What is AI regulation in Slovenia?
AI regulation: countries and regions
AI regulation in Slovenia is built mainly on the EU AI Act, with a Slovenian implementing law adopted in 2025 that allocates regulators, sets offences and organises supervision. Oversight is split across AKOS, the Information Commissioner, Bank of Slovenia, the Insurance Supervision Agency and the Market Inspectorate. Slovenia also has a national AI policy layer: the earlier NpUI 2025 programme and the adopted 2030 AI strategy, plus public sector transparency duties and a national ethics council.
What this means
Slovenia does not run a wholly separate AI rulebook from Brussels. The main binding framework is the EU AI Act, which applies directly in Slovenia. What Slovenia has added is the national machinery that tells you which authority supervises which type of AI use, how national penalties are organised, how public bodies must disclose AI use, and which institution acts as the public contact point.
As of 6 June 2026, the whole AI Act is not yet fully applicable. The general provisions, banned practices, governance rules, general-purpose AI model layer and penalty framework are already in force, while most remaining high-risk system rules and the broader transparency layer start applying on 2 August 2026. Note that the European Commission has proposed a digital Omnibus package that could defer some high-risk obligations, so the 2 August 2026 dates should be read as the current legal position rather than a settled certainty. That timing matters, because organisations in Slovenia should already be putting governance in place rather than waiting for the full start date.
Slovenia also has a strategic layer. Its first national AI programme was NpUI 2025. In March 2026 the government adopted a new 2030 AI strategy that updates the earlier framework and sets the national direction for infrastructure, skills, uptake, ethics, regulation and public sector use.
Why it matters
If you build, buy, deploy or govern AI in Slovenia, you need to know two things early: whether your system falls into an EU AI Act risk category, and which Slovenian authority is likely to supervise it. That can change materially by sector. A lender, insurer, employer, ministry or critical infrastructure operator may face different supervisors even where the same EU regulation applies.
The Slovenian layer also creates practical governance pressure. Public bodies have disclosure duties that go beyond generic strategy talk. Enforcement is not abstract either, because the national law creates offences and fines and gives authorities a coordinated enforcement structure. For organisations handling personal data, the AI Act sits alongside data protection law rather than replacing it.
How it works
The legal core is the EU AI Act
Slovenia's AI regulation starts with Regulation (EU) 2024/1689, the EU AI Act. That is the main substantive rulebook for prohibited practices, high-risk AI, transparency duties, general-purpose AI models, governance and penalties. In practical terms, Slovenia does not redefine the main EU concepts. It implements them through national institutions and enforcement arrangements.
The AI Act applies in stages. By June 2026, the rules on scope, definitions and prohibited practices are already applicable, as are the governance layer, the general-purpose AI model layer and penalty provisions. Most of the remaining rules, including the main Annex III high-risk duties and the broader Article 50 transparency duties, start on 2 August 2026. That means Slovene organisations should treat 2026 as an implementation year, not a waiting room.
Slovenia divides supervision by sector and use case
Slovenia's implementing law, ZIUDHPUI, took effect on 21 November 2025 and does the key national work. It names five market surveillance authorities: the Agency for Communication Networks and Services of the Republic of Slovenia, usually called AKOS; the Information Commissioner; Bank of Slovenia; the Insurance Supervision Agency; and the Market Inspectorate of the Republic of Slovenia. The same law makes AKOS the single point of contact for the country.
The split is functional, not symbolic. The Information Commissioner supervises prohibited practices and certain high-risk areas that are closely tied to fundamental rights, namely biometrics, education, law enforcement, migration and border management, and justice and elections. Bank of Slovenia supervises AI used by credit institutions for the relevant creditworthiness use case. The Market Inspectorate takes the equivalent role for consumer lenders it already supervises. The Insurance Supervision Agency covers the relevant insurance use case. AKOS takes the large remainder, including product-linked high-risk AI under Annex I Section A, critical infrastructure, employment and worker management, certain public-benefit and emergency-service uses, and the national supervision of Article 50 transparency duties.
This matters because there is no single Slovenian AI super-regulator for every file. If you misidentify your use case, you can end up preparing the wrong regulator engagement, the wrong internal controls or the wrong reporting route.
Notification, conformity and enforcement are organised nationally
Beyond supervision, ZIUDHPUI also assigns notifying authorities. Different ministries or agencies handle different categories of notified-body designation, depending on whether the AI is embedded in regulated products or falls within the relevant Annex III category. The national accreditation service assesses and monitors conformity-assessment bodies.
For operators, that means Slovenia has built the national institutional plumbing needed for higher-risk AI oversight rather than relying only on abstract EU text. The law also creates national misdemeanour offences and fines tied to duties under the AI Act and the Slovenian implementation law. It requires the market surveillance bodies to coordinate through a formal coordination council led by AKOS, and it requires regulatory reporting back into the European framework.
Public sector AI use is subject to extra Slovenian transparency rules
One of Slovenia's clearest national add-ons is public sector disclosure. Under ZIUDHPUI, the ministry responsible for managing state information and communication systems must provide a single information point where public sector bodies publish set information about AI systems or information tools that include AI. The required information includes the body's name, the intended use, the basic principles of the algorithmic decision logic, the document number and date of any data protection impact assessment, the document number and date of any fundamental rights impact assessment for high-risk AI, and the available legal redress.
This is not just a paper duty. In May 2026 the Ministry of Digital Transformation launched the SPOT e-procedure through which public bodies report these AI uses, with publication to follow on the national open data portal. There are statutory exclusions, including certain law-enforcement, defence, national security, migration, asylum and border-management uses, and systems used exclusively for military, defence or national-security purposes.
Slovenia has also now moved beyond the law text on ethics. The implementing law created a five-member National Council for Ethics in AI, and the government appointed its members in May 2026. Its role is advisory rather than a substitute regulator, but it is part of the country's governance architecture.
Strategy and innovation support sit alongside enforcement
Slovenia's policy architecture did not begin with the AI Act. NpUI 2025, adopted in 2021, was the country's first comprehensive AI programme. It focused on ecosystem-building, skills, research, infrastructure, deployment, ethics, regulation and a national AI observatory. In March 2026, the government adopted NsUI 2030, which updates that earlier approach and sets five strategic goals around sovereign and trustworthy AI, wider uptake, knowledge and ecosystem development, resilience and international positioning.
The 2030 strategy is important, but it is not itself the main compliance instrument. It is a strategic framework for action plans, funding priorities, institutional coordination and long-term capability building. For businesses and public bodies, it tells you where Slovenia is trying to go. It does not remove the need to classify systems correctly, complete AI Act controls, deal with sector regulators or address data protection and other sector law.
Innovation support is part of the framework too. AKOS is responsible for establishing at least one national regulatory sandbox for AI by 2 August 2026 and describes a two-step public-call model for selecting sandbox themes and participants. It also operates a national contact role for AI Act implementation and is tasked with providing guidance and answering questions from businesses, innovators, local government and the wider public.
Examples
A Slovenian bank using an AI system to assess creditworthiness does not face the same national supervisor as every other AI user. Under the Slovenian implementation law, Bank of Slovenia supervises the relevant creditworthiness use case when it is used by credit institutions. If a comparable tool is used by a lender supervised under consumer-credit rules, the Market Inspectorate takes that supervisory role instead. In both cases, the EU AI Act still supplies the substantive rule set.
A ministry, municipality or other covered public body introducing an AI-assisted administrative tool has a national disclosure task in addition to any EU AI Act duties. It must report the system through the SPOT process so the key information can be published via Slovenia's central public data point, unless the system falls within one of the statutory exclusions such as specified law-enforcement, defence, national-security or border-management contexts. For relevant systems, publication covers not only intended use and basic algorithmic logic but also references to impact-assessment documents and routes for legal protection.
An employer or infrastructure operator planning a high-risk AI deployment should not wait until after launch to work out the Slovenian institutional path. For employment and workforce-management systems, and for critical-infrastructure systems, AKOS is the main national supervisor. AKOS is also the body tasked with establishing Slovenia's AI regulatory sandbox by 2 August 2026, which makes it the logical national place to watch for early guidance and future sandbox entry points.
Common misunderstandings
"Slovenia has its own AI Act instead of the EU AI Act." Correction: the EU AI Act is the core substantive rulebook, while Slovenia's national law mainly allocates authorities, penalties and implementation mechanics.
"All AI Act duties are already fully in force in Slovenia." Correction: application is phased. By June 2026, some layers already apply, but most of the remaining high-risk and transparency rules begin on 2 August 2026.
"The Information Commissioner supervises every AI system in Slovenia." Correction: supervision is split across five bodies, with AKOS, Bank of Slovenia, the Insurance Supervision Agency and the Market Inspectorate each having defined roles.
"Only AI vendors need to care." Correction: deployers also matter. Employers, lenders, insurers and public bodies can have direct duties under the EU AI Act and the Slovenian implementation law.
"Public sector AI use can stay internal and undisclosed." Correction: many public bodies must publish core information about AI they use, subject to specific statutory exclusions.
Risks and boundaries
This page is about Slovenia's national AI architecture, not a full article on every substantive EU AI Act requirement. For the full risk-tier logic, conformity work, impact assessments and general-purpose AI model duties, the EU layer remains decisive.
Classification can still be difficult. A single organisation can be a provider, deployer, importer, distributor or product manufacturer, depending on the fact pattern. Borderline questions also arise around whether a system is actually "high-risk", whether a public tool falls within a statutory exclusion, and which sector supervisor has the lead. Those are not issues to guess through.
The Slovenian strategic layer also has limits. NpUI 2025 and NsUI 2030 matter for direction, funding and governance, but strategy documents do not replace binding compliance duties. Likewise, the ethics council is advisory, not the main enforcement body.
There are also practical implementation uncertainties to watch. The public sector information point and SPOT reporting route are new, and the sandbox architecture is still being operationalised ahead of the 2 August 2026 deadline. AKOS's English AI pages also state that the original Slovene version prevails if there is a translation discrepancy. And where personal data is involved, GDPR and sector-specific rules continue to apply in parallel.
What to do next
Start with an AI inventory. Record who provides each system, who deploys it, what sector it sits in, what data it uses, and what decisions or recommendations it affects.
Then map each use case against the EU AI Act and the Slovenian authority split. If the use touches employment, credit, insurance, biometrics, public benefits, justice, migration, emergency services or critical infrastructure, treat classification and regulator mapping as an early-stage task.
Do not wait for 2 August 2026 to build controls. Put AI literacy, governance ownership, procurement checks, record-keeping, transparency notices, incident escalation and change-management into place now. If personal data is involved, align AI governance with your data protection work rather than running two separate tracks.
If you are in the public sector, make the SPOT and OPSI publication process part of project delivery. Prepare the intended-use description, algorithm summary, redress route and the references for any impact assessments before the system goes live.
Use the national support structure. Watch AKOS for guidance and sandbox developments, watch the Information Commissioner where fundamental-rights and personal-data risks are prominent, and monitor the Ministry of Digital Transformation for strategy and public-administration updates.
FAQs
Does Slovenia have a standalone national AI statute?
Yes, but only as an implementation layer. Slovenia's ZIUDHPUI law does not replace the EU AI Act. It mainly assigns authorities, enforcement powers, penalties, a public-sector disclosure mechanism, an ethics council and innovation support measures.
Is the EU AI Act already fully applicable in Slovenia?
No. As of 6 June 2026, some parts already apply, including the general provisions, prohibited practices, governance layer, general-purpose AI model layer and penalties. Most of the remaining system rules start on 2 August 2026, with the Article 6(1) layer applying later.
Who is the main AI regulator in Slovenia?
There is no single regulator for every case. AKOS is the national single point of contact and main coordinator, but supervision is split among AKOS, the Information Commissioner, Bank of Slovenia, the Insurance Supervision Agency and the Market Inspectorate.
Which authority matters for AI used in lending?
Bank of Slovenia supervises the relevant creditworthiness use case when used by credit institutions. The Market Inspectorate handles the equivalent role for lenders it supervises under consumer-credit rules.
What is NpUI in Slovenia?
NpUI 2025 was Slovenia's first national AI programme, adopted in 2021. It has now been followed by the government's 2030 AI strategy, which updates the national policy direction for AI capability, uptake, ethics, regulation and infrastructure.
Do Slovenian public bodies have extra AI transparency duties?
Yes. Many public sector bodies must publish key information about AI systems or AI-enabled information tools they use through the national reporting and publication route, subject to statutory exclusions for certain sensitive domains.
Is there a Slovenian AI sandbox?
Slovenia's law requires AKOS to establish at least one AI regulatory sandbox by 2 August 2026. AKOS has already described the sandbox model and says participation details will be published through public calls.
Does data protection still matter if I comply with the AI Act?
Absolutely. AI Act compliance does not displace GDPR or sector rules. In Slovenia, AI systems that process personal data can attract both AI supervision and data protection scrutiny.