CRA Compliance in Slovenia

National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Slovenian manufacturers.

Slovenia's national cybersecurity authority structure combines SI-CERT (the national CSIRT operated by ARNES, the academic and research network) with AKOS (Agency for Communication Networks and Services), which has regulatory authority over electronic communications and serves as CRA co-authority. Slovenia has a technically sophisticated manufacturing sector with significant operations in industrial automation, medical devices, and automotive components. SI-CERT is one of the longer-established national CSIRTs in Central Europe, providing operational maturity for CRA incident coordination.

National Competent Authority (CRA)

AKOS / SI-CERT

Agencija za komunikacijska omrežja in storitve / SI-CERT

AKOS (Agency for Communication Networks and Services) serves as Slovenia's electronic communications regulator and CRA national competent authority for market surveillance. SI-CERT (operated by ARNES) serves as the national CSIRT. The Ministry of Public Administration coordinates national cybersecurity policy. CRA NCA designation will be confirmed through national implementing legislation.

https://www.akos-rs.si

National CSIRT (Article 14 Reports)

SI-CERT

https://www.cert.si/en/contact/

https://www.cert.si

CRA Enforcement in Slovenia

Slovenia's CRA enforcement is coordinated between AKOS (market surveillance and regulatory functions) and SI-CERT (incident coordination). The Market Inspectorate of the Republic of Slovenia (Tržni inšpektorat RS) conducts product safety market surveillance and will partner with AKOS on CRA enforcement activities. Slovenia has transposed NIS2 through amendments to the Zakon o informacijski varnosti (ZInfV), establishing the NCA and CSIRT functions for cybersecurity oversight. Slovenian manufacturers — particularly in the highly capable pharmaceutical, industrial automation, and electronics sectors — have significant CRA obligations.

CRA reference: Article 41, Article 43

Article 14 Incident Reporting for Slovenian Manufacturers

Slovenian manufacturers submit Article 14 notifications to SI-CERT through its secure contact channels. SI-CERT operates 24/7 incident response capability and participates in the EU CSIRTs network. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. SI-CERT has decades of experience coordinating incident responses across Slovenian public and private sectors, providing operational maturity for CRA incident management. Manufacturers should register with SI-CERT and establish a designated security contact ahead of any incident.

CRA reference: Article 14

Market Surveillance & Penalties

Market surveillance for CRA products in Slovenia is coordinated between AKOS and the Market Inspectorate (Tržni inšpektorat RS). The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. The Market Inspectorate has active enforcement capabilities under EU product safety regulations. Slovenian manufacturers should maintain CRA technical documentation in both Slovenian and English, and should expect documentation-based surveillance as the primary tool in the early years of CRA application.

CRA reference: Article 54, Article 58

Support for Slovenian Manufacturers

SI-CERT and AKOS publish cybersecurity guidance for Slovenian businesses in Slovenian and English. The Slovenian Enterprise Development Fund (SPS) provides SME support including innovation grants applicable to cybersecurity investments. The Chamber of Commerce and Industry of Slovenia (GZS) provides regulatory compliance guidance for manufacturing members. The Jožef Stefan Institute provides technical research and conformity assessment expertise. SPIRIT Slovenia (Public Agency for Entrepreneurship, Internationalization, Foreign Investments and Technology) supports manufacturer export capacity including EU regulatory compliance.

CRA reference: Annex I, Article 13

Frequently asked

How do I contact SI-CERT or AKOS as a manufacturer with a CRA compliance question?

SI-CERT can be contacted through cert.si/en/contact for incident reporting and general cybersecurity queries. AKOS is contacted through akos-rs.si for regulatory compliance questions. For CRA-specific enquiries, manufacturers should address queries to AKOS's electronic communications and cybersecurity division. The Chamber of Commerce and Industry (GZS) at gzs.si also provides EU regulatory compliance support for Slovenian manufacturers.

Does Slovenia have national-level CRA implementing legislation?

Slovenia has transposed NIS2 through the Zakon o informacijski varnosti (ZInfV) and implementing regulations. CRA implementing measures are expected through amendments to the ZInfV and product safety regulations under the Zakon o splošni varnosti proizvodov. AKOS and the Ministry of Public Administration are coordinating Slovenia's CRA implementation, with national measures expected ahead of December 2027. SI-CERT publications provide practical guidance for manufacturers navigating the current pre-implementation period.

How does the CRA interact with Slovenia's NIS2 implementation and industrial automation sector?

Slovenia's Zakon o informacijski varnosti creates incident reporting obligations that overlap with CRA Article 14 for manufacturers also operating as essential or important entities. SI-CERT is expected to develop consolidated guidance allowing a single notification to satisfy both frameworks where applicable. Slovenian manufacturers in industrial automation — a significant sector including companies like Gorenje and numerous tier-1 automation suppliers — should pay particular attention to CRA Annex I requirements for industrial control system products, where IEC 62443 certification provides a relevant compliance pathway.
