Cyber security audits expected in Slovakia in November

Slovakia

In November 2020, some businesses and organisations providing essential services in the critical infrastructure will have to undergo mandatory cyber security audits, a statutory obligation under the Slovak Cyber Security Act (Act No. 69/2018 Coll., the “Act”), in force since April 2018. The purpose of these audits is to verify the effectiveness of a company’s security measures and to ensure it is fulfilling its statutory requirements.

The deadline for fulfilment of the audit obligation will vary depending on the company's date of registration in the relevant register of providers maintained by the Slovak National Security Authority (NSA). (The register of providers of essential services can be found here.) According to the Act, for companies registered after 9 November 2018, the obligation must be fulfilled within two years of the date of registration. For companies registered before 9 November 2018, however, the obligation must be met within three years of that date (i.e. by 9 November 2021), according to the transitional provisions of the Act and the methodological guidelines issued by the Slovak National Security Authority in May 2019. The audit must be performed by an individual or entity certified by an accredited certification body. Certification is granted on the basis of an application meeting the requirements prescribed by law. The auditor's authority includes setting the duration of the audit so that it is sufficient to verify whether the adopted security measures are effective.

It is estimated that around one thousand companies operating in Slovakia will be obliged to fulfil this obligation. This is relevant for public administration entities, municipalities, and companies in the energy, heating, gas, healthcare, financial services or telecommunications sectors.

According to the Act, an essential service is defined as a service that fulfils at least one of the following:

  • it is dependent on networks and information systems, and is active in at least one sector or sub-sector listed in Annex No. 1 of the Act (e.g. banking, transportation, healthcare, etc.);
  • it is a public administration information system; or
  • it is a critical infrastructure element.

Furthermore, in order to qualify, an essential-service provider must meet at least one impact criterion (e.g. potential for economic loss or material damage, number of people affected, etc.) and one sector-specific criterion as specified in Slovak Decree No. 164/2018 Coll. (e.g. number of clients, market share, etc.).

Some of the key elements an auditor can review include:

  • Firewalls;
  • Software system security;
  • Data storage;
  • Cyber security policies (including passwords and bring-your-own-device to work policies);
  • Cyber security best practices guidance for employees.

Following an audit, the auditor will issue a final audit report explaining the results and the evidence used to make the assessment. Essential-service operators must submit the results and the report to the NSA within 30 days of the completion of the cyber security audit. The report must also set out any rectification measures, together with the time limits for implementing them. The cost of the audit is borne by the essential-service operator.

The NSA has the power to issue decisions regarding measures, impose sanctions for minor or other administrative offences, and carry out its own audits. The NSA can impose fines ranging from EUR 300 up to 1% of the service provider's overall annual turnover for the preceding financial year, capped at EUR 300,000.

If you have any questions regarding what a cyber security audit entails and the steps you should take to ensure compliance, please contact your regular CMS partner or local CMS expert.