On Friday, 23 May 2025, the National Assembly of the Republic of Slovenia approved the new Information Security Act (ZInfV-1), which transposes the European NIS2 Directive into Slovenian legislation. The Act will enter into force on the fifteenth day after its publication in the Official Gazette. From that day on, essential and important entities will have six months to self-register (Article 60). Self-registration will be governed by the Government Information Security Office, which is obligated to establish a mechanism for self-registration within four months of ZInfV-1 entering into force.
Entities subject to ZInfV-1 will have approximately two years to bring their organisation’s information security management in line with the requirements of the Act. As Slovenia’s first Information Security Act defined information security management more strictly than foreseen in the NIS Directive, many organisations have already implemented the majority of the new Act’s requirements. However, some requirements will be encountered for the first time by both existing and new entities subject to the Act.
Managing supply chain security through measures and security testing
One of the significant innovations of ZInfV-1 is certainly supply chain security management. This security measure, also introduced by DORA, aims to address the issue of a growing attack surface caused by the interconnection of organisations in digital supply chains.
Nowadays, it is a no-brainer that visitors to an organisation’s premises should not be left unattended, even if they are regular guests. A visitor is welcomed at the reception desk and escorted by an insider from there on. However, when it comes to accessing digital assets, it is still often the case that suppliers have a VPN connection established, even when they do not need it. This often leaves the door to the internal network wide open, especially in organisations where the network is not segmented correctly.
When speaking of supply chain security management, two aspects should be considered:
- enforcing appropriate security policies when assigning and managing access rights to suppliers and integrating supplier solutions into the internal IT system;
- monitoring the security posture of key suppliers and acting appropriately if their security posture changes.
How does the ZInfV-1 define supply chain security management?
As defined in Article 22 of the ZInfV-1, entities subject to the Act are required to ensure measures for supply chain security in a way that “appropriate minimum requirements related to information and cyber security are established for key suppliers or service providers, where the requirements relate to the relationship between the entity and its direct suppliers or service providers.”… “In assessing and implementing appropriate security measures for supply chain security, essential and important entities should take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of the products and services provided by their suppliers and service providers in the area of cybersecurity, including their secure development processes. They should determine which security measures are adequate and appropriate to ensure supply chain security and may verify their implementation by suppliers and service providers. …”
The ZInfV-1 requirement for essential and important entities is to keep a list of suppliers, to implement security requirements and measures related to their cooperation with suppliers, and to monitor the suppliers’ security posture, which includes:
- assessing the risks of working with a particular supplier,
- contractually defining information and cyber security obligations; and
- monitoring the implementation of the supplier’s security measures.
Which suppliers should be regularly monitored and included in the list?
Organisations should, in particular, monitor and keep the list of suppliers who:
- provide critical ICT services such as security software, cloud services, managed services;
- have access to systems and data;
- have the potential to disrupt the organisation’s services and operations through security failures or deficiencies.
The list of suppliers should clearly show the criticality of each supplier (how important it is to the business) and the risk assessment based on questionnaires including:
- information security management practices,
- a statement of the sector-specific certifications in place, such as ISO 27001,
- a statement of the information system audits carried out.
How can we ensure ZInfV-1 compliant supply chain security in practice?
In large organisations with dispersed supply chains, managing such risks can place a heavy burden on internal teams. It is therefore recommended to consider a separation of tasks:
- The internal team should ensure that relationships with suppliers are clearly defined in security policies, that adherence to and assurance of appropriate levels of information and cyber security are specified in contracts, and that access routes between the organisation and the supplier are adequately secured.
- Monitoring of suppliers’ security posture can be efficiently managed by automated solutions that assess the security of the supplier’s external network. Such solutions utilise publicly available information to calculate the security score and do not interfere with the supplier’s network. Particularly for key suppliers, where continuous monitoring and rapid response to changes are necessary, such solutions are highly beneficial.
- For business-critical systems or solutions, arrange a third-party penetration test carried out on your request by cyber security testing specialists.
This approach not only provides a “checked box” from a legal compliance perspective but also contributes to improving your organisation’s security posture.
Smaller organisations should commit to at least the first two points: ensuring an adequate level of information and cybersecurity in contracts and policies and adequately securing links with suppliers, as well as regularly monitoring the security posture of suppliers. As a smaller organisation, you may find it more challenging to coordinate a third-party penetration test. Nevertheless, when discussing this issue with the supplier, point out that security testing also provides a business benefit for them, as it offers the opportunity to improve and gain a competitive advantage.
When to accept risk in the supply chain?
The business value of using a particular solution or service may outweigh the risk of working with its supplier. Or there may be only one suitable solution that efficiently addresses your specific problem. In this case, you will probably choose it despite the risks. It’s essential to be aware of these risks and address them accordingly: harden access control, assess the supplier more frequently, isolate the solution from other systems, or place it in a separate segment of the network.
The supplier’s security score, obtained either through an automated solution or a targeted security test, should guide you in further decision-making. Consider the results in the context of your organisation and internal security measures. Make an informed decision on whether to implement a solution or not based on risk analysis and Business Impact Assessment (BIA), which are also required documents when auditors knock on your door.
For more information on how to manage security in your supply chain, don’t hesitate to get in touch with us.