NIS2 Directive and Cybersecurity Act

Analysis, strategy, and implementation

PwC’s team of cybersecurity, legal, digitization, and other specialists will help you meet all your NIS2-related obligations, including security, legal analysis, strategy, financing, design, and implementation. We can also provide outsourcing of information security management system (ISMS) operation and employee training.

≈ 7,000 organizations in Slovakia will be subject to the revised EU NIS2 Directive

2025 is the year of expected effectiveness of the amended Cybersecurity Act

€10 mil. or 2% of net turnover is the maximum penalty for non-compliance with NIS2

What is the NIS2 Directive? 

NIS2 is the updated version of the EU Network and Information Security Directive issued in 2016. It significantly extends the scope of the current legislation and is designed to strengthen and secure European cyberspace. EU member states are obliged to transpose the directive into national legislation.

On 30 May 2024, the Slovak National Security Agency initiated an interdepartmental commenting procedure for the submitted draft amendment to the Cybersecurity Act. This amendment transposes NIS2 into Slovak law. The amendment is effective from 1 January 2025. Currently, the Ordinance on Security Measures is being prepared, and its effectiveness is expected from 1 July 2025.

Who will be subject to the regulation?

NIS2 identifies 18 sectors of the economy (compared to 7 sectors in NIS1) whose entities, private or public, will be required to implement enhanced cybersecurity requirements. The new sectors include, among others:

  • electronic communications providers
  • food sector
  • public administration entities
  • waste management
  • manufacturers, e.g., of computers
  • chemical manufacturers

How does NIS2 affect your organization?

NIS2 takes a proactive approach to risk management. Essential and important entities are required to implement appropriate security policies that ensure systematic and in-depth risk analysis. These policies should be based on an all-hazards approach, considering all possible risks, including those related to physical security. Risk management measures (technical, operational, and organizational) should be proportionate to the assessed risk. Monitoring and responding to potential threats must cover at least the following areas:

  • Prevention, detection, and response to incidents 
  • Business continuity and crisis management 
  • Supply chain security 
  • Cyber hygiene and training 
  • Security of network and information systems 
  • Vulnerability management and reporting policy 
  • Human resource security, access and asset management 
  • Multi-factor and continuous authentication 
  • Use of cryptography and encryption

Main proposed changes to the Cybersecurity Act

Increased number of regulated organizations and services

NIS2 will increase the level of security not only in the ‘VIP club’ environment, but also as regards the most significant elements of national infrastructure and services. The amended act will apply to new regulated entities and will also extend the scope of the law to a greater number of systems and services within organizations already subject to the current act, effective since 2018.

Regulated service areas include public administration, power, manufacturing, food, and chemical industries, water and waste management, rail, water, and road transport, digital infrastructure and digital services, financial markets, healthcare, science, research and education, postal services, and military and space industries.


Only a few new concepts

Similar to the current act, the draft amendment to the Cybersecurity Act is based on the internationally recognized standards of the ISO 27000 family, so only a few new concepts and measures are introduced which would not be standard at most companies. 

How PwC can help you 

A team of PwC’s cybersecurity experts, lawyers from PwC Legal, and public sector specialists will provide you with a complete package of services to meet your NIS2 obligations.

  • Analysis of the extent of the impact of the directive on your organization and specification of the scope of cybersecurity management 
  • Gap analysis of the current cybersecurity status 
  • Information security risk analysis 
  • Legal analysis of contracts and other legal documents 
  • Threat intelligence and OSINT analysis 
  • Cyber Hygiene Assessment (technical security level analysis using the Tanium tool) 
  • Compromise Discovery Assessment (environment compromise analysis using the Tanium tool)

  • Strategy of the security transformation programme 
  • Establishment of the security organization, governance, risk management, and compliance functions 
  • Definition of target operating model 
  • Transformation plan 
  • Project and programme plan 

  • Analysis of options for financing the strategy from public sources and EU subsidies 
  • Proposal of funding solution 
  • Support with applying for financing from the subsidy programme 
  • Follow-up support – tenders, cooperation during inspections, monitoring reports

  • Design and support during the delivery of security measures 
  • Preparation and modification of managed documentation
  • Proposal of changes and implementation of organizational, legal, and technical measures from our service portfolio
  • Development and configuration of selected technical measures (EDR, SIEM, VM, IAM/PAM, OT, Cloud security, etc.)
  • Proposal of legal changes (contractual arrangements with suppliers, employees, process set-up)
  • Support or representation for communication with the Slovak National Security Agency and other authorities as regards the registration of a regulated service and incident reporting
  • Project support and management, implementation

  • Operation of the information security management system (ISMS)
  • Managed service of selected measures
  • Staff education and training
  • Legal services (labour, corporate, and criminal law) for incident resolution

Where to start - Initial package

To handle the impacts of NIS2 requirements on a company’s operation, PwC recommends the following approach: 


NIS2 impact analysis 

We will help you analyse your organization’s position with regard to NIS2 requirements and identify the regime you fall under. We will do this by determining the scope of cybersecurity management in relation to the managed services we identify.

Gap analysis of current cybersecurity status and requirements 

We will help you identify deficiencies against the requirements and recommend corrective actions to ensure compliance.

Funding analysis and funding proposal 

We will help you analyse funding options for your organization from the EU subsidy programme. 


Contact us

Štefan Čupil

Partner, Risk Assurance Leader, PwC Slovakia

Tel: +421 911 964 212

Adrian Bagala

Senior manager, PwC Slovakia

Tel: +421 903 909 186

Marko Valo

Senior Consultant, PwC Slovakia

Tel: +421 948 700 744
