Over 80% of Slovenian Public Sector Domains Vulnerable to Spoofing, Cybersecurity Survey Finds
LJUBLJANA, Apr 7, 2026 — A sweeping automated cybersecurity survey of 1,043 domain names associated with 1,143 Slovenian public entities has uncovered critical vulnerabilities and systemic failure in email configuration across the public sector of Slovenia. The study, conducted on April 6 2026 by Kibervarnost.si, assessed organizations registered in the Register zavezancev za informacije javnega značaja (RZIJZ)—the mandatory database of entities legally obligated to provide public access to information—excluding schools and kindergartens.
Evaluating organizations on a 0-100 scoring system based on seven critical setup indicators, the survey found an overall mean security score of just 56.3 out of 100 for Slovenia’s public sector. More than half of the scanned public entities (57%) fell into the «poor» or «critical» risk bands, indicating inadequate cybersecurity settings for their public-facing infrastructure.
«Protecting citizen data and public services requires coordinated policy action,» said mag. Aleksander Sotov, cybersecurity expert at Kibervarnost.si, the surveying organisation. «This survey underscores the urgent need for targeted improvements in email security, encryption, and vulnerability disclosure mechanisms across Slovenia’s public sector, especially in healthcare and utilities. The new Information Security Act (ZInfV-1), which entered into force in June 2025, appears to have raised standards among critical infrastructure operators, but the effect has not reached the wider public sector. Unpatched CMS platforms combined with missing DMARC are a perfect storm. Threat actors can launch mass phishing campaigns impersonating public institutions, sending fake invoices from addresses that look entirely legitimate. Cybersecurity must be treated as a chain — and right now there are far too many weak links.»
«Our independent tests provide objective diagnostics, and this public survey is the first of its kind in Slovenia. We analyzed SPF, DKIM, and DMARC configurations—key controls against domain spoofing—for public service domains, as weak or missing policies indicate exposure to multiple attack vectors. Malicious AI agents can exploit domain spoofing to generate highly convincing phishing attacks, deploy ransomware, or send fraudulent invoices. Many of these vectors involve fraud, so they pose significant risks to public funds,» stated Sotov.
Detailed Reports
Key Vulnerabilities Identified
The survey scanned domain names associated with organizations in the RZIJZ register. The methodology weighted email authentication mechanisms (DMARC, SPF, and DKIM) to measure resilience against phishing, while also assessing secure transport protocols (HTTPS, HSTS), data sovereignty (hosting location), and responsible disclosure readiness (security.txt).
The raw data revealed several alarming trends:
Mass Exposure to Email Spoofing: Only about 19% of domains enforce strict DMARC policies, fewer than one in five. The remaining 81.4% of domains can be trivially impersonated in phishing attacks targeting citizens and other public institutions, which opens the door to vendor impersonation, a common attack vector in fraud.
The «Perfect Storm» of CMS Risks: About 40% of domains utilize WordPress without obfuscation, making their attack surface publicly known. Critically, 11.3% of all domains combine a WordPress CMS with no DMARC enforcement—a high-risk scenario that enables both direct exploitation and coordinated phishing campaigns.
Transport Security Gaps: While nearly 80% of entities redirect traffic to HTTPS, over 62% lack HTTP Strict Transport Security (HSTS), leaving long-term connections vulnerable to downgrade attacks.
Systemic Hosting Risks: Nearly 30% of all public sector domains are concentrated within just two hosting providers (Webtasy and Pošta Slovenije), and such concentration represents a systemic single point of failure. Furthermore, 5.2% of public sector domains are hosted outside the EU, which raises concerns regarding GDPR compliance.
No Reporting Channels: A staggering 94.2% of domains lack a security.txt file, meaning independent security researchers have no official or secure route to report discovered vulnerabilities before they are exploited.
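The findings above are the kind of output a configuration-hygiene scanner produces once the per-domain observations (DNS TXT records, HTTP response headers, hosting country, security.txt status) have been collected. The following is an added example written for this page, not Kibervarnost.si's scanner: it parses the DMARC and SPF records, checks the HSTS header and the other indicators the survey names, and folds them into a 0-100 score. The weights and the «poor»/«moderate» band boundaries are assumptions (the survey only states that «critical» is below 40 and that over 80 indicates good diligence); the two sample domains and their records are constructed, with a weak configuration beside a hardened one.

```python
"""Configuration-hygiene scorer in the spirit of the survey (added example).

The seven indicators are the ones the survey names; WEIGHTS and the band
thresholds other than <40 (critical) and >80 (good) are assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed weights, summing to 100; the survey does not publish its weighting.
WEIGHTS = {
    "dmarc": 30, "spf": 15, "dkim": 15, "https": 10,
    "hsts": 10, "eu_hosting": 10, "security_txt": 10,
}
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' tag list as used by DMARC TXT records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_policy(dmarc_txt: list) -> str:
    """Return the p= tag ('reject', 'quarantine', 'none') or 'missing'."""
    for rec in dmarc_txt:
        if rec.lower().startswith("v=dmarc1"):
            return parse_tags(rec).get("p", "none").lower()
    return "missing"


def spf_present(apex_txt: list) -> bool:
    return any(r.lower().startswith("v=spf1") for r in apex_txt)


def hsts_ok(headers: dict) -> bool:
    """HSTS only counts with a max-age of at least 180 days (assumed threshold)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 15_552_000


@dataclass
class DomainObservation:
    domain: str
    dmarc_txt: list = field(default_factory=list)   # TXT at _dmarc.<domain>
    apex_txt: list = field(default_factory=list)    # TXT at <domain>
    dkim_selector_found: bool = False               # a DKIM key was published
    https_redirect: bool = False                    # http:// redirects to https://
    headers: dict = field(default_factory=dict)     # response headers over HTTPS
    hosting_country: str = ""                       # ISO code of hosting location
    security_txt_status: int = 404                  # GET /.well-known/security.txt


def score(obs: DomainObservation):
    """Return (total score, per-indicator pass/fail map)."""
    checks = {
        "dmarc": dmarc_policy(obs.dmarc_txt) in ("reject", "quarantine"),
        "spf": spf_present(obs.apex_txt),
        "dkim": obs.dkim_selector_found,
        "https": obs.https_redirect,
        "hsts": hsts_ok(obs.headers),
        "eu_hosting": obs.hosting_country.upper() in EU_COUNTRIES,
        "security_txt": obs.security_txt_status == 200,
    }
    return sum(WEIGHTS[k] for k, ok in checks.items() if ok), checks


def risk_band(total: int) -> str:
    if total < 40:
        return "critical"   # stated by the survey
    if total < 60:
        return "poor"       # assumed boundary
    if total <= 80:
        return "moderate"   # assumed boundary
    return "good"           # survey: over 80 indicates good diligence


def sample_observations() -> dict:
    """Two constructed domains: a monitoring-only DMARC setup and a hardened one."""
    weak = DomainObservation(
        domain="weak.example", apex_txt=["v=spf1 include:_spf.mailhost.example -all"],
        dmarc_txt=["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
        https_redirect=True, hosting_country="SI",
    )
    hardened = DomainObservation(
        domain="hardened.example", apex_txt=["v=spf1 include:_spf.mailhost.example -all"],
        dmarc_txt=["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
        dkim_selector_found=True, https_redirect=True, hosting_country="SI",
        headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        security_txt_status=200,
    )
    return {"weak": weak, "hardened": hardened}


if __name__ == "__main__":
    for name, obs in sample_observations().items():
        total, checks = score(obs)
        print(name, total, risk_band(total), checks)
```

The weak sample publishes SPF and a DMARC record, yet scores «critical»: `p=none` only asks receivers to report, so the indicator that carries the most weight is counted as failed, which is exactly the «technical implementation without policy completion» pattern the survey describes.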
«This automated overview of domains in Slovenia’s public sector is just the tip of the iceberg,» Sotov warned. «We deliberately focused on email configuration and domain names, but the disclosure of weak configurations across the majority of scanned domains — combined with the widespread presence of identifiable WordPress installations — suggests that the exploitable attack surface is far broader. Database attacks, such as SQL injection, are technically feasible and within reach of virtually any threat actor given these configurations. With the advancement of artificial intelligence, this risk grows exponentially: threat actors can already deploy AI agents to automate the discovery and mass exploitation of such vulnerabilities at a scale that manual attacks could never achieve.»
Sector Disparities: From Critical Infrastructure to Slovenia’s Natural Parks
The survey highlighted severe contrasts in digital hygiene between different sectors. Critical infrastructure entities—such as energy holdings and infrastructure companies—demonstrated the highest security maturity, reflecting compliance, targeted investments, and greater resource availability. The energy sector, for instance, achieved a mean score of 66.0, with holding and infrastructure scoring 69.8.
Conversely, natural parks and social services are the most vulnerable groups, scoring an average of 40.7 and 44.7, respectively. Nearly half of all natural park websites fell into the «critical» category (scoring below 40), with zero entities enforcing DMARC.
The healthcare sector (zdravstvo), despite having a massive digital footprint of 181 scanned entities, is highly exposed to cybersecurity risks. While 84% of healthcare domains successfully secure their websites by redirecting to HTTPS, only 14.4% enforce DMARC, leaving critical health-related communications highly vulnerable to email impersonation.
Water and sanitation utilities (voda_kanalizacija), part of critical infrastructure, present a unique paradox: they achieved a perfect 100% implementation rate for DKIM email signatures, yet lag significantly in web transport security, with only 28.6% utilizing HSTS.
Public utility companies (Komunala) represent the middle ground, with a moderate overall cybersecurity standard and a mean score of 57. While utilities demonstrate strong HTTPS adoption (79.5%), only a quarter enforce DMARC, leaving their communications partially exposed.
Universities and faculties exhibit high adoption of basic email authentication mechanisms such as SPF (57.8%) and DKIM (85.9%), yet fall short at the final hurdle, with just 10.9% actually enforcing a strict DMARC reject or quarantine policy. This illustrates «technical implementation without policy completion»: in higher education institutions one step in cybersecurity is walked well in the right direction, but the next one is ignored almost completely.
The University of Maribor, which fell victim to a ransomware attack in 2024, scores 85 out of 100 in this survey — placing it among the higher-performing entities in the dataset — suggesting that the experience of a serious cyber incident translated into concrete improvements in email authentication and web transport security.
Regional disparities: Piran outscores Koper despite size
Beyond sector differences, the data exposes significant regional disparities in cybersecurity preparedness. The Osrednjeslovenska region ranks among the top performers with a mean score nearing 60, a metric heavily bolstered by the high concentration of better-resourced, higher-scoring public entities located in the capital, Ljubljana. In stark contrast, the Zasavska region demonstrates one of the lowest regional averages, with a mean score of just about 51. This geographic divide emphasizes the ongoing resource, funding, and IT expertise gap between central administrative hubs and smaller regional zones.
Regional comparisons also show that size does not always equate to better security. In the Obalno-kraška region, the smaller municipality of Piran scored a respectable 61.2, vastly outperforming its larger neighbor Koper (49.8). In Koper in particular, our survey did not find a single public entity with a security score over 80 (indicating good diligence); most entities (n=15) were evaluated as either «poor» or «critical».
Recommendations
To address these systemic vulnerabilities, stakeholders must prioritize a «security-by-default» mandate that moves beyond basic connectivity toward robust authentication. Immediate policy action should focus on enforcing strict DMARC «reject» or «quarantine» policies across all RZIJZ entities to close the door on domain spoofing, alongside the mandatory adoption of HSTS and security.txt files to protect user data and enable responsible vulnerability reporting. Furthermore, reducing the reliance on a small number of hosting providers and migrating domains back to EU-based infrastructure will mitigate systemic single points of failure and ensure long-term GDPR compliance. Targeted funding and shared cybersecurity services are particularly essential for lower-scoring sectors like social services, since the public sector’s digital perimeter is only as strong as its most vulnerable link. The public sector organizations that were surveyed are legally obligated to be accountable to the public, and their cybersecurity posture is part of that accountability.
Note to Editors:
The raw data are available on request; per-domain scores are available here.
The cybersecurity score here measures configuration hygiene — DMARC, DKIM, HSTS, HTTPS — not intrusion resilience or network security. A ransomware attack typically enters through phishing, VPN vulnerabilities, or unpatched internal systems, none of which this scoring model captures. For example, University of Maribor’s 85 score is accurate for what it measures, but the juxtaposition with the 2024 incident is a reminder to readers that a high domain score does not mean an organisation is immune to attack. It means only that their public-facing email and web infrastructure is well-configured.
Domain spoofing is when attackers fake a website or email domain to fool users, especially in phishing attacks. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email security protocol that stops phishing by verifying that an email actually comes from the domain it claims to represent. It works with SPF and DKIM to detect spoofed emails and tells receiving mail servers to quarantine or reject them, protecting brands and users from fraud.
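To make the «works with SPF and DKIM» step concrete: a receiving server runs SPF and DKIM, checks whether the domain that passed is aligned with the domain in the visible From header, and only then applies the policy the DMARC record requests. The code below is an added example, not part of this report or of Kibervarnost.si's tooling; it models that decision for constructed messages. The domains and records are made up, and organizational-domain lookup is simplified to the last two labels (an assumption; real receivers consult the public suffix list, and the pct tag is ignored here).

```python
"""Simplified DMARC evaluation: identifier alignment, then disposition.

Added example with constructed domains; org_domain() is a simplification
(last two labels) of the public-suffix-list lookup real receivers perform.
"""


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' DMARC tag list."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain: str) -> str:
    """Assumed organizational domain: last two labels (no public suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain: str, spf: tuple, dkim: list, record):
    """Return (dmarc_result, disposition).

    from_domain: domain of the RFC5322.From header the user sees
    spf:  (domain checked by SPF, result) from the envelope sender
    dkim: list of (d= signing domain, result) for each signature
    record: the _dmarc TXT record of the From domain, or None if absent
    """
    if not record:
        # No DMARC record: receivers apply no policy, the spoof is delivered.
        return "none", "none"
    tags = parse_tags(record)
    aspf = tags.get("aspf", "r").lower()
    adkim = tags.get("adkim", "r").lower()

    spf_pass = spf[1] == "pass" and aligned(spf[0], from_domain, aspf)
    dkim_pass = any(r == "pass" and aligned(d, from_domain, adkim) for d, r in dkim)
    if spf_pass or dkim_pass:
        return "pass", "none"      # deliver normally

    # The sp= tag, when present, governs mail whose From is a subdomain.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return "fail", tags["sp"].lower()
    return "fail", tags.get("p", "none").lower()


# Constructed records for a fictional public entity's domain.
RECORD_REJECT = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@gov-example.si"
RECORD_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@gov-example.si"


def scenarios() -> dict:
    """Constructed messages: the same spoof against three policies plus legit mail."""
    spoof_spf = ("unrelated-sender.example", "pass")   # SPF passes, but for another domain
    return {
        # Forged From with an enforcing record: receiver rejects.
        "spoof_vs_reject": evaluate_dmarc("gov-example.si", spoof_spf, [], RECORD_REJECT),
        # Same forgery, monitoring-only record: delivered, only a report is sent.
        "spoof_vs_monitor": evaluate_dmarc("gov-example.si", spoof_spf, [], RECORD_MONITOR),
        # Same forgery, no record at all (the 81.4% case): delivered.
        "spoof_vs_missing": evaluate_dmarc("gov-example.si", spoof_spf, [], None),
        # Legitimate mail through a relay: bounce subdomain aligns under relaxed SPF.
        "legit_relay": evaluate_dmarc("gov-example.si", ("bounce.gov-example.si", "pass"),
                                      [("gov-example.si", "pass")], RECORD_REJECT),
        # Forged subdomain From: sp=quarantine applies instead of p=reject.
        "subdomain_spoof": evaluate_dmarc("mail.gov-example.si", ("unrelated-sender.example", "fail"),
                                          [], RECORD_REJECT),
    }


if __name__ == "__main__":
    for name, (result, disposition) in scenarios().items():
        print(f"{name:18} dmarc={result:5} disposition={disposition}")
```

The three «spoof» scenarios are the same forged message; only the domain owner's record changes the outcome. That is why the survey counts `p=none` and a missing record alike as non-enforcement: in both cases the receiver is told to deliver.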
In 2025, SI-CERT recorded over 6,000 cybersecurity incidents (a 35% increase), including nearly 2,000 phishing cases, indicating a significant overall rise in incidents—with phishing representing a substantial and actively handled portion.
Source of information on public sector entities is the Register of Obliged Entities for Access to Public Information (RZIJZ), an open database listing all public bodies and publicly controlled entities in Slovenia that are legally required to provide access to information of public interest.
Kibervarnost.si (Center Glas) is a Slovenian non-profit organization that brings together experts in the fields of information and cybersecurity and regulatory compliance. We develop free open source tools for e-invoices in the EU and offer practical training and consulting in the field of cybersecurity and AI safety, with the goal of increasing the resilience of digital processes.
Detailed Reports
For more information or to access the full sector breakdowns and regional data from the RZIJZ Data Cybersecurity Survey, please contact kibervarnost@proton.me