27 Oct, 2025

New Information Security Act (ZInfV-1): Key Innovations and Obligations for Stakeholders


Historical Development and Adoption of ZInfV-1

The Republic of Slovenia has been actively addressing digital protection challenges for several years. The process began in 2016 with the creation of a cybersecurity resilience strategy, laying the groundwork for safeguarding critical digital networks. In 2018, the Information Security Act (ZInfV) was introduced, implementing the initial European directive in this field, covering essential services, the public sector, and selected digital platforms. In 2020, the National Security Council highlighted a rising level of cyber risks, particularly evident during Slovenia’s EU Council Presidency when digitalization and security were key priorities. This assessment revealed the inadequacy of the existing framework, prompting a 2021 overhaul (ZInfV-A). This led to the establishment of the Government Office for Information Security (URSIV) as an independent entity, emphasizing the need for autonomy in effective oversight.

In 2022, the European Union adopted the new NIS 2 Directive, mandating its incorporation into national laws by October 2024. Slovenia responded in 2023 by drafting the Information Security Act (ZInfV-1), which integrates EU requirements with additional provisions. After months of negotiations, the law was approved by the National Assembly in May 2025, published on June 4, 2025, and took effect on June 19, 2025. The NIS 2 Directive serves as the central European legal framework for cybersecurity, updating existing regulations like eIDAS and the electronic communications code, while expanding its scope across multiple sectors to ensure a uniformly high security standard. Key requirements include risk management, incident reporting, supply chain security, and cross-border cooperation.

Key Features and Organizational Structure

ZInfV-1 builds on prior legislation with a more comprehensive approach, incorporating security strategies, response plans, and training programs. The NIS 2 Directive requires member states to designate competent authorities, and Slovenia has opted for a centralized model with URSIV as the lead body, supported by the SI-CERT team and the governmental SIGOV-CERT unit for public administration. URSIV ensures compliance, issues guidelines, and enforces penalties, including corrective measures or fines reaching up to 10 million euros or 2% of annual turnover for critical entities, and up to 7 million euros or 1.4% for significant entities. The law also incorporates other European regulations, such as the Cybersecurity Act and the European Cybersecurity Competence Centre Regulation.

While ZInfV-1 largely aligns with the NIS 2 Directive, it introduces specific adaptations reflecting Slovenia’s context, such as consolidating multiple rules into one document for ease of use, though this may complicate alignment with other EU frameworks. The Directive outlines general supervisory powers, whereas ZInfV-1 grants URSIV more detailed authority, including on-site inspections and broader sanctions. The law limits its application, excluding financial institutions, which fall under the Digital Resilience Act (DORA), and specifically addresses the defense sector, exceeding minimal EU requirements.

The NIS 2 Directive emphasizes supply chain resilience but leaves methods open, while ZInfV-1 imposes specific demands, such as certifying ICT products and continuously monitoring suppliers. This requires entities to maintain detailed supplier records and include security clauses in contracts, posing challenges for smaller businesses amid rising supply chain attacks. Additionally, it introduces the concept of "protected data," enabling URSIV to handle sensitive information more flexibly, though this may lead to legal or operational overlaps with other regulations.

Obligations for Stakeholders and Reporting

Stakeholders must implement measures to mitigate risks, develop response protocols, ensure supply chain security, and train personnel. Serious incidents must be promptly reported to URSIV or the national CSIRT, with mandatory public disclosure if public safety is at risk. The law also encourages voluntary reporting of minor incidents to enhance information sharing. URSIV oversees compliance, carrying out inspections and imposing measures, with fines reaching 10 million euros for critical entities.

Stakeholders are defined in Articles 6 and 7, covering essential entities from sectors like energy and healthcare, as well as significant ones from areas like postal services. Criteria include at least 50 employees and 10 million euros in annual revenue, though some, such as communication service providers, are obligated regardless of size. Status is determined through self-registration and EU guidelines on affiliated companies.

The law applies to approximately 1,000 entities, a significant increase from the previous law’s coverage of around 100, driven by the broader NIS 2 criteria. Entities must register with URSIV within six months of the law’s enactment, with risk management measures to be implemented within 12 to 18 months, setting a deadline of late 2026.

ZInfV-1 marks a significant advancement in protecting Slovenia from cyber threats, but its success hinges on effective implementation. Integrating EU rules offers simplifications yet presents challenges requiring caution, with URSIV playing a pivotal role in providing clear guidance and support during the transition.

Recommendations and Legal Assistance

Companies should assess their obligations under the law, complete self-registration, and adopt risk management measures. We also recommend reviewing policies, training programs, and supply chains. Križanec & Partners Law Firm in Slovenia brings extensive expertise in information and cybersecurity. Our lawyers provide professional advice and legal representation in all procedures related to ZInfV-1, including self-registration, risk management, and asserting rights and duties before competent authorities. For further details and legal guidance on the new law, contact our information law specialist, attorney at law Dinar Rahmatullin.

Address

Križanec & Partners
Dalmatinova ulica 2
SI-1000 Ljubljana
Slovenia
Copyright © 2025 Križanec & Partners