NIS2 Croatia: what you need to know about compliance and certification

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU.
Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope to increase the resilience of critical infrastructures against cyber attacks.
The NIS2 Directive was transposed into Croatian law through the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, NN 14/2024), hereinafter referred to as the “cybersecurity act”, which has been in force since 15 February 2024. The requirements of the cybersecurity act that essential and important entities must comply with are detailed in the Regulation on Cybersecurity (Uredba o kibernetičkoj sigurnosti), hereinafter referred to as the “regulation”, which was introduced on 22 November 2024.
On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how you can prepare for the new regulations.
NIS2 entities (Art. 9-13)
The Croatian cybersecurity act is relevant for companies registered in Croatia that supply products and/or services in an EU country. Although the Croatian cybersecurity act largely corresponds to the European NIS2 Directive, it introduces stricter and more detailed requirements in certain areas.
The cybersecurity act explicitly specifies which public and private entities are subject to cybersecurity requirements. A distinction is made between essential entities and important entities. The categorisation of entities takes into account the services provided, the size of the entity and the location of the entity.
In principle, your entity is subject to the cybersecurity act if:
- Your organisation provides services within a sector listed in Annex I or Annex II of the cybersecurity act;
- Your organisation qualifies as at least a medium-sized enterprise, i.e. it meets or exceeds the size thresholds for medium-sized enterprises; and
- Your organisation is established in Croatia (with the exception of providers of public electronic communication networks and providers of public electronic communication services).
The cybersecurity law imposes additional requirements regarding the scope of application compared to the European NIS2 Directive. For example, the following entities must also comply with the requirements of the cybersecurity act:
- ICT service management;
- Local government bodies that are critical to the performance of societal or economic activities;
- Public and private entities in the education sector that are important for the performance of educational activities.
The authorities responsible for implementing cybersecurity management measures, including the National Cyber Security Centre (NCSC-HR), draw up lists of entities that fall within the scope of the NIS2 Act and categorise them as essential entities and important entities. The responsible authorities notify the affected entities of the categorisation. From then on, these entities must fulfil their obligations under the Cybersecurity Act.
Articles 9 to 13 of the Cybersecurity Act describe both the general and specific criteria for essential and important entities.
Essential entities are organisations whose service disruption could have a significant social or economic impact. These include:
- Large companies active in sectors listed in Annex I of the Act, such as energy, transport and healthcare;
- Providers of qualified trust services or top-level domain registration;
- Government institutions at central, regional or municipal level;
- The sole provider of a service that is vital to society or the state.
The general and specific criteria for important entities are also listed, examples of which are:
- Medium-sized enterprises in the sectors listed in Annex I;
- Large enterprises in the sectors listed in Annex II, provided that more than 50% of their turnover comes from these sectors;
- Micro, small and medium-sized entities providing non-qualified trust services.
The full list of sectors can be found in Annex I and Annex II of the Croatian Cybersecurity Act and in Annex I of the Regulation.
What does this mean for my company?
Registration (Art. 20-23 Cybersecurity Act and Art. 19 Regulation)
In Croatia, NIS2 entities are not required to register themselves. Registration of cybersecurity entities is coordinated by the NCSC-HR, which draws up the list of essential and important entities using the general and specific criteria described in the act. Entities included in the register are notified of this and must then submit the following information to the authority within 15 to 45 days:
- Name of the entity.
- Overview of the services provided.
- Address of the main establishment and other establishments or the address of its representative.
- Email addresses and telephone numbers of the entity and its representative.
- Overview of member states where services are offered.
- IP address range.
Implement security measures (Art. 30 Cybersecurity Act; Annex II Regulation)
If your organisation is categorised as an essential or important entity, you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These measures are described in the regulation:
- Policy for risk analysis and security of information systems.
- Incident management.
- Business continuity and crisis management.
- Supply chain security.
- Security in the acquisition, development and maintenance of network and information systems, including the response to and disclosure of vulnerabilities.
- Policies and procedures to assess the effectiveness of measures for managing cyber security risks.
- Cyber hygiene and training in cyber security.
- Policies and procedures on cryptography and, where applicable, encryption.
- Security aspects relating to personnel, access policy and asset management.
- Where appropriate, multi-factor authentication, secure communication and secure emergency communication systems within the entity.
- Policy for the coordinated disclosure of vulnerabilities.
For DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines, social networking service providers and trust service providers, the European Commission has specified the technical and methodological requirements for these minimum measures in Implementing Regulation (EU) 2024/2690.
Incident reporting (Art. 37 and Art. 58-74 of the Regulation)
Important and essential entities are required to notify the competent national CSIRT when a significant incident occurs. In addition to the competent CSIRT, they must also notify the recipients of their services if the significant incident affects the provision of services in the (sub)sectors listed in Annexes I and II.
A significant incident is defined in the cybersecurity act as ‘any incident that has significant consequences for the provision of one of the services in the sectors or subsectors listed in Annexes I and II of the Act and that:
- has caused or is likely to cause a serious operational disruption of any of the services in the sectors or subsectors listed in Annexes I and II or financial losses for the entity concerned; or
- has affected or is likely to affect other natural or legal persons by causing significant material or non-material damage’.
The significant incident shall be reported by the categorised entity via the PiXi platform in accordance with the following procedure:
- without undue delay and in any event within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning, indicating the probable cause and any cross-border implications;
- without undue delay and in any event within 72 hours of becoming aware of the significant incident, the entity shall submit an incident report containing an update of the information and an initial assessment of the incident;
- at the request of the responsible CSIRT, the entity shall submit an interim report;
- No later than one month after the incident report, the entity shall submit a final report stating:
- A detailed description of the incident, including its severity and consequences;
- The type of threat or root cause that is likely to have led to the incident;
- Applied and ongoing risk mitigation measures;
- The cross-border consequences of the incident, if applicable.
- If the incident is still ongoing one month after the incident report, the entity shall submit a progress report and a final report shall be submitted within one month after the incident has been resolved.
If the PiXi platform is unavailable, significant incidents must be reported by completing a form which must be emailed to the competent CSIRT (incident@ncsc.hr or zks-incident@cert.hr).
In Implementing Regulation 2024/2690, the European Commission has defined the criteria for a significant incident for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking services, and trust service providers. These special rules take precedence over national rules in the event of any conflict.
Finally, all entities, whether or not they fall within the scope of the cybersecurity act, may voluntarily report (significant) incidents, cyber threats and near misses. Categorised entities do so via the PiXi platform, while non-categorised entities notify the competent CSIRT by email.
Management obligations and responsibilities (Annex II, Section 1 of the Regulation)
The management bodies of essential and important entities are responsible for compliance with the Cybersecurity Act and must fulfil various obligations, including:
- Approving the cybersecurity management measures
- Appointing a person responsible for cybersecurity
- Completing training to acquire sufficient knowledge and skills to identify risks and assess control measures and their impact on their services
- Providing ongoing training to the employees of the cybersecurity entity in the field of cybersecurity
The management bodies are liable for non-compliance with the cybersecurity law.
Cooperation with authorities
Essential and important entities must cooperate with the national authorities. This concerns the exchange of information on the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.
How to demonstrate NIS2 compliance?
As indicated in the section “Enforcement and sanctions” below, the competent authorities carry out inspections of essential and important entities to verify compliance with the cybersecurity law.
In addition, essential entities are required to have an independent audit carried out by an accredited CAB (Conformity Assessment Body) at least every two years and at the request of the competent authority. Based on this independent conformity assessment, the entity can obtain a certificate demonstrating compliance with the NIS2 Act to its stakeholders. An important international standard that can be used for this purpose is ISO/IEC 27001.
Important entities must conduct, or have conducted, a self-assessment at least every two years. At the request of the competent authority, an important entity must also have an external cybersecurity audit conducted.
Enforcement and Sanctions (Art. 86, 101-103)
The competent authority shall carry out inspections to verify compliance by cyber security entities with the requirements laid down in the cyber security law. A distinction must be made between essential and important entities:
- Essential entities are subject to both proactive (ex-ante) and reactive (ex-post) checks and are required to undergo regular conformity assessments.
- Important entities are in principle only checked reactively, after an incident or in the event of suspected non-compliance with the law.
The Croatian cybersecurity act provides for specific sanctions for entities that do not comply with the legal requirements. These sanctions vary according to the nature and seriousness of the infringement and are divided into administrative measures and administrative fines.
Possible administrative measures that may be imposed include warnings, appointing a control officer, temporarily suspending certification or authorisation, temporarily prohibiting the performance of management functions, etc.
Administrative fines that may be imposed are also laid down by law and may amount to up to 10,000,000 euros for essential entities and up to 7,000,000 euros for important entities:
Fines for important entities
- From 5,000 to 7,000,000 euros or from 0.2% to 1.4% of the total annual global turnover of the entity concerned (Art. 102).
- From 1,000 to 6,000 euros for natural persons responsible for managing the measures of the entity concerned.
- From 2,000 to 20,000 euros if requested information regarding the categorisation of entities is not provided (in time) (Art. 103).
- From 200 to 1,000 euros for the person responsible for the entity.
Fines for essential entities
- From 10,000 to 10,000,000 euros or from 0.5% to 2% of the total annual global turnover of the entity concerned (Art. 101).
- From 500 to 3,000 euros for natural persons responsible for managing the measures of the entity concerned.
- From 2,000 to 20,000 euros if requested information regarding the categorisation of entities is not provided (in time) (Art. 103).
- From 200 to 1,000 euros for the person responsible for the entity.
Deadlines
The Croatian cybersecurity act entered into force on 15 February 2024. From that date, categorised entities are required to implement the minimum set of measures to mitigate cyber threats, and significant incidents must be reported in accordance with the prescribed procedure. Furthermore, management bodies must comply with their obligations as described above, and entities must cooperate with the competent authorities and are subject to their supervision.
The Croatian government is required to compile a list of cyber security entities within one year of the law coming into force, i.e. by 15 February 2025 at the latest. The entity must provide the competent CSIRT with the necessary information within 15 to 45 days of notification.
These cybersecurity entities have 12 months from the date of notification by the competent authority to implement organisational measures. From the first working day after the expiry of this period, the entity is required to have cybersecurity audits carried out.
Competent authorities (Annex III cybersecurity law)
As part of the implementation of the NIS2 Act in Croatia, several competent authorities have been designated to supervise compliance with cybersecurity measures within their respective sectors. Croatian legislation covers 19 sectors and 15 subsectors, as specified in Annex III of the national legislation. Below is an overview of the main authorities and their responsibilities:
Sectoral competent authorities:
- Croatian National Bank (CNB): banking sector
- Croatian Financial Services Authority (HANFA): financial market infrastructure
- Croatian Civil Aviation Authority (HACZ): air traffic
- Office of the National Security Council (UVNS): public sector
- Regulatory Authority for Network Industries (HAKOM): electronic communications sector
- Central State Office for the Development of the Digital Society (SDURDD): trust service providers
- Ministry of Science and Education (MZO): education and research sector
National cybersecurity centres
National Cybersecurity Centre (NCSC-HR):
This centre is part of the Croatian Security and Intelligence Agency (SOA) and is responsible for supervising and coordinating cybersecurity measures in all other sectors and subsectors not covered by the above authorities. It is also the competent CSIRT for 15 sectors and 15 subsectors.
National CERT (CERT.hr):
The National CERT plays a central role in handling cybersecurity incidents in the banking sector, financial markets, digital infrastructure, education and the research sector. It operates within the Croatian Academic and Research Network (CARNET).
For a detailed overview of the competent authorities, please consult Annex III of the cybersecurity law. The role of these competent authorities is also described in the FAQs on the website of the National Cybersecurity Centre.