RZIJZ Cybersecurity Survey: Key Findings


Automated security scan of 1043 domain names associated with 1143 Slovenian public entities registered in RZIJZ (Register zavezancev za informacije javnega značaja — the mandatory register of entities obligated to provide public access to information under ZDIJZ). Schools and kindergartens excluded. Scanned: April 7, 2026.

Executive summary

The survey covers RZIJZ-registered entities (N=1143) with an identifiable web domain. The overall mean security score is 56.3/100 (median 55), indicating systemic underinvestment in basic cybersecurity hygiene across the Slovenian public sector.




Main risk factors

  1. Email spoofing exposure — only 18.6% of domains enforce DMARC (reject/quarantine). The remaining 81.4% can be trivially impersonated in phishing attacks targeting citizens and other public entities.

  2. CMS fingerprinting — 43.9% of domains run a detectable CMS (WordPress 41.6%, Drupal 2.3%), making the attack surface publicly known. 11.3% combine WordPress with no DMARC — a high-risk combination enabling both exploitation and phishing.

  3. Transport security gaps — 62.1% of domains lack HSTS, leaving users vulnerable to SSL stripping / downgrade attacks.

  4. No responsible disclosure channel — 94.2% of domains have no security.txt, meaning security researchers have no official route to report vulnerabilities.

  5. Hosting concentration — the top two ISPs (Webtasy and Pošta Slovenije) host nearly 30% of all public sector domains, creating systemic single points of failure.

  6. 5.2% of domains hosted outside the EU, with no GDPR guarantee on data processing location.

13.2% score below 40 (critical risk) and a further 43.7% score 40–59 (poor). Combined, 56.9% of all scanned public entities have inadequate baseline security.



Overall scorecard

Score distribution

| Metric | Value |
| --- | --- |
| Mean score | 56.3 / 100 |
| Median score | 55 / 100 |
| Min / Max | 10 / 100 |
| Stdev | 16.9 |

Risk bands

| Band | Count | % |
| --- | --- | --- |
| Good (>=80) | 145 | 12.7% |
| Moderate (60-79) | 347 | 30.4% |
| Poor (40-59) | 500 | 43.7% |
| Critical (<40) | 151 | 13.2% |

Security check pass rates

| Check | Pass % | Risk if failing |
| --- | --- | --- |
| DMARC (enforce/quarantine) | 18.6% | Domain can be spoofed for phishing |
| DMARC (any policy) | 63.7% | Includes monitoring-only |
| SPF (hard fail) | 54.2% | Sender auth incomplete |
| DKIM | 60.2% | Email integrity unverified |
| HTTPS redirect | 77.3% | HTTP access possible |
| HSTS | 37.9% | Downgrade attacks possible |
| security.txt | 5.8% | No disclosure contact |
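
As an added example (not the survey's own scanner, whose scoring rules are not given on this page), the following shows how the DMARC, SPF and HSTS checks in the table can be evaluated from DNS TXT records and HTTPS response headers. The ok/warn/fail mapping for SPF, the treatment of `pct=0` as monitoring-only, and all sample records are assumptions made for illustration.

```python
import re

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a lowercase dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def dmarc_status(txt_records):
    """'enforce', 'monitor' or 'none' from the TXT records at _dmarc.<domain>."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:  # absent or duplicated record: no usable policy
        return "none"
    tags = parse_tags(found[0])
    policy, pct = tags.get("p"), tags.get("pct", "100")
    if policy in ("reject", "quarantine"):  # pct=0 applies the policy to no mail
        return "monitor" if pct == "0" else "enforce"
    return "monitor" if policy == "none" else "none"

def spf_status(txt_records):
    """'ok' for -all, 'warn' for ~all, 'fail' otherwise (assumed mapping)."""
    found = [r.lower().split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:  # several SPF records is a permanent error
        return "fail"
    alls = [t for t in found[0][1:] if re.fullmatch(r"[+?~-]?all", t)]
    return {"-all": "ok", "~all": "warn"}.get(alls[0], "fail") if alls else "fail"

def hsts_status(headers):
    """True when Strict-Transport-Security carries a positive max-age."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security", "")
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(match) and int(match.group(1)) > 0  # max-age=0 switches HSTS off

def evaluate(sample):
    dmarc = dmarc_status(sample["dmarc_txt"])
    return {"dmarc_enforced": dmarc == "enforce", "dmarc_any": dmarc != "none",
            "spf": spf_status(sample["apex_txt"]), "hsts": hsts_status(sample["headers"])}

# Constructed sample data (not survey results), using the reserved .example TLD.
SAMPLES = {
    "strict.example": {"dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:d@strict.example"],
                       "apex_txt": ["v=spf1 mx -all"],
                       "headers": {"Strict-Transport-Security": "max-age=31536000"}},
    "monitor.example": {"dmarc_txt": ["v=DMARC1; p=none"],
                        "apex_txt": ["v=spf1 include:_spf.monitor.example ~all"],
                        "headers": {"strict-transport-security": "max-age=0"}},
}

if __name__ == "__main__":
    print({name: evaluate(s) for name, s in SAMPLES.items()})
```

A domain such as `monitor.example` counts toward "DMARC (any policy)" but not toward the enforcing figure, which is the gap between the 63.7% and 18.6% rows.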

Hosting sovereignty

| Location | % | Note |
| --- | --- | --- |
| Slovenia (SI) | 76.8% | Data stays in Slovenia |
| EU (non-SI) | 11.5% | GDPR applies |
| Outside EU | 5.2% | No GDPR guarantee |
| Unknown | 6.6% | Could not determine |

CMS fingerprinting

| CMS | % | Note |
| --- | --- | --- |
| WordPress | 41.6% | Attack surface publicly known |
| Drupal | 2.3% | |
| Any detected | 43.9% | |

Risk combinations

| Combination | % of all domains |
| --- | --- |
| WordPress + no DMARC | 11.3% |
| Outside-EU + no HTTPS redirect | 7.8% |

By sector (kategorija)

Kategorija classifies each entity by sector (healthcare, municipalities, utilities…). Sorted worst-first by mean score.

| Group | N | Mean | Median | DMARC% | DKIM% | HSTS% | SI% | WP% |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| naravni_park | 15 | 40.7 | 42 | 0.0% | 33.3% | 33.3% | 66.7% | 53.3% |
| socialne_storitve | 13 | 44.7 | 45 | 15.4% | 38.5% | 15.4% | 76.9% | 61.5% |
| gledalisce_kultura | 14 | 52.9 | 50.0 | 0.0% | 71.4% | 35.7% | 64.3% | 21.4% |
| drugo_javno | 445 | 53.7 | 55 | 22.0% | 60.4% | 31.7% | 69.0% | 45.6% |
| muzej_galerija | 33 | 54.8 | 55 | 9.1% | 54.5% | 21.2% | 87.9% | 51.5% |
| transport | 13 | 54.9 | 55 | 23.1% | 53.8% | 15.4% | 76.9% | 53.8% |
| zdravstvo | 181 | 55.8 | 55 | 14.4% | 63.5% | 24.3% | 81.2% | 54.1% |
| komunala | 73 | 56.6 | 55 | 24.7% | 63.0% | 26.0% | 80.8% | 50.7% |
| stanovanjski_sklad | 9 | 56.7 | 50 | 22.2% | 55.6% | 44.4% | 55.6% | 44.4% |
| lekarna | 20 | 59.2 | 58.5 | 20.0% | 70.0% | 45.0% | 80.0% | 40.0% |
| obcina | 209 | 60.2 | 60 | 12.9% | 46.9% | 63.6% | 89.5% | 22.0% |
| univerza_fakulteta | 64 | 61.5 | 62.0 | 10.9% | 85.9% | 45.3% | 79.7% | 40.6% |
| voda_kanalizacija | 7 | 64.9 | 65 | 28.6% | 100.0% | 28.6% | 71.4% | 14.3% |
| energetika | 35 | 66.0 | 70 | 45.7% | 80.0% | 62.9% | 68.6% | 22.9% |
| holding_infrastruktura | 8 | 69.8 | 75.0 | 37.5% | 50.0% | 75.0% | 87.5% | 25.0% |

Oblika is the legal organisational form registered in RZIJZ (d.o.o., javni zavod, d.d.…). Larger commercially-oriented forms tend to score higher. Sorted worst-first.

| Group | N | Mean | Median | DMARC% | DKIM% | HSTS% | SI% | WP% |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Ustanova | 7 | 38.6 | 45 | 0.0% | 42.9% | 14.3% | 42.9% | 71.4% |
| Izvršitelj | 5 | 50 | 55 | 20.0% | 60.0% | 0.0% | 80.0% | 60.0% |
| Zavod | 74 | 54.0 | 55.0 | 25.7% | 60.8% | 25.7% | 77.0% | 52.7% |
| Družba z omejeno odgovornostjo d.o.o. | 522 | 54.3 | 55.0 | 20.1% | 61.1% | 33.1% | 72.8% | 46.2% |
| Javni zavod | 255 | 56.1 | 55 | 17.3% | 64.3% | 25.5% | 76.1% | 47.8% |
| Javni sklad | 11 | 57.8 | 62 | 18.2% | 54.5% | 36.4% | 36.4% | 54.5% |
| Javna agencija | 7 | 58.9 | 60 | 28.6% | 42.9% | 0.0% | 85.7% | 42.9% |
| Lokalne skupnosti | 198 | 60.4 | 60.0 | 12.6% | 46.5% | 66.2% | 91.4% | 20.2% |
| Članica univerze | 19 | 62.2 | 65 | 0.0% | 100.0% | 89.5% | 94.7% | 5.3% |
| Organ, organizacija širše lokalne skupnosti | 3 | 63.3 | 55 | 33.3% | 66.7% | 33.3% | 66.7% | 100.0% |
| Zbornica | 3 | 66.7 | 65 | 33.3% | 100.0% | 0.0% | 100.0% | 66.7% |
| Skupnost zavodov | 3 | 68.3 | 80 | 0.0% | 66.7% | 66.7% | 100.0% | 100.0% |
| Delniška družba d.d. | 27 | 68.7 | 65 | 40.7% | 70.4% | 59.3% | 63.0% | 22.2% |

By region (region)

Region groups entities by administrative region codes. Regions with 3+ domains only. Sorted worst-first.

| Group | N | Mean | Median | DMARC% | DKIM% | HSTS% | SI% | WP% |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Zasavska | 29 | 51.6 | 50 | 13.8% | 69.0% | 34.5% | 69.0% | 41.4% |
| Goriška | 70 | 54.6 | 55.0 | 15.7% | 58.6% | 27.1% | 81.4% | 34.3% |
| Savinjska | 131 | 54.7 | 55 | 19.8% | 60.3% | 36.6% | 77.1% | 44.3% |
| Posavska | 51 | 55.2 | 55 | 17.6% | 64.7% | 27.5% | 70.6% | 27.5% |
| Podravska | 154 | 55.5 | 55.0 | 18.8% | 49.4% | 39.6% | 79.2% | 46.1% |
| Koroška | 39 | 55.7 | 55 | 17.9% | 56.4% | 38.5% | 74.4% | 30.8% |
| Jugovzhodna | 79 | 55.8 | 55 | 15.2% | 59.5% | 32.9% | 82.3% | 55.7% |
| Gorenjska | 117 | 55.9 | 55 | 20.5% | 52.1% | 41.9% | 76.1% | 39.3% |
| Obalno-kraška | 56 | 56.0 | 55.0 | 12.5% | 71.4% | 32.1% | 80.4% | 53.6% |
| Pomurska | 67 | 56.2 | 55 | 13.4% | 61.2% | 40.3% | 73.1% | 35.8% |
| Primorsko-notranjska | 27 | 58.2 | 60 | 25.9% | 63.0% | 29.6% | 88.9% | 55.6% |
| Osrednjeslovenska | 323 | 58.6 | 55 | 21.1% | 65.3% | 42.7% | 74.6% | 39.0% |

By municipality (obcina)

Obcina is the municipality of the entity’s registered office. Municipalities with 3+ domains only. Sorted worst-first.

| Group | N | Mean | Median | DMARC% | DKIM% | HSTS% | SI% | WP% |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Radlje Ob Dravi | 4 | 37.2 | 38.0 | 0.0% | 0.0% | 100.0% | 25.0% | 0.0% |
| Vojnik | 4 | 37.5 | 40.0 | 25.0% | 0.0% | 25.0% | 50.0% | 50.0% |
| Črnomelj | 6 | 39.2 | 40.0 | 16.7% | 16.7% | 0.0% | 100.0% | 50.0% |
| Tabor | 3 | 45 | 45 | 0.0% | 100.0% | 0.0% | 100.0% | 0.0% |
| Brda | 3 | 45 | 45 | 0.0% | 0.0% | 0.0% | 100.0% | 0.0% |
| Slovenske Konjice | 3 | 45.7 | 40 | 0.0% | 100.0% | 33.3% | 66.7% | 33.3% |
| Gorišnica | 4 | 46.2 | 50.0 | 0.0% | 25.0% | 0.0% | 100.0% | 100.0% |
| Komenda | 3 | 46.7 | 45 | 33.3% | 0.0% | 100.0% | 66.7% | 0.0% |
| Vrhnika | 6 | 47 | 47.5 | 0.0% | 66.7% | 0.0% | 83.3% | 50.0% |
| Moravske Toplice | 3 | 47.3 | 45 | 0.0% | 100.0% | 0.0% | 66.7% | 66.7% |
| Prevalje | 6 | 48.3 | 45.0 | 0.0% | 33.3% | 33.3% | 100.0% | 0.0% |
| Trbovlje | 7 | 49 | 45 | 14.3% | 42.9% | 57.1% | 57.1% | 28.6% |
| Lenart | 3 | 49 | 45 | 0.0% | 66.7% | 66.7% | 66.7% | 0.0% |
| Ormož | 7 | 49.3 | 55 | 0.0% | 42.9% | 57.1% | 71.4% | 42.9% |
| Litija | 7 | 49.7 | 50 | 14.3% | 71.4% | 28.6% | 85.7% | 42.9% |
| Koper | 21 | 49.8 | 45 | 9.5% | 71.4% | 28.6% | 66.7% | 52.4% |
| Jesenice | 18 | 50.2 | 45.0 | 11.1% | 44.4% | 11.1% | 88.9% | 55.6% |
| Tržič | 12 | 50.3 | 50.0 | 0.0% | 66.7% | 0.0% | 66.7% | 33.3% |
| Velenje | 13 | 50.5 | 55 | 23.1% | 61.5% | 23.1% | 76.9% | 61.5% |
| Grad | 4 | 51 | 51.0 | 0.0% | 0.0% | 50.0% | 50.0% | 0.0% |
| Domžale | 9 | 51.1 | 55 | 11.1% | 33.3% | 22.2% | 77.8% | 22.2% |
| Šentjur | 9 | 51.1 | 55 | 22.2% | 55.6% | 22.2% | 100.0% | 33.3% |
| Idrija | 7 | 51.1 | 55 | 14.3% | 57.1% | 28.6% | 85.7% | 57.1% |
| Slovenj Gradec | 10 | 51.2 | 45.0 | 10.0% | 80.0% | 10.0% | 60.0% | 60.0% |
| Tolmin | 8 | 51.6 | 52.5 | 0.0% | 62.5% | 25.0% | 87.5% | 50.0% |
| Škofljica | 3 | 51.7 | 70 | 66.7% | 33.3% | 66.7% | 66.7% | 33.3% |
| Brežice | 12 | 52.4 | 51.0 | 25.0% | 58.3% | 16.7% | 50.0% | 8.3% |
| Zagorje Ob Savi | 9 | 52.8 | 55 | 11.1% | 77.8% | 33.3% | 66.7% | 33.3% |
| Krško | 12 | 53.2 | 55.0 | 25.0% | 75.0% | 33.3% | 50.0% | 8.3% |
| Škofja Loka | 10 | 53.3 | 57.5 | 20.0% | 80.0% | 20.0% | 90.0% | 50.0% |
| Majšperk | 3 | 53.3 | 55 | 0.0% | 33.3% | 33.3% | 100.0% | 66.7% |
| Žalec | 9 | 53.6 | 55 | 0.0% | 77.8% | 0.0% | 77.8% | 66.7% |
| Nazarje | 4 | 53.8 | 52.5 | 25.0% | 75.0% | 50.0% | 50.0% | 0.0% |
| Ivančna Gorica | 7 | 54 | 55 | 14.3% | 71.4% | 28.6% | 71.4% | 42.9% |
| Trebnje | 6 | 54.2 | 55.0 | 0.0% | 83.3% | 0.0% | 100.0% | 66.7% |
| Celje | 38 | 54.4 | 50.0 | 18.4% | 63.2% | 42.1% | 68.4% | 50.0% |
| Novo Mesto | 25 | 54.6 | 50 | 20.0% | 60.0% | 28.0% | 72.0% | 68.0% |
| Maribor | 68 | 54.7 | 55.0 | 25.0% | 54.4% | 26.5% | 72.1% | 48.5% |
| Nova Gorica | 22 | 54.8 | 55.0 | 22.7% | 50.0% | 13.6% | 77.3% | 18.2% |
| Renče-Vogrsko | 3 | 55 | 55 | 0.0% | 100.0% | 0.0% | 100.0% | 66.7% |
| Radovljica | 5 | 55 | 52 | 40.0% | 60.0% | 20.0% | 60.0% | 40.0% |
| Brezovica | 30 | 55 | 50.0 | 16.7% | 83.3% | 16.7% | 100.0% | 100.0% |
| Hoče-Slivnica | 3 | 55 | 35 | 33.3% | 66.7% | 33.3% | 100.0% | 33.3% |
| Dobje | 4 | 55 | 55.0 | 0.0% | 100.0% | 0.0% | 100.0% | 100.0% |
| Hrastnik | 15 | 55 | 58 | 20.0% | 80.0% | 20.0% | 60.0% | 60.0% |
| Radenci | 3 | 55 | 55 | 0.0% | 100.0% | 0.0% | 66.7% | 33.3% |
| Rogaška Slatina | 8 | 55.2 | 55.0 | 25.0% | 50.0% | 25.0% | 87.5% | 37.5% |
| Ajdovščina | 9 | 55.3 | 55 | 22.2% | 77.8% | 44.4% | 66.7% | 22.2% |
| Vodice | 4 | 56 | 56.0 | 0.0% | 50.0% | 50.0% | 50.0% | 0.0% |
| Postojna | 12 | 56.1 | 57.5 | 33.3% | 75.0% | 25.0% | 91.7% | 50.0% |
| Murska Sobota | 18 | 56.2 | 55.0 | 16.7% | 55.6% | 38.9% | 50.0% | 16.7% |
| Logatec | 4 | 56.2 | 55.0 | 25.0% | 100.0% | 0.0% | 100.0% | 100.0% |
| Naklo | 12 | 56.2 | 55.0 | 25.0% | 50.0% | 50.0% | 50.0% | 50.0% |
| Grosuplje | 4 | 56.2 | 57.5 | 0.0% | 25.0% | 50.0% | 75.0% | 75.0% |
| Ptuj | 22 | 56.6 | 55.0 | 13.6% | 59.1% | 36.4% | 81.8% | 54.5% |
| Mozirje | 3 | 56.7 | 45 | 33.3% | 66.7% | 33.3% | 100.0% | 33.3% |
| Ljutomer | 6 | 56.7 | 55.0 | 0.0% | 66.7% | 33.3% | 83.3% | 33.3% |
| Sevnica | 7 | 57.4 | 55 | 14.3% | 85.7% | 28.6% | 85.7% | 14.3% |
| Žirovnica | 6 | 57.5 | 57.5 | 0.0% | 50.0% | 50.0% | 100.0% | 50.0% |
| Luče | 4 | 57.5 | 57.5 | 0.0% | 50.0% | 50.0% | 100.0% | 50.0% |
| Sežana | 10 | 58 | 55.0 | 10.0% | 60.0% | 30.0% | 100.0% | 70.0% |
| Kočevje | 7 | 58.1 | 60 | 14.3% | 57.1% | 28.6% | 85.7% | 28.6% |
| Bled | 9 | 58.2 | 55 | 44.4% | 33.3% | 55.6% | 66.7% | 33.3% |
| Kranj | 38 | 58.2 | 55.0 | 23.7% | 47.4% | 47.4% | 78.9% | 39.5% |
| Slovenska Bistrica | 8 | 58.9 | 59.5 | 25.0% | 50.0% | 37.5% | 50.0% | 25.0% |
| Ljubljana | 229 | 59.5 | 58 | 23.6% | 68.1% | 45.9% | 72.1% | 37.1% |
| Izola | 3 | 60 | 65 | 0.0% | 33.3% | 33.3% | 100.0% | 33.3% |
| Markovci | 4 | 60 | 60.0 | 0.0% | 50.0% | 100.0% | 100.0% | 50.0% |
| Straža | 3 | 60 | 60 | 0.0% | 0.0% | 100.0% | 100.0% | 0.0% |
| Kamnik | 9 | 60.2 | 60 | 11.1% | 55.6% | 44.4% | 88.9% | 44.4% |
| Mengeš | 3 | 60.7 | 55 | 33.3% | 66.7% | 33.3% | 33.3% | 66.7% |
| Puconci | 4 | 61 | 58.5 | 25.0% | 50.0% | 25.0% | 50.0% | 25.0% |
| Piran | 6 | 61.2 | 58.5 | 16.7% | 83.3% | 33.3% | 83.3% | 33.3% |
| Ilirska Bistrica | 4 | 62.5 | 62.5 | 25.0% | 25.0% | 25.0% | 100.0% | 75.0% |
| Šenčur | 4 | 62.5 | 65.0 | 0.0% | 100.0% | 75.0% | 75.0% | 25.0% |
| Šoštanj | 4 | 63.2 | 67.5 | 25.0% | 100.0% | 75.0% | 50.0% | 0.0% |
| Bovec | 3 | 63.3 | 60 | 33.3% | 33.3% | 33.3% | 100.0% | 33.3% |
| Ravne Na Koroškem | 9 | 63.8 | 60 | 33.3% | 77.8% | 11.1% | 77.8% | 55.6% |
| Dravograd | 6 | 64.5 | 63.5 | 50.0% | 66.7% | 50.0% | 83.3% | 16.7% |
| Kranjska Gora | 3 | 65 | 60 | 33.3% | 33.3% | 66.7% | 100.0% | 0.0% |
| Ruše | 6 | 65 | 65.0 | 33.3% | 66.7% | 66.7% | 100.0% | 66.7% |
| Cerknica | 3 | 65 | 60 | 33.3% | 66.7% | 33.3% | 100.0% | 66.7% |
| Kidričevo | 3 | 66.7 | 70 | 66.7% | 33.3% | 33.3% | 100.0% | 33.3% |
| Železniki | 6 | 67.3 | 77.0 | 33.3% | 100.0% | 66.7% | 0.0% | 66.7% |
| Cerklje Na Gorenjskem | 4 | 68 | 66.0 | 50.0% | 50.0% | 75.0% | 75.0% | 0.0% |
| Gornja Radgona | 4 | 68.8 | 70.0 | 50.0% | 75.0% | 25.0% | 100.0% | 75.0% |
| Lendava | 4 | 70 | 67.5 | 50.0% | 100.0% | 50.0% | 75.0% | 50.0% |
| Laško | 4 | 70.5 | 76.0 | 75.0% | 50.0% | 50.0% | 75.0% | 25.0% |
| Šentilj | 3 | 71.7 | 70 | 66.7% | 33.3% | 33.3% | 100.0% | 33.3% |
| Ribnica | 12 | 71.8 | 72.5 | 25.0% | 100.0% | 25.0% | 75.0% | 75.0% |
| Šempeter-Vrtojba | 3 | 73.3 | 80 | 66.7% | 100.0% | 33.3% | 66.7% | 66.7% |
| Medvode | 5 | 73.4 | 65 | 40.0% | 100.0% | 60.0% | 60.0% | 20.0% |
| Škocjan | 3 | 80 | 80 | 0.0% | 100.0% | 100.0% | 100.0% | 0.0% |

Hosting provider concentration (top 15)

Concentration in a few providers is a systemic risk: an incident at a dominant ISP affects many public entities simultaneously.

| ISP | Domains | % |
| --- | --- | --- |
| Webtasy, d.o.o. | 194 | 17.0% |
| Posta Slovenije d.o.o. | 144 | 12.6% |
| Optimus IT d.o.o. | 83 | 7.3% |
| (unknown) | 75 | 6.6% |
| Telemach d.o.o. | 58 | 5.1% |
| AVANT.SI d.o.o | 53 | 4.6% |
| Hetzner Online GmbH | 47 | 4.1% |
| SIEL, INFORMACIJSKE RESITVE, D.O.O. | 40 | 3.5% |
| ARNES provider | 39 | 3.4% |
| Hitrost.com Internet Storitve d.o.o. | 34 | 3.0% |
| Cloudflare, Inc. | 30 | 2.6% |
| Optimus IT d.o.o. sub of | 27 | 2.4% |
| ARCTUR d.o.o. | 22 | 1.9% |
| Avtenta.si | 19 | 1.7% |
| PERFTECH, podjetje za proizvodnjo in uvajanje novih tehnologij, d.o.o. | 19 | 1.7% |

| Domain | Score | Kategorija | Country | SPF | DKIM | DMARC | HSTS |
| --- | --- | --- | --- | --- | --- | --- | --- |
| veterinarska-bolnica.si | 10 | drugo_javno | SI | fail | fail | fail | no |
| komunala-slb.si | 10 | komunala | US | warn | fail | fail | no |
| alba-ce.com | 10 | drugo_javno | CA | warn | fail | fail | no |
| ircuo.si | 10 | drugo_javno | SI | fail | fail | fail | no |
| szf.si | 15 | drugo_javno | GB | fail | fail | fail | no |
| rcr-zasavje.si | 15 | drugo_javno | GB | fail | fail | fail | no |
| obcina.skofljica.si | 15 | obcina | US | fail | fail | fail | yes |
| fizio-obala.si | 17 | drugo_javno | DE | warn | ok | fail | no |
| mc-litija.si | 18 | drugo_javno | | fail | fail | fail | yes |
| olvidnja.si | 18 | drugo_javno | | fail | fail | fail | yes |
| publicus.si | 18 | komunala | | fail | fail | fail | yes |
| vdcvipava.si | 18 | socialne_storitve | | fail | fail | fail | yes |
| lotusart.si | 18 | drugo_javno | | fail | fail | fail | yes |
| sistemika.si | 18 | zdravstvo | | fail | fail | fail | yes |
| obcina-gup.si | 18 | energetika | | fail | fail | fail | yes |
| zavodruj.si | 18 | drugo_javno | | fail | fail | fail | yes |
| papilot.si | 18 | drugo_javno | | fail | fail | fail | yes |
| i-ulfgg.si | 18 | holding_infrastruktura | | fail | fail | fail | yes |

Best scoring domains (best scores)

| Domain | Score | Kategorija | Country | SPF | DKIM | DMARC | HSTS |
| --- | --- | --- | --- | --- | --- | --- | --- |
| sava.si | 100 | drugo_javno | SI | ok | ok | ok | yes |
| ir-rs.si | 100 | univerza_fakulteta | SI | ok | ok | ok | yes |
| sdh.si | 100 | holding_infrastruktura | SI | ok | ok | ok | yes |
| gek.si | 100 | energetika | SI | ok | ok | ok | yes |
| zd-ms.si | 95 | zdravstvo | SI | ok | ok | ok | yes |
| slo-zeleznice.si | 95 | transport | SI | ok | ok | ok | yes |
| domtaber.si | 95 | drugo_javno | SI | ok | ok | ok | yes |
| b2.eu | 95 | drugo_javno | SI | ok | ok | ok | yes |
| psih-klinika.si | 95 | zdravstvo | SI | ok | ok | ok | yes |
| komunala-nm.si | 95 | komunala | SI | ok | ok | ok | yes |
| piran.si | 95 | obcina | SI | ok | ok | ok | yes |
| talum.si | 95 | drugo_javno | SI | ok | ok | ok | yes |
| siq.si | 95 | drugo_javno | SI | ok | ok | ok | yes |
| hoce-slivnica.si | 95 | obcina | SI | ok | ok | ok | yes |
| jkp-dravograd.si | 95 | komunala | SI | ok | ok | ok | yes |
| petrol.si | 95 | drugo_javno | SI | ok | ok | ok | yes |
| kraski-vodovod.si | 95 | voda_kanalizacija | SI | ok | ok | ok | yes |
| rra-koroska.si | 95 | drugo_javno | SI | ok | ok | ok | yes |
| prevozi-guliver.si | 95 | drugo_javno | SI | ok | ok | ok | yes |
| slov-bistrica.si | 95 | obcina | SI | ok | ok | ok | yes |

