If your company needs to comply with Croatia’s Cybersecurity Act, then you also have to comply with the related Croatia’s Cybersecurity Regulation that prescribes detailed rules for managing cybersecurity. Read the article to see a breakdown of the most important requirements of this regulation.
The basics of Croatia’s NIS2 Regulation
Croatia’s Cybersecurity Regulation (CCR) was published under the name “Uredba o kibernetičkoj sigurnosti” NN 135/2024, and it became valid on November 30, 2024. The official text can be found here (in Croatian).
The purpose of CCR is to define further details on how cybersecurity needs to be implemented for essential and important entities that need to comply with Croatia’s Cybersecurity Act.
See also: What are the additional requirements of Croatia’s Cybersecurity Act when compared to NIS 2?
The scope and structure of CCR
Here is how Croatia’s NIS2 regulation is structured:
- Part 1: General Provisions
- Part 2: Categorization of Entities
- Part 3: Lists of Key and Important Entities and Special Register of Entities
- Part 4: Management of Cybersecurity Risks
- Part 5: Rules for Reporting Cyber Threats and Incidents
- Part 6: Implementation of Reporting on Incidents and Cyber Threats as a Voluntary Mechanism
- Part 7: National System for Detecting Cyber Threats and Protection
- Part 8: Transitional and Final Provisions
- Annex I: List of Sectors and Activities
- Annex II: Measures for Managing Cybersecurity Risks
- Annex III: Specific Physical Security Measures for Entities in the Digital Infrastructure Sector
- Annex IV: Declaration of Compliance with Established Measures for Managing Cybersecurity Risks
For companies that need to comply with NIS2 in Croatia, the most interesting elements are Parts 4, 5, 6, and 7, as well as Annex II — these are analyzed in the next sections.
Management of cybersecurity risks (Part 4)
Part 4 of the CCR (articles 35 to 57) outlines the framework for managing cybersecurity risks among essential and important entities in Croatia. It mandates that a government body (competent authority) determines each entity’s risk level — low, medium, or high. Based on this assessment, entities must implement corresponding cybersecurity measures categorized as basic, medium, or advanced.
In its Annex II, the regulation details specific activities for each cybersecurity measure, and for each of them specifies whether they are mandatory (marked as “A”), conditional (“B”), or voluntary (“C”), depending on the entity’s risk level. In other words, when entities perform their own risk assessment, this will be relevant only for voluntary (and perhaps conditional) cybersecurity measures, whereas mandatory measures will not depend on entity’s own risk assessment.
Regular updates and self-assessments are required to maintain compliance. Additionally, the central cybersecurity authority provides guidelines and a risk calculator to ensure alignment with European standards and best practices, enhancing overall cybersecurity resilience.
Measures for Managing Cybersecurity Risks (Annex II)
Annex II provides detailed measures for the following areas:
- Commitment and responsibility of persons responsible for implementing measures for managing cybersecurity risks
- Management of software and hardware assets
- Risk management
- Security of human resources and digital identities
- Basic cyber hygiene practices
- Network cybersecurity assurance
- Control of physical and logical access to network and information systems
- Supply chain security
- Security in the development and maintenance of network and information systems
- Cryptography
- Incident handling
- Business continuity and cyber crisis management
- Physical security
These measures are pretty extensive, almost 40,000 words in total, so their description is outside the scope of this article — to learn about them, open the full text of the regulation here.
Handling incidents (Parts 5 and 6)
Part 5 outlines the mandatory procedures for key and important entities to report significant cyber incidents and threats. It defines what constitutes a significant incident based on specific criteria, such as the impact on service availability, data integrity, and public safety.
Entities are required to notify the national CSIRT (Computer Security Incident Response Team) promptly through designated channels, providing detailed information including incident description, affected systems, and mitigation measures.
The regulation mandates various types of reports, including initial alerts, progress updates, and final reports, ensuring timely and comprehensive communication. Additionally, it establishes a national platform for collecting, analyzing, and sharing data on cyber threats and incidents to enhance overall cybersecurity resilience.
Part 6 introduces voluntary reporting mechanisms for entities that are not classified as key or important, but that still play a role in cybersecurity. It encourages these organizations to report incidents and threats to contribute to a broader understanding of the cyber landscape.
The section outlines the requirements for participation, including regular self-assessments and adherence to best practices in cybersecurity. By facilitating voluntary engagement, Part 6 aims to foster a collaborative environment where all sectors can contribute to the national cybersecurity framework, enhancing collective protection and response capabilities against cyber threats.
Comparison with CIR 2024/2690
Since the cybersecurity measures in Annex II are pretty extensive, the question arises: Were they perhaps written after the Commission Implementing Regulation (CIR) 2024/2690 (Technical and methodological requirements of cybersecurity measures and specification for significant incidents for digital critical infrastructure companies)?
The answer is that while CIR 2024/2690 and CCR overlap significantly in structure and intent, the Croatian text often imposes more detailed, prescriptive, or sector-specific obligations that go beyond what CIR explicitly requires.
For example, CCR requires passwords of at least 14 characters for standard user accounts, 16 for privileged accounts, and 24 for service accounts; it allows the possibility of shorter passwords only if multi-factor authentication (MFA) is in place. On the other hand, CIR 2024/2690 does discuss secure authentication and MFA but does not prescribe minimum password lengths or the same degree of specificity on password composition.
Here is a summary of the most important requirements that exist in CCR but not in CIR 2024/2690:
- very specific password-length and complexity rules
- mandatory phishing simulations
- a strict minimum log-retention period (90 days)
- requirements for advanced endpoint-security tools
- periodic re-checks of criminal records
- detailed physical security rules for data centers / “digital infrastructure”
- formal mention of advanced penetration testing / “red teaming” / “purple teaming”
- explicit references to RTO/RPO/SDO (business continuity) and multi-site data center strategies
- tiered (basic, intermediate, advanced) approach to compliance levels
- more granular national-level crisis management coordination
Conclusion
The fact that Croatia’s legislators went beyond what is required in (the already detailed) CIR 2024/2690 means that Croatia is very serious when it comes to cybersecurity. So if your company is in the scope of NIS2 and it operates in Croatia, you should take cybersecurity very seriously.
To find all the documents needed for complying with the Croatian Cybersecurity Act and Cybersecurity Regulation, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.