Dejan KosuticCroatia may be the latest country to join the European Union, but it seems to be the quickest when it comes to NIS 2 — it is the first country to enact local legislation based on the NIS 2 Directive. Its Cybersecurity Act (Zakon o kibernetičkoj sigurnosti NN 14/2024) came into effect in February 2024 — so, did this Act really follow NIS 2, and how much did it add on its own?
Croatia’s Cybersecurity Act follows NIS 2 very closely, clarifies some vague points from NIS 2 like audit and supervision, and adds some new requirements like self-assessment.
The basics of Croatia’s Cybersecurity Act
Croatia’s Cybersecurity Act (CCA) was published in February 2024, and its official text can be found here (in Croatian): https://narodne-novine.nn.hr/clanci/sluzbeni/2024_02_14_254.html
The most important goal of CCA is to define cybersecurity rules for critical infrastructure organizations (essential and important entities) that operate in Croatia. By publishing CCA, Croatia is enacting NIS 2 into local legislation — this process is called transposition.
Croatia’s Cybersecurity Act replaces the old Act on cybersecurity of operators of essential services and digital service providers (NN 64/18) that was published in 2018, as well as Regulation on cybersecurity of operators of essential services and digital service providers (NN 68/18).
The rest of this article will focus on cybersecurity requirements that essential and important entities need to comply with — the purpose of this article is not to describe the role of government bodies that need to enforce CCA compliance.
| Croatia’s Cybersecurity Act (CCA) compared to NIS 2 | |
| Which companies must comply | The same criteria as in NIS 2, but only for companies that are registered in Croatia. The exceptions are providers of public electronic communications networks and providers of publicly available electronic communications services — they have to be compliant with CCA no matter where they are registered. |
| Deadlines | The competent authority will notify essential and important entities by February 2025 at the latest, and they must comply within 1 year of this notification. |
| Responsibilities of senior management | The same as NIS 2. |
| Importance of training | The same as NIS 2. |
| Risk-based approach to cybersecurity | The same as NIS 2. |
| Cybersecurity measures | The same as NIS 2. |
| Supply chain security | The same as NIS 2. |
| Incident reporting obligations | The same as NIS 2. |
| Using certified IT products and services | The same as NIS 2. |
| Supervision and enforcement | Supervision for essential entities must be performed every 3 to 5 years. A cybersecurity audit for essential entities must be performed at least once every 2 years. |
| Fines | For essential entities: between €10,000 and €10 million or between 0.5% and 2% of annual turnover (whichever is higher); for members of the senior management: between €1,000 and €6,000. For important entities: between €5,000 and €7 million or between 0.2% and 1.4% of annual turnover (whichever is higher); for members of the senior management: between €500 and €3,000. |
| Completely new requirements | Cybersecurity self-assessment for important entities must be performed at least once every 2 years. |
Which companies must comply with Croatia’s Cybersecurity Act?
CCA is relevant for companies registered in Croatia that provide products and services in any EU country. There is an exception to this rule, because CCA mandates that the following companies must comply with CCA even if they are not registered in Croatia, if they are providing their services in the country:
- Providers of public electronic communications networks
- Providers of publicly available electronic communications services
CCA defines the same criteria as NIS 2 for categorizing companies and other organizations as essential and important entities. However, CCA has two additional requirements that do not exist in NIS 2:
- Public administration bodies at the local level are considered important entities if they are assessed as crucial for performing societal or economic activities.
- Educational institutions are considered important entities if they are assessed as crucial for performing educational activities.
See also: Which companies must comply with NIS 2? Essential vs. important entities.
Deadlines
Competent authorities will notify entities of their categorization as essential or important by February 2025 at the latest, and essential and important entities must implement all cybersecurity measures within 1 year of this notification.
This means, if competent authorities are very slow in sending these notifications, the latest deadline for compliance will be February 2026.
Supervision and enforcement
CCA mandates that supervision for essential entities must be performed every 3 to 5 years, while for important entities the supervision is done only if it does not comply with cybersecurity laws and regulations. Supervision is performed by competent authorities.
CCA also defines the obligation of the cybersecurity audit — essential entities must perform such audit at least once every 2 years, while important entities must perform it only on the request of a competent authority. Cybersecurity audits are performed only by licensed cybersecurity auditors.
There is one pretty powerful stipulation in CCA — if an essential entity does not perform the corrective actions requested by a competent authority, the competent authority can withdraw its business license, and it can forbid the top management from performing its managerial duties in the company.
Fines
Fines for noncompliance with CCA are the following:
- For essential entities — between 10,000 EUR and 10,000,000 EUR or between 0.5% and 2% of annual turnover (whichever is higher); for members of the senior management — between 1,000 EUR and 6,000 EUR.
- For important entities — between 5,000 EUR and 7,000,000 EUR or between 0.2% and 1.4% of annual turnover (whichever is higher); for members of the senior management — between 500 EUR and 3000 EUR.
New requirements in CCA
Since regular cybersecurity supervision and audits are mandatory for essential entities (but not for important entities), CCA has introduced a completely new requirement that covers the gap for important entities: regular self-assessment.
This cybersecurity self-assessment is mandatory only for important entities, and they must perform it at least once every 2 years. The rules for self-assessment will be prescribed by the government’s cybersecurity regulation that will be published later on (see the next section).
Requirements that are the same as in NIS 2
There is a lot in CCA that is the same as in NIS 2:
- Responsibilities of the senior management — see the details here: What is NIS 2 Directive? A detailed and straightforward guide
- Importance of training — learn more: How to perform training and awareness according to NIS 2
- Risk-based approach to cybersecurity — learn more: The 8 most important cybersecurity and reporting requirements in NIS2
- Cybersecurity as a mixture of technical, operational, and organizational measures — see also: List of required documents according to NIS 2
- Supply chain security
- Incident reporting obligations — see also: What are reporting obligations according to NIS 2?
- Using certified IT products and services
However, CCA mandates that the Croatian government will enact a regulation that will further specify cybersecurity risk management, incident reporting, and other important rules — this cybersecurity regulation will be published by November 2024 at the latest.
Croatia’s Cybersecurity Act vs. NIS 2
Overall, Croatia was really quick to publish CCA, and this law follows NIS 2 very closely. Further, CCA clarifies some vague points from NIS 2 like audit and supervision, and adds some interesting new requirements like self-assessment.
However, a lot will depend on the cybersecurity regulation that will be published by the Croatian government — I hope this one is a pleasant surprise as well.
For more information about NIS2, download this free white paper: Comprehensive guide to the NIS 2 Directive.