What is AI regulation in Slovakia?

AI regulation in Slovakia is governed by the directly applicable European Union rulebook, enforced domestically through the national Act on the Organisation of State Administration in the Field of Artificial Intelligence. The jurisdiction employs a centralised regulatory architecture led by the Ministry of Investments, Regional Development and Informatization (MIRRI) as the primary market surveillance authority, supported by sector-specific regulators for data protection and cybersecurity. The national framework is underpinned by the Vision of AI for Slovakia (VAIS), a strategic doctrine that classifies artificial intelligence as critical infrastructure and promotes a sovereign digital ecosystem powered by local data and robust nuclear and hydroelectric energy capacity.

What this means

Slovakia does not write its own distinct legal code for what artificial intelligence can and cannot do. Those fundamental boundaries, risk classifications, and technical requirements are determined by the European Union. Instead, the Slovak government is responsible for building the local enforcement machinery required to make those European rules work on the ground. This involves deciding which government departments will police the market, how companies will be audited, and what infrastructure is necessary to support the domestic digital economy without compromising national security or citizen rights.

The Slovak model places one central ministry, MIRRI, in charge of overarching coordination, general market surveillance, and the handling of public complaints. This creates a single point of contact for developers and operators. However, if an artificial intelligence application touches a highly regulated area, such as the processing of personal data, consumer financial services, or critical cybersecurity infrastructure, existing specialist agencies take the lead.

Parallel to its regulatory plumbing, the Slovak government treats the technology as a strategic national asset. Rather than spending billions of euros to build a national foundational model from scratch, the state has opted to create a sovereign adaptive layer. This means the government partners with established European technology firms to fine-tune existing open-source models using securely held state data. The country is also positioning its stable, low-carbon energy infrastructure as a magnet for hosting large-scale computing centres, framing electrical stability as the new currency for regional digital development.

Why it matters

Slovakia's approach provides a highly structured blueprint for how smaller, industrially focused European nations can implement pan-EU legislation while simultaneously carving out a distinct competitive advantage. The jurisdiction's regulatory and strategic frameworks are deeply intertwined, focusing heavily on operational efficiency, energy leverage, digital sovereignty, and the aggressive protection of vulnerable demographics. The state views artificial intelligence not merely as an administrative challenge, but as a mechanism for fundamental economic transformation.

By guaranteeing stable, sovereign energy, the jurisdiction positions itself as a prime destination for computational workloads that might otherwise face grid constraints or aggressive carbon taxation in other European regions. The state views stable energy as a primary currency for the modern digital economy, explicitly tying its industrial policy to its regulatory framework to foster a highly predictable environment for hyperscale infrastructure investments.

By collaborating with leading European open-weights developers, such as the French company Mistral AI, the state intends to fine-tune existing models on local public administration data using domestic infrastructure. This ensures that sensitive public sector data remains under sovereign control while avoiding the astronomical capital expenditure required to train massive neural networks from scratch. This approach heavily influences the regulatory landscape, as it requires highly secure, audited environments where state data can interact with commercial algorithms without violating national security protocols or public trust.

Slovak policy explicitly warns that the long-term collection and processing of minor data by global developers risks profiling future generations, creating a critical vulnerability to national security. This stance signals to global operators that any deployments targeting or processing data from younger demographics will face intense, uncompromising regulatory scrutiny within Slovak borders.

How it works

A dual-layered system

The mechanics of EU AI Act implementation in Slovakia rely on a dual-layered system. The pan-European legislative framework dictates the substantive rules of engagement, classifying risks and setting technical mandates. National statutes allocate supervisory powers, define compliance workflows, establish the penalty infrastructure, and integrate algorithmic oversight into existing administrative law. Rather than creating an isolated regulatory silo, the state amended existing product safety and conformity statutes: Act No. 56/2018 on the conformity assessment of products was explicitly amended by Act No. 318/2025 to reference and enforce obligations under the new digital rulebook, ensuring hardware or software entering the market faces a unified, legally consistent compliance regime.

Who supervises what

MIRRI is the central coordinator and general market surveillance authority, acting as the single point of contact for European institutions, handling public complaints, conducting general corporate inspections, coordinating national strategy and operating regulatory sandboxes.

The Office for Personal Data Protection (UOOU SR) is the sectoral authority for privacy, overseeing any algorithmic system that processes personal data and enforcing automated decision-making rules and the digital age of consent under Act No. 18/2018 Coll.

The National Security Authority (NBU) supervises systems in critical infrastructure and products with digital elements, integrating AI oversight with the European cyber resilience framework.

The Slovak Trade Inspection leads on general consumer products and services embedded with algorithmic systems, empowered to order corrective measures, withdrawals and market bans.

The National Bank of Slovakia exercises prudential, conduct and ICT-risk oversight over regulated financial firms deploying high-risk algorithms for credit scoring, risk assessment or trading.

The Office for Standardization, Metrology and Testing (OSMT SR) is the notifying authority, designating and monitoring the third-party conformity assessment bodies that audit high-risk systems before market entry.

Inspection and interim powers

MIRRI conducts on-site inspections at corporate premises and public institutions to verify compliance with technical documentation, risk management protocols and transparency mandates. Crucially, it can issue aggressive interim measures: if a system poses a serious and immediate threat to health, safety or fundamental rights, the ministry can restrict, prohibit or force withdrawal of the product before formal penalty proceedings conclude. Under Slovak administrative law, these interim measures cannot be delayed or suspended by an operator lodging an appeal, ensuring dangerous systems are taken offline immediately. Because almost all commercial algorithmic systems rely on processing personal data, the UOOU SR retains jurisdiction over privacy audits, ensuring a lawful basis for processing and mechanisms for human intervention under Act No. 18/2018. The NBU monitors systems interfacing with critical infrastructure; in serious incidents affecting fundamental rights or national security, sectoral supervisors must notify MIRRI, law enforcement and the Office of the Public Defender of Rights, ensuring a coordinated state response.

The Government Plenipotentiary and the strategic layer

A Government Plenipotentiary for AI represents Slovakia in EU-level negotiations, including informal Council meetings, where the role has pushed an AI First policy while defending the protection of minors. Domestically, the Plenipotentiary initiates public dialogue on responsible deployments, shapes national infrastructure strategy alongside domestic technology associations, and guides regional municipalities on integrating algorithmic systems into public administration. Web interfaces or mobile applications through which high-risk systems are made available to the public must comply with the Web Content Accessibility Guidelines (WCAG 2.2), ensuring algorithmic services do not present barriers to users with disabilities.

Regulatory sandboxes

The sandbox framework allows a temporary, monitored relaxation of certain administrative rules, providing developers with bespoke regulatory guidance. Companies can refine algorithms, test data governance protocols and meet fundamental safety standards under the direct observation of MIRRI and relevant sectoral authorities, reducing the legal risk of market entry.

Examples

A municipality procures an automated tax-assessment system. Rather than selecting the lowest bidder, it evaluates the vendor on algorithmic transparency, data sovereignty and overall public value. Before deployment, the municipal IT department ensures the public-facing citizen portal meets WCAG 2.2 accessibility standards. When the system generates a preliminary decision on a citizen's tax inquiry, the final correspondence includes a mandatory statutory disclosure stating exactly which parts of the assessment were handled by the automated tool and which were reviewed by a human official, satisfying the national transparency mandate and protecting the municipality from administrative legal challenges.

A national consortium fine-tunes a public-administration model under the sovereign adaptive layer strategy. The model is fine-tuned exclusively on server farms located within Slovakia, powered by domestic hydroelectric and nuclear energy. The training data, including sensitive national infrastructure metrics and citizen usage patterns, never leaves the national jurisdiction. Before the tool goes live, the consortium coordinates with the National Security Authority to verify that the deployment architecture meets critical infrastructure cybersecurity standards, keeping the sovereign data layer impenetrable to foreign state actors.

A health-tech startup enters the regulatory sandbox. It works directly with MIRRI supervisors and the UOOU SR, which provides binding guidance on securing patient consent and cryptographically anonymising the training data to comply with Act No. 18/2018 Coll. Once the system completes the sandbox phase and proves its clinical safety metrics, the startup engages an independent auditor designated by the OSMT SR to complete an official conformity assessment. With certification secured, it can market the product across the European Economic Area, having already passed rigorous national scrutiny.

Common misunderstandings

"Slovakia has its own standalone AI law."

It does not. The substantive rules come from the directly applicable EU AI Act. Slovakia's national act allocates supervisory powers, workflows and penalties, and amends existing product-safety law (Act No. 318/2025).

"One regulator handles all AI."

MIRRI coordinates and is the general market surveillance authority, but privacy falls to the UOOU SR, cybersecurity and critical infrastructure to the NBU, consumer products to the Slovak Trade Inspection, finance to the National Bank of Slovakia, and conformity-body designation to the OSMT SR.

"You can appeal to suspend an enforcement order."

Not for interim measures. Where a system poses a serious and immediate threat, MIRRI's restriction or withdrawal order cannot be delayed or suspended by lodging an appeal.

"Paying the fine closes the matter."

It does not. Under Slovak administrative law the entity must still remedy the non-compliance, alter the architecture or withdraw the product, and fines can be imposed up to five years after the violation.

"Processing children's data is just a privacy formality."

Slovak policy treats long-term retention and profiling of minors' data as a strategic national-security concern, so edtech, social and gaming deployments face heightened scrutiny and a digital age of consent set at 16.

Risks and boundaries

Slovakia's framework is an enforcement and institutional layer over the EU AI Act, not a separate rulebook; reading the national act in isolation will mislead, and the substantive duties and risk classes are set at EU level. The national act is recent and still settling (the draft act was timed to take effect in January 2026), so authority designations and procedures may evolve.

Penalties are severe and tiered: up to EUR 35 million or 7 percent of global annual turnover for the most serious violations such as deploying prohibited practices; up to EUR 15 million or 3 percent for administrative non-compliance such as failing to maintain technical documentation or bypassing conformity assessment; and up to EUR 7.5 million or 2 percent for providing misleading information to regulators. Paying a fine does not absolve the operator, which must still remedy the situation or withdraw the product, and fines can be imposed up to five years after the violation.

Two boundaries deserve particular attention. First, transparency and lawful basis for automated administrative systems: Slovak courts set strict precedent in the eKasa judgment, flagging deficiencies in legality, transparency and data protection, so any system affecting legal rights must have a sound lawful basis and meaningful human intervention to contest automated decisions. Second, minors' data: the state treats long-term retention and profiling of minor data as a national-security vulnerability, so edtech, social-network and gaming vendors face a sceptical environment, and any failure to secure parental consent or any profiling of minors for commercial gain or training risks immediate intervention by the UOOU SR. None of this is legal advice; sector-specific classification and liability should be confirmed with the relevant authority or qualified counsel.

What to do next

Conduct an immediate jurisdictional mapping of all internal systems against the high-risk categorisation matrix to determine whether your deployments fall under MIRRI or a specialised sectoral authority such as the NBU or the UOOU SR.

Review all public-facing web interfaces and mobile applications connected to algorithmic systems to ensure they meet the WCAG 2.2 accessibility standards mandated for high-risk deployments.

If developing a novel high-risk tool or operating in a legal grey area, proactively contact MIRRI to explore entry into the national regulatory sandbox, which yields direct, binding guidance before commercial launch.

Execute a data-retention audit on any systems processing information from users under the age of 16, ensuring demonstrable compliance with the Slovak digital age of consent and the prohibition on long-term profiling of minors.

Prepare technical documentation, logging mechanisms and quality management systems for potential unannounced on-site inspections, recognising MIRRI's broad statutory audit powers.

If supplying systems to the Slovak public sector, build algorithmic transparency declarations directly into your software outputs to help state bodies meet their statutory duty to disclose algorithmic involvement in individual decisions.

FAQs

Does Slovakia have its own AI law?

The substantive rules come from the EU AI Act. Slovakia's national Act on the Organisation of State Administration in the Field of AI allocates supervisory powers and penalties and amends existing product-safety law.

Who is the lead AI regulator in Slovakia?

MIRRI is the central coordinator and general market surveillance authority and single point of contact, with sectoral authorities (UOOU SR, NBU, Slovak Trade Inspection, National Bank of Slovakia, OSMT SR) leading in their domains.

What are the maximum fines?

Up to EUR 35 million or 7 percent of global turnover for the most serious breaches, EUR 15 million or 3 percent for administrative non-compliance, and EUR 7.5 million or 2 percent for misleading regulators.

Can an appeal pause an enforcement order?

Not for interim measures against systems posing a serious and immediate threat; under Slovak administrative law these cannot be delayed or suspended by lodging an appeal.

What is the digital age of consent in Slovakia?

It is set at 16 under Act No. 18/2018 Coll., and the state treats long-term profiling of minors' data as a national-security concern.

What is the sovereign adaptive layer?

A strategy of fine-tuning existing open-weight models (for example via a partnership with Mistral AI) on state data using domestic infrastructure and energy, rather than building a foundational model from scratch.

Does paying a fine end the obligation?

No. The entity must still remedy the non-compliance or withdraw the product, and fines can be imposed up to five years after the violation.