Decree No. 227/2025 Coll. in the context of the “old” Decree No. 362/2018 Coll.
Since 1. 9. 2025, Slovak cybersecurity has had a new “working environment”. From the perspective of the law, but also of existing practice in the field of cybersecurity, this is certainly not a cosmetic change. What changes is first and foremost the philosophy, the related structure, and the “micro-setting” of many of the requirements, all of which now share a single correct starting point.
Decree No. 227/2025 of the National Security Authority on security measures (“227/2025”) replaces the previous Decree No. 362/2018 of the National Security Authority (“362/2018”) and, together with the earlier transposition of the NIS2 in the form of the amendment to the Cybersecurity Act, which is effective as of the first day of 2025, changes the rules of the game not only for the old familiar operators of basic services. Let’s see together how.
From “checklist” to risk-based
Decree 362/2018 was an important step at the time of its adoption: it created a considerably detailed catalogue of security measures for the areas under Article 20(3) of the Cyber Security Act, supplemented by information classification, IS categorisation and minimum requirements for the individual IS categories I-III. The wording of Decree 362/2018, however, often encouraged obliged persons towards a “compliance” approach in which a considerable scope of security requirements was processed only formally, through documentation, without any real link to an actual risk analysis or to business continuity. It should be added in the same breath that it is precisely formalisation and documentation that audits have often identified as a deficient “commodity” among obliged persons.
Notwithstanding the above, the formal approach that prevailed in Slovak cybersecurity practice under Decree 362/2018 is now partly over, replaced by a different philosophy and approach based on Decree 227/2025. Although at first, and perhaps even at second glance, it may not immediately appear so.
According to the latest wording of the Cyber Security Act, security measures are divided into minimum measures pursuant to Section 20(4) of the Act and general security measures (areas for which security measures are taken) pursuant to Section 20(2) of the Act, with the content of the areas of security measures pursuant to Section 20(2) of the Act being determined by Decree 227/2025 within the extensive 151-line Annex No. 1. Nothing new yet, the law was similarly structured before the amendment in conjunction with Decree 362/2018.
However, the key point is that, under the new rules, the scope of the security measures is linked only to the results of the risk analysis. One could argue that a risk analysis was also required under Decree 362/2018, but in truth the primary identification of security measures was based on the classification of information assets and the categorisation of networks and information systems (the minimum measures were fixed according to category I / II / III), and the risk analysis was often carried out only formally, for appearance’s sake, against a catalogue of assets that did not correspond to the assets that had already been classified.
The output was thus called a risk analysis, and it looked like one, but it was mostly an isolated document that did not reflect all the assets of the operator of the basic service. It “worked” with standard catalogues of threats, exceptionally also of vulnerabilities, without reflecting the real risk profile of the organisation, its assets, its critical activities and, last but not least, its (business and other) needs. It was essentially a formality presented to the auditor because the checklist “asks” for it.
Under Decree 227/2025, however, it is obligatory to anchor a systematic risk management process with an obvious mapping to the NSA methodology (although the methodology is not binding) and with a clear distinction between accepted, unaccepted and residual risks. Decree 227/2025 also explicitly requires demonstrable approval of the results of the risk analysis by the person referred to in Article 20(4)(h) of the Act.
From a practical perspective, this is a step forward: it moves from “ticking off measures” to discussing what is necessary, important and defensible for a particular basic service operator.
Security documentation: less talk, more content
Decree 362/2018 defined security documentation quite broadly and in places descriptively, also covering the related organisational culture, operational risk management frameworks or security manuals.
Although Decree 227/2025 does not match this framework in terms of content (it is in fact less detailed than Decree 362/2018), it expands the framework in terms of volume. For example, it requires security policies for the individual security areas (the amendment to the law has expanded these areas), the performance of a risk analysis, the determination of the level of identified risks, accepted risks and residual risks for assets together with a list of those assets, and a documented determination of the scope and manner of adoption, compliance and implementation of security measures, including the justification for not adopting a security measure.
In addition to the above, the shift can also be seen in the fact that, under Decree 227/2025, the documentation is more clearly linked to risk management and to the real architecture of the environment. Organisations that already use e.g. ISO 27001 or other frameworks in practice are explicitly allowed to map their existing risk analysis methodologies to the (non-binding but sound) methodology published by the National Security Authority of the Slovak Republic.
This puts pressure on those who have so far operated “on paper”. Security documentation can no longer be a one-size-fits-all template package; it must realistically reflect the organisation’s assets, its architecture and its risks.
OT “really” on the scene
One of the biggest shifts is the explicit anchoring of operational technologies (OT) in the text of Decree 227/2025. It works with the concept of operational technologies directly, e.g. in § 1 and § 4, and in Annex 1 it divides the measures according to their relevance for ICT and OT and sets security requirements that reflect the specifics of OT (e.g. emergency power supply, separate backup systems, physical and logical segmentation of OT from IT, OT layers, independent firewalls for OT).
This is a significant shift in terms of cyber security. The regulatory framework finally explicitly reflects that PLCs, SCADA or DCS cannot be governed by the same principles as “office” IT, and also that OT breaches can have real impacts.
However, this clear extension of the scope of the law also opens a new Pandora’s box. From the already narrow group of ICT experts in the field of cyber security, it is necessary to find those who have real knowledge of and specialisation in the world of OT.
In meeting the new obligations, it is important to address cybersecurity not only technically but also from a legal perspective. If an organisation needs to evaluate its obligations under an expanded regulatory framework, legal certainty is key. SIGNUM legal LLC has long practised regulatory and technology law and has assisted in the implementation of cybersecurity requirements, from identifying risks to setting up processes and contractual relationships in compliance with the law.
However, the legal setting must be followed by technical implementation. To manage the requirements of the law effectively, it is advisable to work with a partner who understands both OT and IT security. GAMO a.s. offers implementation of the law’s requirements, IT/OT audits, security monitoring and cybersecurity manager services. With a combination of technical know-how and practical experience, it can offer organisations solutions that are sustainable, functional and compliant with legislation.
In conclusion
So where are we heading with Decree 227/2025? Whether forward or backward will depend primarily on how controllers, auditors and cybersecurity managers do their jobs. The practice developed by these entities will show whether we resort to formulaic and formalistic approaches to cybersecurity or to a realistic implementation of security requirements, starting with the performance of a risk analysis and the mapping of security measures that realistically mitigate the identified risks.
