Slovakia's Cybersecurity Strategy 2026–2030: 7 Things Suppliers Should Expect

The National Security Authority (NBU) has outlined the contours of the new National Cybersecurity Strategy for 2026–2030. After years in which cybersecurity in Slovakia was more a topic of academic discussion than of real investment, change is coming, and with it new requirements for everyone who supplies IT services to the state.

Context: Why Now

2025 was a turning point for Slovakia in cybersecurity:

  • Increase in ransomware attacks on public institutions
  • Transposition of the NIS2 directive into Slovak law
  • Growing geopolitical tension and cyber threats related to the conflict in Ukraine
  • Outages of critical state systems (ESKN, UPVS)

The result is that cybersecurity has gone from a "nice to have" to a real condition for participating in public procurement.

The strategy responds to these challenges and defines a framework for the next five years.

What Suppliers Should Expect

1. Security as Part of Design, Not an Afterthought

The strategy emphasizes the "security by design" principle. Suppliers will need to demonstrate that security is integrated into the development process from the start, not tacked on at the end as a patch.

What this means specifically:

  • Security analysis as part of architecture design
  • Threat modeling before development begins
  • Security code review as standard

2. Mandatory Security Testing

Expect requirements for:

  • Regular penetration tests
  • Automated security scanning (SAST, DAST)
  • Testing before every production deployment

3. Incident Response Plans

Every supplier will need a documented incident response plan, including:

  • Defined roles and responsibilities
  • Communication procedures
  • Notification timeframes (in line with NIS2)

4. Supply Chain Security

The strategy also focuses on supply chain security:

  • Registration and verification of subcontractors
  • SBOM (Software Bill of Materials) for delivered software
  • Checking open-source components for known vulnerabilities

5. Education and Certifications

Suppliers will need to demonstrate that their teams have relevant security knowledge:

  • Certifications (CISSP, CEH, or equivalent)
  • Regular security training
  • Awareness programs for all employees
  • Participation in security exercises and simulations

6. Data Protection and Privacy

In line with GDPR and new requirements:

  • Encryption of data at rest and in transit
  • Data collection minimization
  • Regular audits of personal data processing

7. Continuity and Resilience

Suppliers of critical systems will need to demonstrate:

  • Business continuity plans
  • Disaster recovery procedures with tested RTO/RPO
  • Redundancy of critical components

What This Means for the Market

These requirements will raise the entry barrier for public sector suppliers. Smaller companies without established security processes will be at a disadvantage. On the other hand, companies that take security seriously will have an edge in tenders.

It's also a signal that the Slovak public sector is beginning to align with the standards of regulated industries like banking or healthcare.

What this looks like for us

On a recent project for a public sector client, we implemented automated SAST/DAST scanning into the CI/CD pipeline. The first scan uncovered 14 vulnerabilities in the existing code. None were critical, but cumulatively they created an attack surface nobody knew about. Security is part of every sprint for us: threat modeling, code review, automated testing.

We help clients build systems that are secure from the first line of code.

How to Prepare

If you supply IT services to the public sector:

  1. Start with an audit: where are the gaps between your current processes and the new requirements?
  2. Invest in education: security certifications and training for your team
  3. Automate: security testing must be part of the CI/CD pipeline
  4. Document: processes, plans, and procedures must all be documented and up to date

Need a partner to help you meet new security requirements? Write to us.

Slovakia's Cybersecurity Strategy 2026–2030: 7 Things Suppliers Should Expect | Rise.sk