act encourages continuous improvement, recognising that threats evolve and static controls quickly lose effectiveness.

Risk management obligations: focus on outcomes, not tools

ZInfV-1 requires affected organisations to implement appropriate technical and organisational measures to manage cybersecurity risks. The act does not mandate specific technologies. Instead, it focuses on outcomes and resilience objectives.

This approach gives flexibility, but it also raises the bar on being able to justify your choices. You need to show that measures are risk-based and effective for your context.

Core security measures

Typical measures expected under ZInfV-1 track the minimum list in NIS2 Article 21(2) and include:

  • Access control, identity management and multi-factor authentication where appropriate
  • Asset inventory and critical system mapping
  • Incident detection and monitoring capabilities
  • Backup procedures, disaster recovery and crisis management planning
  • Secure development, change management, and vulnerability handling and disclosure
  • Use of cryptography and encryption where appropriate
  • Cyber hygiene practices and security training

Risk assessments are a recurring obligation. Organisations must identify critical assets, assess threats, and implement controls that reduce risk to an acceptable level.

Supply chain security

A notable feature of the act is its emphasis on supply chain security. Affected organisations are expected to consider the cybersecurity posture of key suppliers and service providers: the vulnerabilities specific to each direct supplier, the overall quality of their products and secure development practices, and, in particular, managed service providers that hold privileged access to your environment.

Supply chain risk is a major theme in NIS2, recognising that many serious incidents now originate through third parties rather than direct attacks.

Incident reporting and response: clear expectations

ZInfV-1 introduces clear incident reporting obligations designed to support national situational awareness and coordinated response. It aims to strike a balance: fast visibility for meaningful incidents without drowning authorities in reports of minor events.

To make that work, organisations need both reporting readiness and internal processes to handle incidents end-to-end.

Reporting timelines and thresholds

Affected organisations must notify the competent authority of significant incidents within defined timeframes. The directive sets the baseline that national rules follow: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month, with intermediate updates on request. Initial notifications focus on early awareness, including whether malicious action or cross-border impact is suspected, followed by more detailed reports as information becomes available. Check the act and the competent authority’s guidance for the exact Slovenian deadlines and the reporting channel to use.

The act defines significance in line with NIS2: an incident is significant if it has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other persons by causing considerable damage. Impact, duration, and geographic spread are the practical yardsticks. Writing these criteria into your incident process is what lets a responder decide within hours whether the reporting clock has started, instead of escalating every low-impact issue.

Incident handling and learning

Beyond reporting, organisations must maintain internal incident response processes, including detection, containment, recovery, and post-incident review.

The act implicitly promotes a learning culture. Post-incident analysis should feed back into risk management, with a view toward reducing recurrence and improving resilience over time.

Supervision and enforcement

ZInfV-1 designates national competent authorities responsible for supervision and enforcement. These authorities can request information, conduct inspections, and issue binding instructions to ensure organisations meet their obligations.

Oversight is intended to be risk-based, meaning higher-impact sectors and entities may face closer scrutiny. The act also provides for administrative fines and corrective measures in cases of non-compliance. NIS2 requires maximum fines of at least €10 million or 2% of worldwide annual turnover for essential entities and €7 million or 1.4% for important entities, and allows authorities to suspend certifications or temporarily bar individuals from management functions at essential entities. The focus remains on restoring compliance and reducing systemic risk rather than punishment alone.

How ZInfV-1 fits with other requirements

ZInfV-1 (and NIS2 in general) does not exist in isolation. Organisations covered by the act already have overlapping obligations under other EU and national rules, especially in areas like data protection, sector regulation, and operational risk management.

In practice, compliance works best when ZInfV-1 is treated as part of your existing governance structure, not as a separate cybersecurity project.

For many organisations, the main overlap points are:

  • GDPR and personal data breaches, where incident handling and reporting processes need to work together: the 72-hour GDPR notification to the data protection authority and the NIS2 incident reports run on separate clocks and go to different authorities, so one incident can trigger both
  • Sector-specific regulators, especially in finance, energy, transport, and healthcare
  • Business continuity and operational resilience programs, which often already cover critical service availability
  • Supplier and outsourcing controls, since third-party risk is now a formal expectation under ZInfV-1

ZInfV-1 also supports EU-level coordination through information sharing and cross-border response mechanisms. This matters because significant incidents may involve suppliers, infrastructure, or impacts that extend beyond Slovenia.

The key takeaway is simple: organisations should integrate ZInfV-1 into existing compliance and risk workflows, instead of building parallel processes from scratch.

Practical implications: what to do first

For organisations complying with NIS2 obligations in other EU countries, ZInfV-1 will feel familiar, since it applies the same underlying structure through Slovenian authorities.

Most of the compliance work will involve changes to governance, documentation, and operational routines. Tools can help, but the most common gaps are ownership, evidence, and repeatability.

A phased approach works well: start with governance and the highest risks, then expand coverage and maturity over time.

A practical starting plan could be:

  1. Confirm whether you are likely an essential or important entity under ZInfV-1.
  2. Assign clear ownership (board/executive oversight plus an accountable operational owner).
  3. Formalise the basics: risk management, incident response, business continuity, supplier security expectations.
  4. Run a risk assessment tied to real services and assets, then prioritise gaps.
  5. Test incident response and reporting workflows so timelines and escalation are realistic.
  6. Review suppliers that can affect availability, integrity, or confidentiality of key services.

FAQs

Does ZInfV-1 apply to my organisation?

If you operate in an essential or important sector and your disruption could have material societal or economic impact, you may be in scope. Size, function, and risk profile are usually part of the assessment. Small organisations can still be included if they perform critical functions.

What is the biggest change compared to previous expectations?

Accountability and enforceability. ZInfV-1 makes cybersecurity a management responsibility and introduces supervision, inspections, and corrective powers. It also expands scope beyond a narrow set of operators.

Do we need to use specific standards or tools to comply?

Generally no. The act is outcome-focused and technology-neutral. You can choose standards and tools that fit your environment, as long as you can show risk-based measures and evidence that controls are implemented and maintained.

What should we prioritise if we are starting from scratch?

Start with governance and basics: assign ownership, document key policies (risk, incident response, continuity, supplier security), run a realistic risk assessment tied to services and assets, and test incident handling and reporting so you can meet timelines under pressure.