NIS2 Croatia: what you need to know about compliance and certification
The original NIS1 Directive (EU) 2016/1148 was introduced to strengthen cybersecurity across the European Union. Due to the increasing frequency and impact of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555, which introduces stricter cybersecurity requirements and significantly expands the scope of organisations covered.
In Croatia, the NIS2 Directive has been transposed into national law through the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, NN 14/2024), hereinafter referred to as the cybersecurity law, which has been in force since 15 February 2024. This law establishes the legal framework for NIS2 compliance in Croatia and defines which organisations qualify as essential or important entities.
The specific cybersecurity requirements that in-scope organisations must comply with are further detailed in the Regulation on Cybersecurity (Uredba o kibernetičkoj sigurnosti), which entered into force on 22 November 2024. This regulation elaborates on risk management measures, incident reporting obligations and supervisory expectations.
What does NIS2 Croatia mean for your organisation? On this page, you will find a clear overview of the scope of NIS2 in Croatia, the applicable compliance requirements, the role of the competent authorities and the steps organisations can take to prepare in a structured and proportionate way.
Scope of NIS2 in Croatia (Articles 9–13)
The Croatian Cybersecurity Act applies to companies established in Croatia that provide products and/or services within the European Union. While the Croatian Cybersecurity Act largely aligns with the NIS2 Directive, it introduces more detailed and, in some areas, stricter provisions regarding scope and compliance.
The cybersecurity law explicitly defines which public and private entities fall within the scope of NIS2 in Croatia. A distinction is made between essential entities and important entities. When determining this classification, authorities take into account the services provided, the size of the entity and the place of establishment.
In principle, an organisation falls within the scope of NIS2 Croatia if all of the following criteria are met:
- Your organisation provides services within a sector listed in Annex I or Annex II of the Croatian Cybersecurity Act;
- Your organisation exceeds the thresholds for medium-sized enterprises; and
- Your organisation is established in Croatia (with specific exceptions for providers of public electronic communication networks and public electronic communication services).
In addition to the general scope criteria, the Croatian Cybersecurity Act introduces specific extensions to the scope compared to the NIS2 Directive. The following entities may also be required to comply with the cybersecurity law:
- Entities providing ICT service management;
- Local government bodies that are critical to the performance of societal or economic activities;
- Public and private entities in the education sector that are essential to the provision of educational services.
The competent authorities responsible for cybersecurity supervision, including the National Cyber Security Centre (NCSC-HR), compile and maintain lists of entities that fall within the scope of the Croatian Cybersecurity Act. These authorities formally notify organisations of their classification as an essential or important entity. From that moment onward, the notified entities must comply with the obligations laid down in the cybersecurity law.
Articles 9 to 13 of the Croatian Cybersecurity Act set out both general and sector-specific criteria for determining whether an entity qualifies as essential or important.
Essential entities are organisations whose disruption of services could have a significant impact on society, the economy or public security. These include, for example:
- Large enterprises operating in sectors listed in Annex I of the Act, such as energy, transport and healthcare;
- Providers of qualified trust services or top-level domain name registries;
- Government institutions at central, regional or municipal level;
- The sole provider of a service that is vital to society or the state.
Important entities are subject to similar obligations, but are generally supervised under a different enforcement regime. Examples include:
- Medium-sized enterprises operating in sectors listed in Annex I;
- Large enterprises operating in sectors listed in Annex II, where more than 50% of annual turnover is generated from those sectors;
- Micro, small and medium-sized entities providing non-qualified trust services.
The complete list of in-scope sectors is set out in Annex I and Annex II of the Croatian Cybersecurity Act and in Annex I of the Regulation on Cybersecurity.
Unsure whether your organisation qualifies as an essential or important entity under NIS2 Croatia? A structured scope assessment can help clarify your classification and the resulting obligations.
NIS2 obligations for organisations in Croatia
1. Registration (Articles 20–23 Cybersecurity Act; Article 19 Regulation)
In Croatia, organisations are not required to proactively register themselves as NIS2 entities. Instead, the registration of cybersecurity entities is coordinated by the National Cyber Security Centre (NCSC-HR).
Based on the general and specific criteria set out in the Cybersecurity Act, the NCSC-HR compiles a list of essential and important entities. Entities included in this register are formally notified of their classification.
Following notification, the entity must submit the following information to the competent authority within a period ranging from 15 to 45 days:
- Name of the entity
- Overview of the services provided
- Address of the main establishment and any other establishments, or the address of its representative
- Email addresses and telephone numbers of the entity and its representative
- Overview of the Member States where services are provided
- IP address range
2. Implementation of cybersecurity measures (Article 30 Cybersecurity Act; Annex II Regulation)
If your organisation is classified as an essential or important entity, it is required to implement appropriate technical and organisational measures to ensure the security of its network and information systems.
These cybersecurity risk management measures include, at a minimum:
- Policies for risk analysis and information system security
- Incident management
- Business continuity and crisis management
- Supply chain security
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- Cyber hygiene practices and cybersecurity training
- Policies and procedures on cryptography and, where applicable, encryption
- Security aspects relating to personnel, access control and asset management
- Where appropriate, multi-factor authentication, secure communication and secure internal emergency communication systems
- Policies for the coordinated disclosure of vulnerabilities
For certain digital and trust service providers, the European Commission has further specified minimum cybersecurity measures in Implementing Regulation (EU) 2024/2690. These rules apply, among others, to DNS service providers, cloud computing providers, data centre service providers, managed service providers and trust service providers.
3. Incident reporting (Article 37 Cybersecurity Act; Articles 58–74 Regulation)
Essential and important entities must notify the national CSIRT when a significant incident occurs. In addition, service recipients must be informed if the incident affects the provision of services in the sectors or subsectors listed in Annexes I and II.
Under the Cybersecurity Act, a significant incident is defined as an incident that:
- has caused or is likely to cause serious operational disruption or financial loss; or
- has affected or is likely to affect other natural or legal persons by causing significant material or non-material damage.
Significant incidents must be reported via the PiXi platform in accordance with the following timeline:
- Within 24 hours: submission of an early warning indicating the probable cause and any cross-border implications;
- Within 72 hours: submission of an incident report with updated information and an initial assessment;
- At the request of the CSIRT: submission of an interim report;
- No later than one month: submission of a final report including:
  - a detailed description of the incident and its impact;
  - the likely threat or root cause;
  - applied and ongoing mitigation measures;
  - any cross-border consequences.
- If the incident is ongoing after one month, a progress report must be submitted, followed by a final report within one month after resolution.
If the PiXi platform is unavailable, incidents must be reported via the incident reporting form by email to the competent CSIRT (incident@ncsc.hr or zks-incident@cert.hr).
For certain digital and trust service providers, the criteria for determining whether an incident is significant are further specified in Implementing Regulation (EU) 2024/2690. Where applicable, these EU rules prevail over national provisions.
Entities that do not fall within the scope of the Cybersecurity Act may also voluntarily report incidents or cyber threats. Categorised entities may do so via the PiXi platform, while non-categorised entities may notify the CSIRT by email.
4. Management obligations and responsibilities (Annex II, Section 1 Regulation)
The management bodies of essential and important entities are ultimately responsible for compliance with the Cybersecurity Act. Their obligations include, among others:
- Approving cybersecurity risk management measures
- Appointing a person responsible for cybersecurity
- Ensuring that management follows appropriate training
- Providing continuous cybersecurity training for employees
Members of the management bodies may be held liable for non-compliance with the cybersecurity law.
5. Cooperation with authorities
Essential and important entities must cooperate with national authorities. This includes information sharing on network and information system security, incident reporting, and cooperation with supervisory and inspection activities.
Would you like to translate these obligations into a practical compliance roadmap? A structured readiness or gap assessment can help prioritise actions and prepare for supervisory oversight in a proportionate way.
How to demonstrate NIS2 compliance in Croatia
As explained in the section on enforcement and sanctions, the competent authorities may carry out inspections of essential and important entities to verify compliance with the Croatian Cybersecurity Act. Organisations must therefore be able to demonstrate, at any time, that appropriate cybersecurity measures are implemented and maintained.
In addition, essential entities are required to undergo an independent cybersecurity audit by an accredited conformity assessment body (CAB) at least once every two years and upon request of the competent authority.
Based on such an independent conformity assessment, an organisation may obtain a certificate or audit report that can serve as supporting evidence of compliance with the NIS2 requirements towards stakeholders and supervisory authorities. This does not constitute a formal NIS2 certification and does not replace supervisory oversight.
Important entities are required to perform a self-assessment at least every two years. At the request of the competent authority, an important entity may also be required to undergo an external cybersecurity audit.
How to demonstrate NIS2 compliance in practice
Demonstrating NIS2 compliance in Croatia is not a one-off exercise. In practice, organisations typically follow a structured approach consisting of the following steps:
- Confirm scope and classification: verify whether your organisation qualifies as an essential or important entity and document the applicable obligations under the Croatian Cybersecurity Act.
- Implement cybersecurity risk management measures: establish technical and organisational measures addressing risks to network and information systems, in line with NIS2 requirements.
- Document policies and evidence: maintain clear documentation showing that measures are implemented, monitored and periodically reviewed.
- Perform assessments and audits: conduct required self-assessments and, where applicable, independent audits by an accredited CAB.
- Continuously improve: use audit results, incidents and management reviews to improve cybersecurity maturity on an ongoing basis.
An internationally recognised standard that is often used to structure and demonstrate these measures is ISO/IEC 27001. ISO/IEC 27001 certification is not mandatory under NIS2, but is commonly used as a practical framework to support compliance.
Enforcement and sanctions under NIS2 in Croatia (Articles 86, 101–103)
The competent authorities may carry out inspections to verify whether cybersecurity entities comply with the requirements laid down in the Croatian Cybersecurity Act. In this context, a distinction is made between essential entities and important entities:
- Essential entities may be subject to both proactive (ex-ante) and reactive (ex-post) supervision and may be required to undergo periodic conformity or compliance assessments.
- Important entities are, as a rule, supervised primarily on a reactive basis, for example following an incident or where there are indications of non-compliance.
The Croatian Cybersecurity Act provides for specific sanctions in cases of non-compliance. These sanctions depend on the nature and seriousness of the infringement and are divided into administrative measures and administrative fines.
Administrative measures
Possible administrative measures that may be imposed include, among others:
- Issuing warnings
- Appointing a control or supervisory officer
- Temporarily suspending certificates or authorisations
- Temporarily prohibiting the performance of management functions
- Other corrective measures provided for under the Cybersecurity Act
Administrative fines
Administrative fines are laid down by law and may amount to up to €10,000,000 for essential entities and up to €7,000,000 for important entities, depending on the infringement.
Fines applicable to important entities
- From €5,000 to €7,000,000 or from 0.2% to 1.4% of the total annual global turnover of the entity concerned (Article 102).
- From €1,000 to €6,000 for natural persons responsible for managing the cybersecurity measures of the entity.
- From €2,000 to €20,000 where requested information relating to the categorisation of entities is not provided in due time (Article 103).
- From €200 to €1,000 for the person responsible for the entity.
Fines applicable to essential entities
- From €10,000 to €10,000,000 or from 0.5% to 2% of the total annual global turnover of the entity concerned (Article 101).
- From €500 to €3,000 for natural persons responsible for managing the cybersecurity measures of the entity.
- From €2,000 to €20,000 where requested information relating to the categorisation of entities is not provided in due time (Article 103).
- From €200 to €1,000 for the person responsible for the entity.
Want to understand how these enforcement powers and sanctions apply to your organisation? Preparing clear documentation and evidence of compliance can significantly reduce enforcement risks during inspections.
NIS2 implementation timeline and deadlines in Croatia
The Croatian Cybersecurity Act entered into force on 15 February 2024. From that date onward, organisations that qualify as essential or important entities are required to comply with the applicable cybersecurity obligations. This includes implementing minimum cybersecurity risk management measures, reporting significant incidents in accordance with the prescribed procedures, and cooperating with the competent authorities.
Below is an overview of the key milestones and deadlines relevant for NIS2 compliance in Croatia:
- 15 February 2024: Entry into force of the Croatian Cybersecurity Act.
- By 15 February 2025: Deadline for the Croatian authorities to compile and finalise the list of essential and important entities.
- Within 15 to 45 days after notification: Notified entities must provide the competent CSIRT with the required information.
- Within 12 months after notification: Implementation of the required organisational and cybersecurity risk management measures.
- From the first working day after this period: Obligation to undergo cybersecurity audits, where applicable.
Please note that the exact timing of certain obligations depends on the date on which an organisation is formally notified of its classification as an essential or important entity by the competent authority.
Unsure how these deadlines apply to your organisation? A structured planning or readiness assessment can help translate this timeline into concrete and prioritised actions.
Competent authorities for NIS2 in Croatia (Annex III Cybersecurity Act)
For the implementation and supervision of the NIS2 Directive in Croatia, multiple competent authorities have been designated. Croatian legislation covers 19 sectors and 15 subsectors, as specified in Annex III of the Cybersecurity Act. Each authority is responsible for supervising compliance within its respective sector.
Below is an overview of the main sectoral competent authorities:
- Croatian National Bank (CNB): banking sector
- Croatian Financial Services Authority (HANFA): financial market infrastructure
- Croatian Civil Aviation Authority (HACZ): air traffic
- Office of the National Security Council (UVNS): public sector
- Regulatory Authority for Network Industries (HAKOM): electronic communications sector
- Central State Office for the Development of the Digital Society (SDURDD): trust service providers
- Ministry of Science and Education (MZO): education and research sector
National cybersecurity centres
National Cybersecurity Centre (NCSC-HR)
The National Cybersecurity Centre is part of the Croatian Security and Intelligence Agency (SOA). It is responsible for supervising and coordinating cybersecurity measures in all sectors and subsectors that are not covered by the sectoral authorities listed above. In addition, NCSC-HR acts as the competent CSIRT for 15 sectors and 15 subsectors.
National CERT (CERT.hr)
The National CERT plays a key role in handling cybersecurity incidents in several sectors, including banking, financial markets, digital infrastructure, education and research. It operates within the Croatian Academic and Research Network (CARNET).
For a comprehensive and legally binding overview of all competent authorities, please refer to Annex III of the Cybersecurity Act. Further explanations of the roles of these authorities are also available in the FAQs published by the National Cybersecurity Centre.
Not sure which authority supervises your organisation under NIS2 Croatia? Clarifying the competent authority is an important first step in preparing for supervision, incident reporting and compliance activities.
Frequently asked questions about NIS2 in Croatia
Does NIS2 apply to my organisation in Croatia?
NIS2 applies to organisations that qualify as essential or important entities under the Croatian Cybersecurity Act. This depends on the sector in which the organisation operates, the services it provides, its size and whether it is established in Croatia. In certain cases, organisations may also be included in scope following designation by the competent authority.
What is the difference between essential and important entities?
Essential entities are organisations whose disruption of services could have a significant impact on society, the economy or public security. Important entities operate in relevant sectors but are generally subject to a less intensive supervisory regime. Both categories must comply with NIS2 obligations, although supervision and enforcement may differ.
Do organisations need to register under NIS2 in Croatia?
No. Organisations are not required to proactively register themselves. The National Cyber Security Centre (NCSC-HR) compiles a list of essential and important entities and formally notifies organisations of their classification. Following notification, entities must provide the required information to the competent authority within the prescribed timeframe.
Which authority supervises NIS2 compliance in Croatia?
Several competent authorities supervise NIS2 compliance in Croatia, depending on the sector. The National Cyber Security Centre (NCSC-HR) coordinates supervision in sectors not covered by sectoral authorities and also acts as the national CSIRT. Other authorities, such as the Croatian National Bank and HAKOM, supervise specific sectors.
What cybersecurity measures are required under NIS2 in Croatia?
Essential and important entities must implement appropriate technical and organisational measures to manage cybersecurity risks. These measures include, among others, risk analysis, incident management, business continuity, supply-chain security, access control, cryptography and cybersecurity training.
Are organisations required to report cyber incidents?
Yes. Essential and important entities must report significant incidents to the competent CSIRT. Incidents must be reported via the PiXi platform, or by email if the platform is unavailable. In certain cases, service recipients must also be informed.
When is an incident considered significant?
An incident is considered significant if it causes or may cause serious operational disruption or financial loss, or if it affects other persons by causing significant material or non-material damage. Additional criteria apply to certain digital and trust service providers under EU Implementing Regulation 2024/2690.
Are audits required under NIS2 in Croatia?
Yes. Essential entities are required to undergo an independent cybersecurity audit at least every two years and upon request of the competent authority. Important entities must conduct self-assessments and may also be required to undergo external audits.
Is there an official NIS2 certification?
No. NIS2 does not introduce an official certification scheme. However, independent audits or certifications, such as ISO/IEC 27001, can serve as supporting evidence of compliance with the Croatian Cybersecurity Act.
What penalties apply in case of non-compliance?
Non-compliance may result in administrative measures or administrative fines imposed by the competent authorities. Fines can reach up to €10,000,000 or 2% of global annual turnover for essential entities and up to €7,000,000 or 1.4% for important entities, depending on the infringement.
What are the key deadlines for NIS2 in Croatia?
The Croatian Cybersecurity Act entered into force on 15 February 2024. Authorities must finalise the list of essential and important entities by 15 February 2025. After notification, organisations must implement required measures within defined timeframes and comply with audit obligations where applicable.
