DORA Compliance in Slovakia
The Digital Operational Resilience Act (DORA) entered into application on 17 January 2025 and applies directly in Slovakia without national transposition. Financial entities licensed in Slovakia must meet binding ICT risk management, incident reporting, resilience testing, and third-party oversight requirements.
Who is in scope in Slovakia?
Any of the following entity types licensed or registered in Slovakia falls under DORA (DORA Article 2):
- Credit institutions (banks, building societies, savings institutions)
- Insurance and reinsurance undertakings (Solvency II entities)
- Investment firms, UCITS management companies and managers of alternative investment funds (AIFMs)
- Payment institutions and electronic money institutions
- Crypto-asset service providers (CASPs) under MiCA
- Central counterparties (CCPs) and central securities depositories (CSDs)
- Trading venues, data reporting service providers, trade repositories
- Institutions for occupational retirement provision (IORPs), unless the pension schemes they operate have no more than 15 members in total
Microenterprise relief: entities employing fewer than 10 persons with an annual turnover and/or balance-sheet total not exceeding €2 million (DORA Article 3(60)) are relieved of certain requirements, for example advanced threat-led testing under Article 26, but must still maintain an ICT risk management framework and report major incidents.
DORA obligations — five pillars
All five pillars apply to in-scope entities in Slovakia. The table below groups the main requirements under the pillar they belong to:

| Pillar | Requirement | What it means in practice | DORA articles |
|---|---|---|---|
| ICT Risk Management | ICT risk management framework | Documented ICT risk management framework; the management body bears responsibility for it | Art. 5-6 |
| ICT Risk Management | Protection and prevention | Continuous monitoring of ICT systems; security policies and tools | Art. 9 |
| Incident Reporting & Detection | Detection mechanisms | Mechanisms for prompt detection of anomalous activity and ICT incidents | Art. 10 |
| Business Continuity & Recovery | Business continuity and recovery | ICT business continuity policy, backup and recovery plans | Art. 11-12 |
| Incident Reporting & Detection | Major ICT incident reporting | Classification of ICT incidents and reporting of major incidents to the competent authority | Art. 17-19 |
| Resilience Testing | Resilience testing programme | Regular ICT resilience testing; threat-led penetration testing (TLPT) for designated entities | Art. 24-26 |
| Third-Party Risk Management | Third-party ICT risk management | Register of ICT third-party providers, mandatory contractual terms and concentration risk management | Art. 28-30 |
| Information Sharing | Threat intelligence sharing | Arrangements for voluntary sharing of cyber threat information and intelligence | Art. 45 |
Incident reporting to NBS
When a major ICT incident occurs, Slovakia-licensed entities must follow the DORA three-stage reporting timeline (DORA Articles 17–23):
- Initial notification (within 4 hours of classifying the incident as major, and no later than 24 hours from becoming aware of it): date/time, nature of the incident and an initial impact assessment.
- Intermediate report (within 72 hours of the initial notification): updated status, initial root-cause hypothesis, containment measures taken, and revised impact classification.
- Final report (within one month of the intermediate report): full post-incident analysis, root cause, remediation actions taken, lessons learned and recurrence-prevention measures.
Classification criteria are set by the DORA RTS on incident classification (Commission Delegated Regulation (EU) 2024/1772); report content, deadlines and templates are set by the separate RTS and ITS on major incident reporting. A parallel GDPR Article 33 notification to the Slovak data protection authority (Úrad na ochranu osobných údajov) within 72 hours may also be required if personal data are involved.
DORA vs NIS2 in Slovakia
Financial entities in Slovakia that also fall under NIS2 Annex I (banking and financial market infrastructure sectors) must comply with both frameworks. DORA acts as lex specialis for ICT risk obligations. NIS2 incident reporting to NBÚ (Národný bezpečnostný úrad, the National Security Authority) and its SK-CERT still applies independently for cybersecurity incidents under NIS2 Article 23.
Frequently asked questions
Does DORA apply to financial institutions in Slovakia?
Yes. DORA (Regulation (EU) 2022/2554) is directly applicable across all 27 EU member states, including Slovakia, from 17 January 2025. No national transposition is required — the Regulation applies in full as published. Financial entities regulated in Slovakia must comply directly.
Which authority supervises DORA in Slovakia?
DORA supervision in Slovakia falls to the entity's primary prudential regulator: NBS (Národná banka Slovenska). For banking groups under ECB direct supervision (SSM significant institutions), the ECB is the lead authority. National supervisors handle less significant institutions and non-bank financial entities. Cross-border groups must comply in each jurisdiction where they hold a licence.
What are the DORA incident reporting deadlines?
Financial entities must submit: an initial notification to the competent authority within 4 hours of classifying an incident as major (and no later than 24 hours from becoming aware of it); an intermediate report within 72 hours of the initial notification; and a final root-cause analysis and remediation report within one month of the intermediate report. These deadlines are set by DORA Articles 17–23 and the associated Regulatory and Implementing Technical Standards (RTS/ITS).
How does DORA differ from NIS2 for financial institutions in Slovakia?
Both frameworks apply simultaneously, but DORA acts as lex specialis: for ICT risk management and operational resilience, DORA's more detailed obligations take precedence over NIS2 for in-scope financial entities. However, NIS2 incident notification to the NIS2 competent authority, NBÚ (Národný bezpečnostný úrad, the National Security Authority), may still run in parallel to DORA reporting to the financial supervisor. Organisations should maintain separate notification workflows for each regime, with a single incident record feeding both.
Who must undergo TLPT (threat-led penetration testing) under DORA?
DORA Article 26 requires financial entities identified by their competent authority as significant to conduct TLPT at least every 3 years. TLPT must follow the TIBER-EU framework or an equivalent national implementation of it. In Slovakia, NBS (Národná banka Slovenska) identifies the entities required to perform TLPT. All other entities, including microenterprises, must still conduct regular vulnerability assessments, network security assessments and the other tests listed in DORA Article 25.
Official sources
- NIS2 Directive (EU) 2022/2555 — EUR-Lex
- DORA Regulation (EU) 2022/2554 — EUR-Lex
- ENISA — EU Agency for Cybersecurity
Last reviewed: 2026-07-03
For decision-support purposes only. DORA obligations may vary by entity type, size and systemic significance — verify with a qualified financial regulatory expert.