The law transposes bits of several EU directives as well as directive 2016/1148 on measures for a high common level of security of network and information systems, which is supposed to be implemented in national law by May.

It sets minimum standards for digital service providers as well as operators of essential services such as electricity, gas and water companies, ports, railroads, banks and hospitals.

Public Administration Minister Boris Koprivnikar said the law set the minimum standards to declare an information system secure. He said it would be binding on digital service providers as well as state authorities.

One of the main features of the legislation is the creation of a National Information Security Administration, a body in charge of coordinating responses to cyberthreats.

At the operational level, SI-CERT, the existing computer emergency response team will act as the national computer security incident response team and the Public Administration Ministry will handle this segment for the public administration.

These institutions will be operational as of 2019.

The legislation was passed in a cross-partisan vote, despite concerns from the opposition that it is too vague and would cost the state much more than expected.