12 March 2026 Update - The transposition of the CER Directive in Slovenia
The transposition of Directive (EU) 2022/2557 into the legal order of the Republic of Slovenia must be understood as an ongoing legislative process that, as of early 2026, had not yet led to the adoption of a comprehensive national implementing statute.
Directive (EU) 2022/2557 entered into force on 16 January 2023 and required Member States to adopt and publish the national measures necessary to comply with its provisions by 17 October 2024. Slovenia did not adopt such measures by that date. Consequently, from the perspective of Union law, Slovenia failed to complete the transposition of the Directive within the prescribed deadline.
Before the adoption of Directive (EU) 2022/2557, Slovenia already maintained a national legal regime governing the protection of critical infrastructure and the continuity of essential services. This framework was based primarily on legislation implementing the earlier European regime established by Directive 2008/114/EC and on national security and civil protection legislation regulating the protection of infrastructure essential for the functioning of society and the economy. However, the earlier legal regime focused largely on the identification and protection of infrastructure assets considered critical from the standpoint of national security or economic stability. The CER Directive introduced a broader regulatory model centered on resilience and the continuity of essential services, thereby requiring Member States to expand and adapt their national frameworks accordingly.
In response to the Directive’s requirements, the Slovenian authorities initiated a legislative process aimed at reforming the national framework governing critical infrastructure protection. The government prepared draft legislative measures designed to align Slovenian law with the resilience-oriented regulatory model introduced by Directive (EU) 2022/2557. These legislative proposals seek to establish the institutional and regulatory architecture necessary for identifying critical entities, imposing resilience obligations upon them, and supervising compliance with those obligations.
The proposed Slovenian framework is intended to introduce procedures through which competent authorities identify entities whose services are considered essential for maintaining vital societal functions, public safety, economic stability, or environmental protection. These determinations are expected to be based on national risk assessments and sector-specific analyses evaluating the potential consequences of disruptions affecting essential services. Entities whose disruption would significantly impair the functioning of society or the economy would therefore be designated as critical entities under the national resilience regime.
Once designated as critical entities, the organizations concerned would be subject to statutory obligations designed to strengthen their resilience against disruptions. These obligations would include the requirement to conduct risk assessments identifying threats and vulnerabilities that may affect the continuity of essential services. Based on these assessments, critical entities would be required to implement technical and organisational measures aimed at mitigating identified risks and ensuring the continuity of their operations.
The Slovenian legislative framework under preparation includes incident reporting obligations requiring critical entities to notify competent authorities without undue delay when incidents occur that significantly disrupt the provision of essential services. These notification mechanisms would enable authorities to monitor disruptions affecting essential sectors and coordinate responses where necessary. Incident reporting therefore forms an important element of the resilience governance structure contemplated under the proposed legislation.
As of March 2026, despite the legislative preparations, the national measures necessary to fully implement Directive (EU) 2022/2557 had not yet been adopted. The existing Slovenian legislation governing critical infrastructure protection has not yet been comprehensively amended or replaced to incorporate the full set of obligations required by the Directive. Consequently, Slovenia cannot be regarded as having fully transposed the Directive into its domestic legal order.