EU NIS2 in Croatia

Croatia was among the earlier EU members to transpose the NIS2 Directive. The national implementation is based on the Cybersecurity Act (CCA, Zakon o kibernetičkoj sigurnosti). The law was published and entered into force in February 2024, repealing the 2018 act that implemented the original NIS Directive.
The CCA affects existing laws that were adopted to implement the original NIS Directive. For example, the Act on Cybersecurity of Operators of Essential Services and Digital Service Providers (Zakona o kibernetičkoj sigurnosti operatora ključnih usluga i davatelja digitalnih usluga, Official Gazette 64/2018) has been repealed.
In November 2024, the Croatian government adopted a comprehensive Cybersecurity Regulation (Zakon o kibernetičkoj sigurnosti, Narodne novine 135/2024, Official Gazette) specifying the technical details and procedures for the NIS2 cybersecurity requirements under the new law.
Implementation in Croatia
Current status
In Croatia, the Office of the National Security Council (UVNS, Ured Vijeća za nacionalnu sigurnost) coordinated the implementation of the NIS2 Directive. The Croatian Ministry of Defence (MORH) published the initial draft of the Cybersecurity Act (CCA) in September 2023. The CCA was enacted in January 2024 (Official Gazette 14/2024) and entered into force on 15 February 2024.
A detailed Regulation on Cybersecurity specifying technical requirements and categorization procedures followed in November 2024 (Official Gazette 135/2024). Transition periods of up to nine months apply. Competent authorities planned to notify entities of their status by April 2025, after which affected entities have up to one year to comply with the cybersecurity obligations in full.
Authorities
The national regulator is the Croatian Security and Intelligence Agency (SOA, Sigurnosno-obavještajna agencija), which hosts the National Cyber Security Center (NCSC-HR) and coordinates the implementation of NIS2. Competent authorities began the process of categorizing essential and important entities across all sectors in late 2024, scheduled to be completed in April 2025, when organizations falling under the law will have received an official notification of their status.
Supervising authorities in Croatia are assigned primarily on a sectoral basis: different authorities oversee compliance depending on the (sub)sector or type of service provided, with SOA/NCSC-HR providing centralized coordination and sectoral regulators handling oversight within their respective domains.
The Croatian National Computer Emergency Response Team (CERT.hr), within CARNET, supports NCSC-HR as the CSIRT and is responsible for operating the national reporting platform (PiXi).
NIS2 Requirements
National differences
- Compliance: For essential entities, compliance can only be proven through audits. The audit cycle is two years, but shorter cycles may be required by the competent authority. Important entities may conduct a self-assessment. However, the competent authority may require an audit in exceptional cases.
- Incident reporting: Essential and important entities must report significant incidents. Unlike the NIS2 Directive, the Croatian draft omits the 24h/72h reporting deadlines. The reporting platform will be operated by CARNET, the Croatian academic and research network.
- Authority-led affectedness determination: Entities are not required to self-identify as essential or important entities. The competent authority proactively notifies all affected entities of their obligations.
- Threat detection system: The Croatian intelligence agency SOA will develop a national system for detecting cyber threats, which essential and important entities can access.
- Additional sectors: Croatia expands the scope beyond NIS2 by including:
  - Public administration on the local level (optional under Art. 2(5)(a) NIS2)
  - Education System (Sustav Obrazovanja): both public and private institutions are listed in Annex II
- New entity category: Croatia introduces a new type of essential entity not covered by NIS2:
  - Information intermediaries involved in the exchange of electronic invoices between companies, regardless of their size
- Omissions: Domain name registration service providers (covered in Annex I of the NIS2 Directive) are not included in the Croatian law.
- Different CSIRTs: Generally, the Croatian National Cybersecurity Centre acts as the CSIRT. For banking, financial market infrastructure, digital infrastructure, research, and the education system, the national CSIRT is directly responsible.
Entities and sectors
Sectors
Croatia aligns its sector definitions closely with EU NIS2. The Cybersecurity Act directly references the EU criteria for essential (ključni) and important (važni) entities, and defines them accordingly. However, Croatia introduces the Education System (Sustav Obrazovanja) as an additional sector compared to the original NIS2 framework.
Entities are categorized by competent authorities with a process starting in 2024 and entities receiving notifications in early 2025. These formal notices trigger the entities’ obligations under the law. Entities only become obliged to comply once they are informed of being classified as essential or important entities.
Annex I Sectors

| Sub-Sector | Services | Supervising Authority |
|---|---|---|
| Energetika (Energy) | | |
| Električna energija (Electricity) | Electricity supply companies; distribution system operators; transmission point operators; electricity producers; nominated electricity market operators; charging point operators; service providers for aggregation, demand-side management and energy storage (ADMS providers) | Croatian Energy Regulatory Agency (HERA) |
| Centralizirano grijanje i hlađenje (Centralized heating and cooling) | Operators of central heating or cooling facilities | HERA |
| Nafta (Oil) | Operators of oil pipelines; operators of oil production, refining, storage and transportation facilities | Ministry of Economy and Sustainable Development |
| Plin (Gas) | Natural gas suppliers, including public service; distribution system operators; gas transmission operators; gas storage operators; operators of LNG terminals; natural gas companies; operators of natural gas refining and processing plants | HERA |
| Vodik (Hydrogen) | Operators of hydrogen production, storage and transport | Ministry of Economy and Sustainable Development and/or HERA |
| Promet (Transport) | | |
| Zračni promet (Air transport) | Commercial air transport operators (airlines); airport operators and support staff; air navigation service providers | Croatian Civil Aviation Agency (CCAA) |
| Željeznički promet (Rail transport) | Rail infrastructure operators; rail infrastructure managers, personnel and service facility operators | Croatian Regulatory Authority for Network Industries (HAKOM) |
| Vodeni promet (Water transport) | Passenger and freight transport companies on inland waterways, including longer routes (classified as maritime transport under EU Regulation 725/2004); port management and facility operators; providers of port infrastructure and facilities (support services); vessel traffic service providers | Ministry of the Sea, Transport and Infrastructure (MMPI) |
| Cestovni promet (Road transport) | Providers of road traffic management and control services; operators of intelligent transport systems (ITS) | MMPI |
| Bankarstvo (Banking) | Credit institutions | Croatian National Bank (HNB) |
| Infrastruktura financijskog tržišta (Financial market infrastructures) | Trading venue operators; central counterparties (CCPs) | Croatian Financial Services Supervisory Agency (Hanfa) |
| Zdravstvo (Health) | Healthcare providers | Ministry of Health (Ministarstvo zdravstva) |
| | EU reference laboratories | Ministry of Health |
| | R&D of medicinal products | Agency for Medicinal Products and Medical Devices (HALMED) |
| | Manufacturing of medicinal products | HALMED |
| | Manufacturing of emergency-use medical products and devices | HALMED |
| Voda za ljudsku potrošnju (Drinking water) | Suppliers and distributors of water intended for human consumption (excluding distributors for whom water distribution for human consumption is not a core part of their overall activity) | Ministry of Health |
| Otpadne vode (Waste water) | Companies collecting, disposing of or treating urban, domestic or industrial wastewater | Ministry of Economy and Sustainable Development |
| Digitalna infrastruktura (Digital infrastructure) | | |
| Internet exchange points, DNS, TLD | Internet exchange point operators; DNS service providers, except root name servers; top-level domain name registries | HAKOM |
| Cloud, data centre and content delivery services | Cloud service providers; data centre service providers; content delivery network providers | HAKOM |
| Electronic communications and trust services | Trust service providers; providers of public electronic communications networks; providers of publicly available electronic communications services | HAKOM |
| Upravljanje uslugama IKT-a (B2B) (ICT service management, B2B) | Managed service providers; managed security service providers; information intermediaries as defined by the regulation governing the exchange of electronic invoices between entrepreneurs | HAKOM |
| Javni sektor (Public administration) | State administration bodies; other public bodies and legal entities with public authority; private and public entities that manage, develop or maintain state information infrastructure; local and regional self-government units | Ministry of Justice and Public Administration |
| Svemir (Space) | Operators of ground-based infrastructure supporting space-based services, whether state- or privately owned and whether managed by EU Member States or private parties | Ministry of Science and Education |
Annex II Sectors

| Sub-Sector | Services | Supervising Authority |
|---|---|---|
| Poštanske i kurirske usluge (Postal and courier services) | Postal services and courier delivery, including express and universal postal services | HAKOM |
| Gospodarenje otpadom (Waste management) | Entities engaged in waste management, excluding entities for which waste management is not the main economic activity | Ministry of Economy and Sustainable Development |
| Izrada, proizvodnja i distribucija kemikalija (Manufacture, production and distribution of chemicals) | Entities handling industrial chemical production and distribution | Ministry of Health / Croatian Institute of Public Health (HZJZ) |
| Proizvodnja računala i elektroničkih i optičkih proizvoda (Manufacture of computer, electronic and optical products) | Companies manufacturing computer, electronic and optical products as defined in NACE Rev. 2 Division 26 | Ministry of Economy and Sustainable Development |
| Proizvodnja električne opreme (Manufacture of electrical equipment) | Companies manufacturing electrical equipment as defined in NACE Rev. 2 Division 27 | Ministry of Economy and Sustainable Development |
| Proizvodnja strojeva i uređaja d. n. (Manufacture of machinery and equipment n.e.c.) | Companies manufacturing machinery and equipment n.e.c. as defined in NACE Rev. 2 Division 28 | Ministry of Economy and Sustainable Development |
| Proizvodnja motornih vozila i prikolica (Manufacture of motor vehicles and trailers) | Companies manufacturing motor vehicles, trailers and semi-trailers as defined in NACE Rev. 2 Division 29 | Ministry of Economy and Sustainable Development |
| Proizvodnja ostalih prijevoznih sredstava (Manufacture of other transport equipment) | Companies manufacturing other transport equipment as defined in NACE Rev. 2 Division 30 | Ministry of Economy and Sustainable Development |
| Pružatelji digitalnih usluga (Digital service providers) | Online marketplaces, search engines, social networking platforms | HAKOM |
| Istraživanje (Research) | Public and private research institutions critical to national research or innovation | Ministry of Science and Education |
| Školsko obrazovanje (Education system) | Private and public entities from the education system | Ministry of Science and Education |
Requirements
Cybersecurity
Risk Management
The CCA and its implementing regulation define detailed cybersecurity risk management obligations that go beyond the general requirements of the NIS2 Directive. These are laid out in Articles 35–57, where the CCA formalizes a structured, multi-level risk assessment and control system based on national profiling and sectoral exposure.
Entities categorized as essential or important must undergo a national cybersecurity risk assessment, which determines the binding level of risk management obligations based on factors such as:
- Size and sector of the entity
- Relevance of typical cyberattacks (e.g., espionage, sabotage, disinformation)
- Severity and probability of sector-specific threats
- Profile and capability of threat actors (e.g., APTs, terrorists, cybercriminals)
- Historical and global cybersecurity trends
This national risk assessment results in a low, medium, or high risk rating per entity (Art. 38), with corresponding cybersecurity obligations:
- Basic measures for low risk
- Intermediate measures for medium risk
- Advanced measures for high risk
Each level consists of predefined cybersecurity practice bundles set out in Annex II, including:
- Technical, operational, and organizational controls
- Risk management processes and documentation
- IT/OT system applicability
- Mandatory (“A”), conditional (“B”), or voluntary (“C”) subsets of measures
A formalized scoring system calculates an entity’s compliance and maturity level, supported by official guidelines and a state-issued risk calculator (Arts. 43–45, 57). Mandatory updates to risk management measures must occur at least annually, or after major incidents, business changes, or audit findings (Art. 48).
Security Measures
Croatia introduces a graded and measurable framework to implement cybersecurity risk management requirements via:
- Three-tiered measure levels linked to assessed risk
- Mandatory vs. voluntary control subsets per Annex II
- Regular updates and reviews based on incidents, audits, or organizational changes
- Entity self-assessments every two years for important entities (Art. 52), scored and documented through a formal Declaration of Conformity (Art. 55)
- Physical security extensions for digital infrastructure providers (Art. 46)
- Guidelines and calculators for both public and private actors, ensuring consistency with international standards (Arts. 40, 49, 50)
Entities not formally categorized under the Act (e.g., SMEs or startups) may still voluntarily adopt basic-level controls or use published best practice guidelines (Arts. 47, 50).
To ensure implementation and comparability, the central cybersecurity authority in Croatia publishes:
- Guidelines for risk assessments and self-assessments
- Mapping tables between Croatian controls and EU/international standards
- Official forms and scoring tools for audits and maturity evaluation
Reporting Obligations
Incident Reporting
Croatia’s NIS2 implementation sets out a detailed and highly structured framework for incident notification by essential and important entities. A "significant incident" is defined using detailed technical and impact criteria (Arts. 59–62), including service downtime, data compromise, financial loss, reputational damage, or harm to third parties. Repeated smaller incidents with a shared root cause can also qualify as significant.
Entities must report incidents to the competent CSIRT in several stages (Art. 65):
- Early warning within 24 hours of awareness (Art. 66)
- Initial notification within 72 hours (Art. 67)
- Final report within 30 days (Art. 70)
- Progress reports every 30 days if the incident is ongoing (Art. 71)
- Interim reports if requested by the CSIRT (Art. 69)
Reports must be submitted via the national PiXi platform (Art. 94), which all entities are required to use. The responsible authorities must notify entities of their platform access and ensure accounts are set up (Arts. 95–97). CSIRTs provide feedback, coordinate incident resolution, and report significant cross-border or cross-sector incidents to the single point of contact (Arts. 76–83). Entities must also inform affected service recipients within 72 hours (Art. 85) and, where applicable, warn them of serious threats (Art. 86).
In addition to mandatory reporting, Croatia also allows and encourages the voluntary reporting of other security incidents, cyber threats, and near misses (Arts. 87–89). These reports must be submitted via the national platform within 30 days, and CSIRTs may offer operational advice or reclassify the event as a significant incident if criteria are met. This mechanism helps identify emerging threats and fosters early intervention, even when thresholds for formal incident reporting are not met.
The reporting timelines, formats, and follow-ups are standardized across sectors, with optional sector-specific guidelines issued where necessary (Arts. 72–74). Compared to other Member States, Croatia’s model stands out for its high level of procedural formalization and emphasis on centralized coordination between CSIRTs, sectoral authorities, and the single point of contact. This prescriptive and platform-integrated approach contrasts with the more flexible model adopted in NIS2 in Finland, where reporting requirements allow for more discretion and sectoral adaptation.
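As an added illustration of the staged reporting timeline above (this is example code written for this page, not code from the page itself or from any Croatian authority), the following Python sketch turns the page's deadlines into a schedule that an internal incident tracker could enforce and check for missed filings. The stage names, the `Deadline` record, the `overdue` check and the sample dates are my own constructions. One point is an assumption rather than something the page states: for an incident still open at day 30, the sketch schedules a progress report every 30 days from awareness until resolution and places the final report 30 days after resolution; the page only gives the 30-day figures for Art. 70 and Art. 71, so the exact anchoring should be checked against the regulation text.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Deadlines as summarized on this page (Croatian Cybersecurity Act, Arts. 65-71 and 85).
EARLY_WARNING = timedelta(hours=24)         # Art. 66
INITIAL_NOTIFICATION = timedelta(hours=72)  # Art. 67
RECIPIENT_NOTICE = timedelta(hours=72)      # Art. 85, notice to affected service recipients
FINAL_REPORT = timedelta(days=30)           # Art. 70
PROGRESS_INTERVAL = timedelta(days=30)      # Art. 71, while the incident is ongoing

# One entry in the schedule: a stage name (my own labels), the article it comes from, a due time.
Deadline = namedtuple("Deadline", "stage article due")

# Constructed sample: awareness on a Monday morning (hypothetical date, not from the page).
SAMPLE_AWARE = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)


def reporting_schedule(aware_at, resolved_at=None, interim_requested_at=None, until=None):
    """Build the ordered list of report deadlines for one significant incident.

    aware_at             -- when the entity became aware of the incident (tz-aware datetime)
    resolved_at          -- when handling ended; None while the incident is still ongoing
    interim_requested_at -- time of a CSIRT request for an interim report (Art. 69), if any
    until                -- for an ongoing incident, how far ahead to list progress reports
                            (defaults to 90 days after awareness)

    Assumption, not stated on the page: an incident still open at day 30 owes a progress
    report every 30 days from awareness until resolution, and the final report falls
    30 days after resolution.
    """
    schedule = [
        Deadline("early_warning", "Art. 66", aware_at + EARLY_WARNING),
        Deadline("initial_notification", "Art. 67", aware_at + INITIAL_NOTIFICATION),
        Deadline("recipient_notice", "Art. 85", aware_at + RECIPIENT_NOTICE),
    ]
    if interim_requested_at is not None:
        schedule.append(Deadline("interim_report", "Art. 69", interim_requested_at))

    if resolved_at is not None and resolved_at <= aware_at + FINAL_REPORT:
        # Closed within the standard window: one final report, no progress reports.
        schedule.append(Deadline("final_report", "Art. 70", aware_at + FINAL_REPORT))
    else:
        # Still open at day 30: progress reports every 30 days until resolution
        # (or until the planning horizon for an incident that is still ongoing).
        end = resolved_at if resolved_at is not None else (until or aware_at + timedelta(days=90))
        due = aware_at + PROGRESS_INTERVAL
        while due <= end:
            schedule.append(Deadline("progress_report", "Art. 71", due))
            due += PROGRESS_INTERVAL
        if resolved_at is not None:
            schedule.append(Deadline("final_report", "Art. 70", resolved_at + FINAL_REPORT))

    # Stable sort keeps insertion order for deadlines that coincide (Art. 67 and Art. 85).
    schedule.sort(key=lambda d: d.due)
    return schedule


def overdue(schedule, filed, now):
    """Return the deadlines that have passed by `now` without a matching filing.

    `filed` is a set of (stage, due) pairs already submitted via the PiXi platform, keyed
    on the due time so that a progress report filed for day 30 does not satisfy day 60.
    """
    return [d for d in schedule if d.due <= now and (d.stage, d.due) not in filed]


if __name__ == "__main__":
    # Incident closed 45 days after awareness: one progress report, then the final report.
    for d in reporting_schedule(SAMPLE_AWARE, resolved_at=SAMPLE_AWARE + timedelta(days=45)):
        print(f"{d.due.isoformat()}  {d.stage:<22} {d.article}")
```

Feeding `overdue` with the set of filings already recorded against the PiXi platform gives a simple daily check that flags any stage whose deadline has passed without a submission; the interim report (Art. 69) is included only when the CSIRT has actually requested one, since it has no fixed deadline of its own.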
Sanctions
The Croatian Cybersecurity Act outlines the sanctions framework in Arts. 101–102. Sanctions can be imposed if an operator fails to comply with cybersecurity obligations, including:
- Implementing appropriate cybersecurity risk management measures (Art. 42)
- Conducting a cybersecurity self-assessment and submitting a declaration of conformity (Arts. 51–55)
- Timely reporting of incidents, threats, and near misses (Arts. 64–74)
For essential entities (Art. 101), fines range from EUR 10,000 to EUR 10 million or from 0.5% to 2% of global annual turnover, whichever is higher. Responsible individuals may be fined EUR 1,000 to EUR 6,000.
For important entities (Art. 102), fines range from EUR 5,000 to EUR 7 million or from 0.2% to 1.4% of global annual turnover. Responsible individuals may be fined EUR 500 to EUR 3,000.
Audits
Croatia mandates biennial cybersecurity audits for essential entities (Arts. 51–57). These audits assess the entity’s compliance with the prescribed risk management level.
Important entities must perform self-assessments and submit a declaration of conformity (Art. 55) but are not subject to regular audits by default. Audits may be required in case of non-compliance, serious incidents, or supervisory requests.
Audits must be conducted by qualified internal or external staff with appropriate certifications (Art. 56). The central authority provides scoring guidelines and tools for assessment (Art. 57).
Sources
- Agenda of the 253rd government session with a link to the second NIS2 draft law, website of the Croatian government, 27.09.2023
- Final NIS2 draft law, website of the Croatian government, 13.12.2023
- Agenda of the 271st government session with a link to the final NIS2 draft law, website of the Croatian government, 13.12.2023
- Consultation results on the first Croatian NIS2 draft law, website of the Croatian consultation service, 16.08.2023
- First NIS2 draft law, website of the Croatian consultation service, 17.07.2023