3 March 2025 | 9 minute read

New legislation on cybersecurity and critical infrastructure with respect to the space sector

Amendment to the Cybersecurity Act

Act No. 366/2024 Coll. (hereinafter referred to as the "Amendment") transposes Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS 2 Directive) into Slovak law with effect as of 1 January 2025. This Amendment, which in particular amends Act No. 69/2018 Coll. on Cybersecurity, as amended (hereinafter referred to as the "Cybersecurity Act"), introduces several key changes.

Amendment of the legislation

In general, the Amendment amends the existing legislation in the spirit of modernisation, thereby increasing the overall level of cybersecurity at national level and reducing the risks associated with technological developments and digitalisation. In addition to the Cybersecurity Act, the Amendment amends several other laws.

Identification of obliged entities

The most significant change is the new mechanism for identifying operators of essential services. The original mechanism of combined identification under Annex 1 of the Cybersecurity Act in conjunction with the overlapping identification criteria is replaced by an exhaustive enumeration of entities directly in the Cybersecurity Act.

Extension of the scope of the Cybersecurity Act

The Amendment extends the scope of competence to other entities and expands the tasks of the National Security Authority (hereinafter referred to as the "NSA") in the area of the cybersecurity certification system. The NSA is not only the contact point for cybersecurity for foreign countries, including European Union authorities, but also for domestic cooperation.

Security measures

The Amendment introduces a minimum level of security measures and strengthens control of the supply chain. The security measures are adapted to reflect the new security standards, including addressing supply chain risks. The obligation to adopt, maintain and implement security measures is generally incumbent on the operator of the essential service.

However, where the operator of the essential service performs an activity defined by the Cybersecurity Act through a third party, it is obliged to conclude a contract with that third party ensuring compliance with the security measures and notification obligations under the Cybersecurity Act for the entire period in which the activity is performed. The third-party contractor is obliged to implement and enforce security measures in accordance with the written contract and the Cybersecurity Act for the duration of the contractual relationship. It must also submit to checks of compliance with these measures by the operator of the essential service and, if the contract is with the operator of a critical essential service, by the NSA.

Reporting cybersecurity incidents

The Amendment regulates the reporting of cybersecurity incidents, significant cyber threats, near misses and vulnerabilities, as well as incident handling. Voluntary reporting of cybersecurity incidents is encouraged.

Categorisation of entities

The Amendment further removes the distinction between an essential service provider and a digital service provider. Regulated entities are divided into two categories based on their importance:

  • Important entities: operators of essential services;
  • Essential entities: operators of critical essential services.

Operators of essential services

As outlined above, the Cybersecurity Act, as in force after the Amendment, directly determines who is entered in the register of operators of the essential services. For example, the following categories may be relevant from the perspective of entities doing business in the space sector:

  1. a critical entity (as defined in the Critical Infrastructure legislation, which is discussed under Section 2 below),
  2. a person, irrespective of whether the size thresholds for a medium-sized enterprise are met, which carries out an activity in one of the sectors listed in Annex 1 or Annex 2 and which:
    a) is an undertaking providing a public electronic communications network or a public electronic communications service,
    b) is a trust service provider,
    c) is a TLD name registry,
    d) is a DNS service provider,
    e) is the sole provider in the Slovak Republic of a service which is essential for the maintenance of critical societal or economic activities,
    f) provides a service the disruption of which could have a significant impact on public order, safety or public health,
    g) provides a service or is in a position such that a disruption in the provision of the service or an interference with the position could give rise to a significant systemic risk, in particular in a sector where such disruption or interference could have a cross-border impact,
    h) is critical to a particular sector because of its particular importance at national or regional level, or
    i) is an economic mobilisation entity that has been subject to a measure imposed under a special regulation,
  3. a person who meets at least the size thresholds for a medium-sized enterprise and is active in one of the sectors listed in Annex 1 or Annex 2.

Annex 1 contains, inter alia, the following sector:

Sector: Space

Subsector: -

Type of entity: Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks

Central authority: Ministry of the Interior of the Slovak Republic

Note: Act No. 452/2021 Coll. on Electronic Communications, as amended

Thus, if an entity falls under the Space sector in Annex 1 of the Cybersecurity Act and also meets at least one of the conditions set out in point 2. letters a) to i) above, it will be considered an operator of an essential service. In this case, the size of the entity is irrelevant.

An entity falling under the Space sector in Annex 1 of the Cybersecurity Act will also be considered an operator of an essential service if it meets at least the size thresholds for a medium-sized enterprise. In such a case, it is not required to meet at least one of the conditions set out in point 2. letters a) to i) above.

The size threshold (medium-sized enterprise) should be assessed according to Commission Recommendation 2003/361/EC.

Please note that the Space Sector under Annex 1 of the Cybersecurity Act is not bound to the performance of activities under Act No. 378/2024 Coll. on the Regulation of Space Activities (on the contrary, it refers to Act No. 452/2021 Coll. on Electronic Communications, as amended).

Critical essential services

Critical essential service means, among others, an activity in a sector as defined in Schedule 1 of the Cybersecurity Act, other than the public administration sector, if it is carried out by a person that exceeds the size thresholds specified for a medium-sized enterprise.

 

Critical Infrastructure Act

Act No. 45/2011 Coll. on Critical Infrastructure, as amended, was repealed with effect from 1 January 2025 and replaced by Act No. 367/2024 Coll. on Critical Infrastructure (hereinafter referred to as the "Critical Infrastructure Act").

The Critical Infrastructure Act transposes Directive (EU) 2022/2557 of the European Parliament and of the Council on the resilience of critical entities into Slovak law.

The Critical Infrastructure Act regulates the organisation and competence of state administration bodies in the field of critical infrastructure. It sets out the process for identifying critical entities and critical entities of particular European significance, as well as their obligations in ensuring the resilience of critical infrastructure and the continuity of the provision of essential services.

The duties of critical entities are:

  • Adopt a resilience plan within ten months of identification that includes technical, organisational, personnel and control measures to ensure resilience.
  • Conduct an initial risk assessment within nine months of identification and update it as necessary, taking into account all relevant natural and human risks.
  • Report incidents that meet certain thresholds to the relevant authorities, including the cause, impact, duration and geographical scope of the incident.
  • Implement measures to prevent, protect, respond, resist, mitigate, absorb, adapt and recover from incidents. Ensure adequate physical and technical protection of critical infrastructure.
  • Increase staff awareness of resilience measures through training and information materials. Manage security of staff and external personnel, including authentication and access rights.
  • Provide the necessary information and cooperation to government authorities during audits and inspections. Share relevant information with other critical entities to enhance overall resilience.
  • Comply with all relevant laws and regulations. Regularly review and update the security plan and resilience measures, at least every four years or as required.
  • Coordinate with state authorities and other critical entities to ensure effective implementation of resilience measures. Utilize support from state authorities to enhance resilience, including guidance materials and training.

Competence of public authorities

  • Government: approves the strategy on the resilience of critical entities.
  • Ministry of the Interior of the Slovak Republic: develops the strategy, manages the list of identified critical entities and coordinates with the European Commission and other Member States.
  • Central authorities: contribute to strategy development, assess risks, identify critical entities and manage relevant information.

Identification of critical entities

The identification of a critical entity shall be made by the relevant central authority. The central authority shall identify an entity as a critical entity if:

  a) the entity provides one or more of the essential services under Annex 1 of the Critical Infrastructure Act,
  b) the entity operates and its critical infrastructure is located on the territory of the Slovak Republic; and
  c) an incident at a critical entity would have a significant disruptive effect on the provision of one or more essential services by the critical entity or on the provision of other essential services in the sectors and subsectors listed in Annex 1 of the Critical Infrastructure Act that depend on that essential service or those essential services, based on meeting at least one of the significant disruptive effect criteria.

Cumulative fulfilment of all the conditions set out in letters a) to c) above is required for identification.

Annex 1 of the Critical Infrastructure Act includes, inter alia, the following sector:

Sector: 9. Space

Subsector: -

Categories of entities: operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, with the exception of providers of public electronic communications networks under a specific regulation (the Critical Infrastructure Act refers to Act No 452/2021 Coll. on Electronic Communications, as amended)

Essential services: services managed and operated by the Slovak Republic or owned by a legal entity contributing to the provision of space services

Central authority: Ministry of the Interior of the Slovak Republic

Please note that the Space Sector under Annex 1 of the Critical Infrastructure Act is not bound to the performance of activities under Act No. 378/2024 Coll. on the Regulation of Space Activities (on the contrary, it refers to Act No. 452/2021 Coll. on Electronic Communications, as amended).

For the sake of completeness, it should also be noted that the Critical Infrastructure Act does not apply to critical entities in the space sector that operate infrastructure owned, managed or operated by, or on behalf of, the European Union as part of its space programme.

 

Conclusion

Based on the above, if you fall within the definition of an operator of an essential service under the Cybersecurity Act or have been identified as a critical entity under the Critical Infrastructure Act, you will be subject to the relevant obligations.

If you have any further questions, please do not hesitate to contact us.
