
DORA Compliance in Slovenia

The Digital Operational Resilience Act (DORA) entered into application on 17 January 2025 and applies directly in Slovenia without national transposition. Financial entities licensed in Slovenia must meet binding ICT risk management, incident reporting, resilience testing, and third-party oversight requirements.

DORA supervisors in Slovenia: Bank of Slovenia (Banka Slovenije) and ATVP. Significant institutions under ECB direct supervision (SSM) are additionally supervised by the ECB for prudential purposes.

Who is in scope in Slovenia?

Any of the following entity types licensed or registered in Slovenia falls under DORA (DORA Article 2):

Micro-enterprise exemption: Entities with fewer than 10 employees and annual turnover below €2M are exempt from certain DORA requirements but must still implement basic ICT risk controls.

DORA obligations — five pillars

All five pillars apply to in-scope entities in Slovenia:

ICT Risk Management: ICT risk management framework (priority: critical; DORA Art. 5-6)
Documented ICT risk management framework; responsibility of the management body.

ICT Risk Management: Protection and prevention (priority: high; DORA Art. 9)
Continuous monitoring of ICT systems, security policies and tools.

Incident Reporting & Detection: Detection mechanisms (priority: high; DORA Art. 10)
Mechanisms for prompt detection of anomalous activity and ICT incidents.

Business Continuity & Recovery: Business continuity and recovery (priority: high; DORA Art. 11-12)
ICT business continuity policy, backup and recovery plans.

Incident Reporting & Detection: Major ICT incident reporting (priority: critical; DORA Art. 17-19)
Classification of major ICT incidents and reporting to the competent authority.

Resilience Testing: Resilience testing programme (priority: high; DORA Art. 24-26)
Regular ICT resilience testing; TLPT for critical entities.

Third-Party Risk Management: Third-party ICT risk management (priority: critical; DORA Art. 28-30)
ICT supplier register, contractual terms and concentration risk management.

Information Sharing: Threat intelligence sharing (priority: medium; DORA Art. 45)
Arrangements for the voluntary sharing of cyber threat information and intelligence.

Incident reporting to the supervisor (Bank of Slovenia / ATVP)

When a major ICT incident occurs, Slovenia-licensed entities must follow the DORA three-stage reporting timeline (DORA Articles 17–23): an initial notification within 4 hours of classifying the incident as major (and no later than 24 hours from becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final root-cause and remediation report within 1 month.

Reporting templates and classification criteria are set by DORA RTS (Commission Delegated Regulation 2024/1774). Parallel GDPR Article 33 notifications to the data protection authority may also be required if personal data is involved.

DORA vs NIS2 in Slovenia

Financial entities in Slovenia that also fall under NIS2 Annex I (banking and financial market infrastructure sectors) must comply with both frameworks. DORA acts as lex specialis for ICT risk obligations. NIS2 incident reporting to SI-CERT / Information Commissioner still applies independently for cybersecurity incidents under NIS2 Article 23.


Frequently asked questions

Does DORA apply to financial institutions in Slovenia?

Yes. DORA (Regulation (EU) 2022/2554) is directly applicable across all 27 EU member states, including Slovenia, from 17 January 2025. No national transposition is required — the Regulation applies in full as published. Financial entities regulated in Slovenia must comply directly.

Which authority supervises DORA in Slovenia?

DORA supervision in Slovenia falls to the entity's primary prudential regulator: Bank of Slovenia (Banka Slovenije) and ATVP. For banking groups under ECB direct supervision (SSM significant institutions), the ECB is the lead authority. National supervisors handle less significant institutions and non-bank financial entities. Cross-border groups must comply in each jurisdiction where they hold a licence.

What are the DORA incident reporting deadlines?

Financial entities must submit: an initial notification to the competent authority within 4 hours of classifying an incident as major (and no later than 24 hours from becoming aware of it); an intermediate report within 72 hours of the initial notification; and a final root-cause analysis and remediation report within 1 month. These deadlines are set by DORA Articles 17–23 and the associated Regulatory Technical Standards (RTS).

How does DORA differ from NIS2 for financial institutions in Slovenia?

Both frameworks apply simultaneously but DORA acts as lex specialis: for ICT risk management and operational resilience, DORA's more detailed obligations take precedence over NIS2 for in-scope financial entities. However, NIS2 incident notification to the NIS2 competent authority (SI-CERT / Information Commissioner) may still run in parallel to DORA reporting to the financial supervisor. Organisations should maintain separate notification workflows for each regime.

Who must undergo TLPT (threat-led penetration testing) under DORA?

DORA Article 26 requires significant financial entities designated by their competent authority to conduct TLPT at least every 3 years. TLPT must follow the TIBER-EU framework or an equivalent national standard. In Slovenia, Bank of Slovenia (Banka Slovenije) and ATVP publish the list of in-scope entities. Smaller entities must still conduct regular vulnerability assessments and network security testing under DORA Article 25.

For decision-support purposes only. DORA obligations may vary by entity type, size and systemic significance — verify with a qualified financial regulatory expert.