Slovakia has a new decree on security measures: 227/2025 replaces the previous 362/2018. Lawyers, the regulator, and people from cybersecurity operations discussed what this means in practice. They agreed that the key points are proportionality, clarity, and the ability to translate the rules into the real-world functioning of organizations.
Why the "new king": fewer details, more responsibility
The previous decree contained hundreds of detailed requirements, yet practice did not show higher compliance or a better understanding of the field. The new 227/2025 is more concise and relies more on open-ended principles and proportionality, thereby shifting a larger share of responsibility onto organizations. This requires knowledge of the environment, sound guidance, and the ability to make decisions based on risk rather than on a checklist alone.
Law is not meant to substitute for technical standards, but without regulation many entities, especially in the public sector, will not take the necessary steps. The argument “I don’t have a paper for that” still works in practice and slows down investment in security. The role of the regulation, therefore, is not to be a “cookbook” for technicians, but to create a framework that is workable and enforceable.
Suppliers under the microscope: contracts, costs, and common sense
Stronger regulation helps operators enforce security requirements with large vendors, similar to GDPR or DORA. At the same time, it means reviews and re-contracting, which in corporate practice can take years and is resource-intensive. Prices may fluctuate, but risk-related costs were often already “hidden” in the price of services; they just weren’t transparently identified.
The discussants warned against a “one size fits all” approach and against steamrolling the supplier in place of a well-thought-out agreement. The best results come when both sides do their homework: the customer knows which risks need to be covered, and the supplier can substantively quantify the additional work. The new statutory pressure is reinforced by the fact that in certain cases obligations attach directly to suppliers. And after 31. 8. 2025, contracts that are not aligned with the requirements should not be extended—in practice the burden of proof lies with the operator, and the inspector can assess this retrospectively.
Public administration, sectoral rules, and a "risk‑based" approach
In public administration, general and sectoral regulation will overlap, with the sectoral regulation intended to be fully fledged and to cover the full range of security areas. The interpretation presented points to the sectoral regulation for public-sector IT replacing the general standard, but the ambition is that nothing be missing in terms of content. Coordination between the ministries and the regulator is key so that contradictions or gaps do not arise.
The new decree is based on risk management instead of the old categories, but that does not mean “zero measures.” A minimum set of obligations always applies, and only residual risk can be accepted. If a risk analysis comes out “too rosy,” it more likely points to weak methodology or a poorly composed team—and the regulator as well as the auditor will ask about that during an inspection.