38. Slovenia 67.53

38th National Cyber Security Index
67th Global Cybersecurity Index
33rd ICT Development Index
27th Networked Readiness Index
Population 2.1million
Area (km2) 20.3thousand
GDP per capita ($) 36.6thousand
NCSI FULFILMENT PERCENTAGE
NCSI DEVELOPMENT TIMELINE 3 years All data
RANKING TIMELINE
NCSI Update Data source
31 Jul 2023 Government officials
2 Dec 2021 Public data collection
26 Nov 2018 Public data collection
12 Apr 2018 Public data collection

Version 31 Jul 2023

GENERAL CYBER SECURITY INDICATORS
BASELINE CYBER SECURITY INDICATORS
  • 5. Protection of digital services 5/5 100%
    5
    5 100%
    • 5.1. Cyber security responsibility for digital service providers 1
      1
      1
      Requirements
      Criteria

      According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.

      Accepted references

      Legal act

      Evidence

      http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7707

      Information Security Act (ZInfV)

      IV. Information security of digital service providers

      • Article 14 (security requirements and notification of incidents) 
    • 5.2. Cyber security standard for the public sector 1
      1
      1
      Requirements
      Criteria

      Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.

      Accepted references

      Legal act

      Evidence

      http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7707

      Information Security Act (ZInfV)


      V. Information security of state administration bodies 

      • Article 16: Safety requirements
      • Article 17: Security documentation and security measures
      • Article 18: Incident notification.
    • 5.3. Competent supervisory authority 3
      3
      3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence

      https://www.gov.si/en/state-authorities/government-offices/government-information-security-office/about-the-administration/

      The Government Information Security Office (GISO) is the competent national authority in the field of information security, which acts as a government office.

      GISO connects stakeholders in the national information security system and coordinates the operational capabilities of the system at a strategic level. It pays particular attention to subjects under the Information Security Act (ZInfV) from the group of essential service providers in the fields of energy, digital infrastructure, drinking water supply and distribution, healthcare, transport, banking, financial market infrastructure, food supply and environmental protection, from a group of digital service providers and from a group of state administration authorities.

      GISO is also the single point of contact to ensure cross-border cooperation with the relevant authorities of other EU Member States and with the European CSIRT Network and other international cooperation tasks. Through its own inspection service, it oversees the implementation of ZInfV.

      Due to being tasked with informing the Government and the National Security Council (NSC) in the case of critical incident or cyber attack, GISO is also placed within the national security system.

      http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7707

      Information Security Act (ZInfV)

      • Article 27: Competent national authority

      (1) The competent national authority is the Information Security Office of the Government of the Republic of Slovenia.

  • 6. Protection of essential services 6/6 100%
    6
    6 100%
    • 6.1. Operators of essential services are identified 1
      1
      1
      Requirements
      Criteria

      There is a legal act that allows to identify operators of essential services.

      Accepted references

      Legal act

      Evidence

      http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7707

      Information Security Act (ZInfV)

      • Article 6: Designation of essential service providers
      • Article 7: Criteria - methodology
    • 6.2. Cyber security requirements for operators of essential services 1
      1
      1
      Requirements
      Criteria

      According to the legislation, operators of essential services must manage cyber/ICT risks.

      Accepted references

      Legal act

      Evidence

      http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7707

      Information Security Act (ZInfV)

      III Information security of essential service providers

      • Article 11: Safety requirements
      • Article 12: Security documentation and security measures
      • Article 13: Incident notification
    • 6.3. Competent supervisory authority 3
      3
      3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence

      http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7707

      Information Security Act (ZInfV)


      Article 27: Competent national authority

      (1) The competent national authority is the Information Security Office of the Government of the Republic of Slovenia.

      (2) In addition to other tasks specified by this Act, the competent national authority performs the following tasks:

      1. coordinates the operation of the information security system;

      2. develops capabilities for the implementation of cyber defense;

      3. provides professional support in the field of information security to all taxpayers in the performance of their tasks;

      4. provides analysis, methodological support and preventive action in the field of information security and gives opinions in the field of their presence;

      5. cooperates with authorities and organizations operating in the field of information security, especially with national CSIRTs and CSIRTs of state administration bodies, with security-operational centers, with regulators or supervisors of the areas referred to in the second paragraph of Article 5, with the Agency for Communication Networks and Services of the Republic of Slovenia, with the Information Commissioner and law enforcement authorities and security solution providers;

      6. makes taxpayers aware of the importance of reporting an incident with all the signs of a criminal act, which is being prosecuted ex officio, to the law enforcement authorities, in accordance with the Criminal Code;

      7. coordinates training, exercises and education in the field of information security and takes care of raising public awareness of information security;

      8. encourages and supports research and development in the field of information security;

      9. performs testing of information and communication technologies in the field of information security;

      10. takes care of the preparation and implementation of the strategy;

      11. prepares a national incident response plan, taking into account the strategy, plans of the national CSIRT and CSIRT of state administration bodies, other competent authorities, and the security documentation of the obligees;

      12. reviews the adequacy of the determination of providers of essential services and state administration bodies at least every two years, and may propose updating the determinations to the government;

      13. for the purposes of reviewing Directive 2016/1148/EC, informs the European Commission at least every two years about the measures to determine the services of essential service providers, their number and importance, about the list of essential services and the thresholds for determining the appropriate level of provision of services by essential service providers based on the number users or according to the importance of the relevant provider of essential services;

      14. is a single point of contact for ensuring cross-border cooperation with the relevant authorities of other EU member states and with the network of CSIRT groups and with the cooperation group to which it contributes its representative;

      15. fulfills other obligations to inform the European Commission and the cooperation group, obligations to inform and notify other international organizations;

      16. performs other tasks of international cooperation;

      17. prepares proposals for regulations in the field of information and cyber security;

      18. performs the tasks of the national certification body for cyber security;

      19. determine a unified information security policy, except for information and communication systems intended for the field of defense, protection against natural and other disasters, police, internal information system of internal affairs, intelligence and security activities, external affairs, prevention and detection of money laundering and financing of terrorism and performing payment transactions for budget users.

      (3) The competent national body is responsible for planning and managing budgetary resources in the field of information security in the state administration, except for the implementation of technical tasks of information security or cyber defense in the management of the central information and communication system or the management of information and communication systems intended for the field of defense, protection against natural and other disasters, the police, the internal information system of internal affairs, intelligence and security activities, external affairs, prevention and detection of money laundering and financing of terrorism, and payment transactions for budget users.

    • 6.4. Regular monitoring of security measures 1
      1
      1
      Requirements
      Criteria

      Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).

      Accepted references

      Legal act

      Evidence

      http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7707

      Information Security Act (ZInfV)

      Article 27: Competent national authority

      (1) The competent national authority is the Information Security Office of the Government of the Republic of Slovenia.

      (2) In addition to other tasks specified by this Act, the competent national authority performs the following tasks: ...

      12.    reviews the adequacy of the determination of providers of essential services and state administration bodies at least every two years and may propose to the government an update of the determinations;

       

      Article 32: Supervision of Operators of essential services

      (1) The inspector supervises whether Operators of essential services fulfill their obligations from the first and fifth paragraphs of Article 10, from Article 11, from the first, second and fifth paragraphs of Article 12, from the first and second paragraphs of Article 13, from the sixth paragraph Article 14 of this act and from the decisions issued on the basis of the fourth paragraph of Article 21 and the fourth paragraph of Article 22 of this act, and on their basis certain measures for the security of networks and information systems.

      (2) The inspector may require Operators of essential services to submit information necessary to assess the security of their networks and information systems, including documented security rules, as well as evidence of the effective implementation of security rules. Where the inspector requests such information or evidence, he shall state the purpose of the request and specify what additional information is required. On the basis of the above information, it can impose measures on Operators of essential services to eliminate identified deficiencies.

      (3) An assessment of the security of networks and information systems prepared by a qualified auditor for the Operator of essential services is considered to be proof of the effective implementation of the security rules from the previous paragraph.

  • 7. E-identification and trust services 8/9 89%
    8
    9 89%
  • 8. Protection of personal data 4/4 100%
    4
    4 100%
INCIDENT AND CRISIS MANAGEMENT INDICATORS
Information Disclaimer

The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.

What can I do to improve my country's data in NCSI?

Become a data contributor Update a specific indicator with evidence data