Cyberattacks increasingly affect both public and private sectors, and it's important for companies to stay vigilant. The European Union adopted the NIS2 directive, which we in Slovakia have transposed into the Cybersecurity Act, touching not only IT departments but also Human Resources (HR). Companies often fail to realize that cybersecurity is not just about technology, but above all about people and their behavior. HR departments play a key role in building a security culture within a company.

Why should HR employees also focus on cybersecurity?
The law responds to the growing number of attacks affecting various industries — from healthcare to manufacturing. Most incidents originate from human error — a careless click on a malicious link, a weak password, or ignored security policies. HR's role is therefore not only to hire people with the necessary competencies, but also to create an environment where safe behavior is a natural part of the corporate culture.
What does the new law mean for HR departments?
The law does not only demand modern technologies — it wants companies to manage and protect them responsibly. Among the main new obligations of HR departments are:
1. Mandatory training and awareness raising
The law emphasizes employee education, so HR must:
- ensure regular training on phishing, password management, MFA (multi-factor authentication), and the correct use of corporate devices,
- document training completion and keep the records for audits,
- evaluate training effectiveness (e.g. through simulated phishing tests).
2. New processes in onboarding and offboarding
When employees join and leave the company, HR must:
- clearly define access rights and revoke them promptly when employment ends,
- include basic cybersecurity training in the onboarding process,
- cooperate with the IT department to grant system access according to the “need to know” principle, i.e. only the access each role actually requires.
3. Documentation and audits
HR must, in cooperation with management, adjust and document internal policies — for example the security policy itself, training records, or employees' signed acknowledgements of the rules for using IT resources.
4. Incident reporting and communication
During a cyber incident, HR often takes part in the communication plan — coordinating internal communication with employees, informing them about procedures, and helping manage the crisis from a people perspective (e.g. stress, uncertainty, data loss).
5. Protection of personal data
Since HR handles a large volume of personal and sensitive data, it is directly affected by the law’s obligations — it must ensure that employee data are protected not only under GDPR, but also under the new security standards (encryption, access control, backups).
Practical impacts on HR departments
The implementation of the Cybersecurity Act shows up in the everyday tasks of HR departments. It’s not just about new administrative duties — it changes how HR cooperates with IT, plans trainings, and manages employee data. With the law’s introduction, cybersecurity has become an integral part of personnel processes and affects people management strategy across the organization in several ways:
- Increased demands for coordination between HR and IT departments.
- More administrative burden and emphasis on documentation — HR must be able to prove that security measures were actually carried out.
- Necessary investments in training, internal campaigns, and HR software that meets the law’s requirements.
- New competencies for HR managers — understanding cybersecurity basics and the ability to incorporate them into HR strategy.
How to proceed?
Implementing the Cybersecurity Act requires not only technical measures, but also a systematic approach from the HR department. It is a combination of organizational steps, education, and close cooperation with IT. The following recommendations will help HR teams apply the new requirements effectively and without unnecessary stress:
- Map competencies — identify who in the HR team is responsible for security issues.
- Introduce training and internal campaigns — regularly recurring, not just once a year.
- Link HR processes with IT — set up automated revocation of access upon termination of employment.
- Revise internal policies — add security obligations to job regulations and contracts.
- Support a security culture — reward responsible behavior and communicate transparently on suspected incidents.

Conclusion
The Cybersecurity Act is not just an IT matter — it is a human matter. Success in implementation depends on how employees understand risks and how they behave in their daily work. HR departments are thus on the front line: they create an environment in which security is a value, not an obligation. Companies that manage this change well will gain not only a higher level of protection, but also the trust of clients and team stability.
Do you have doubts whether the Cybersecurity Act applies to you, or need assistance implementing it in your organization? Do not hesitate to contact us and use our experience.