Croatia

(a) What is the NIS2 implementation status?

The Cybersecurity Act has been published in the Official Gazette of the Republic of Croatia and entered into force on 15 February 2024.

(b) What is the envisaged NIS2 implementation timeline?

In Croatia promulgation of the law is needed in order for it to enter into force, this is more of a procedural rule (the President cannot stop the enacting of the law) but nonetheless it should be taken into consideration and emphasized as one of the necessary parts of the procedure. We are aware that the official implementation deadline is 17 October 2024 but given the current situation, it is unlikely that the Republic of Croatia will fulfil its obligations within the set deadline. In light of the delay, i.e. slowing down in the legislative procedure it is possible that the Ministry of the defenders of the Republic of Croatia as the competent body for preparation of the draft of the act is considering great number of the received comments and critics during the public consultations, due to the fact that some of the proposals are perceived as quite controversial, such as appointing the business intelligence agency as the supervisory authority within the meaning of NIS2.

It stems form the Proposal of the Government of the Republic of Croatia for the adoption and implementation of the legal acquis of the European Union for the year 2024 that the Ministry of the defenders of the Republic of Croatia will refer the Ordinance on Cybersecurity to the procedure at 9 September 2024. We cannot anticipate whether all other bylaws will be enacted/referred to the procedure within the official implementation deadline. We are aware that the official implementation deadline is 17 October 2024, but given the current situation, it is unlikely that the Republic of Croatia will fulfil its obligations within the set deadline.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The transposition of the Directive will inevitably cause changes to the entire so-called cyber security package of legislative acts (including bylaws). The Government will have to pass: the Ordinance from Article 24 of the draft of the bill, Medium-term act of strategic planning, National cybersecurity incidents management, Cybersecurity exercise plan.

The Government will have to harmonize: the Ordinance on the internal organization of the Office of the National Security Council (the head of the Office of the National Security Council will harmonize the Rulebook on the internal order of the Office of the National Security Council), the Ordinance on the internal organization of the Security and Intelligence Agency (the director of the Security and Intelligence Agency will harmonize the Rulebook on the internal order of the Security and Intelligence Agency); the Ordinance on the internal order of the Information Systems Security Bureau (the director of the Information Systems Security Bureau will harmonize the Rulebook on the internal order of the Information Systems Security Bureau), all in the prescribed time from entering into force of the Cybersecurity Act.

(d) Who will be the supervisory authority and how are they preparing the market?

The text of the bill determines that the supervisory authority for the Republic of Croatia should be the Security and Intelligence Agency (Cro.: “Sigurnosno obavještajna agencija – SOA”) and within the Agency The National Cyber Security Center should be established, which has been widely criticised during the public consultation procedure, as it rises questions of independence, conflict of interest, etc.

(e) What should you be doing/on the lookout for?

Given the currently very early phase of the legislative procedure that has not even started, it is difficult to provide concrete answer to this question. However, we can agree to keep you updated once the bill enters into the legislative procedure. Currently everyone is eagerly anticipating the publication of the Cybersecurity Act. Once the Cybersecurity Act is published and comes into effect, we will notify you when associated bylaws are enacted i.e. when they are supposed to be enacted.