Croatia

(a) What is the NIS2 implementation status?

In relation to the NIS2 Directive, the following bylaw, the Regulation on Cyber Security (Official Gazette 135/2024) (“Regulation”) was adopted on 22 November 2024 and entered into force on 30 November 2024.

(b) What is the envisaged NIS2 implementation timeline?

As per 30 November 2024, the NIS2 Directive has been implemented through the enforcement of the Regulation on Cyber Security (Official Gazette 135/2024).

(c) What does the NIS2 mean for other national cybersecurity legislation?

The transposition of the Directive will inevitably cause changes to the entire so-called cyber security package of legislative acts (including bylaws). The Government will have to pass: the Ordinance from Article 24 of the draft of the bill, Medium-term act of strategic planning, National cybersecurity incidents management, Cybersecurity exercise plan.

The Government will have to harmonize: the Ordinance on the internal organization of the Office of the National Security Council (the head of the Office of the National Security Council will harmonize the Rulebook on the internal order of the Office of the National Security Council), the Ordinance on the internal organization of the Security and Intelligence Agency (the director of the Security and Intelligence Agency will harmonize the Rulebook on the internal order of the Security and Intelligence Agency); the Ordinance on the internal order of the Information Systems Security Bureau (the director of the Information Systems Security Bureau will harmonize the Rulebook on the internal order of the Information Systems Security Bureau), all in the prescribed time from entering into force of the Cybersecurity Act.

(d) Who will be the supervisory authority and how are they preparing the market?

The supervisory authority of Croatia is the Security and Intelligence Agency (Cro.: “Sigurnosno obavještajna agencija – SOA”). Within this body, the National Cyber Security Center will be established, which has been widely criticised during the public consultation procedure as it raises questions of independence, conflict of interest, etc.

(e) What should you be doing/on the lookout for?

The Regulation deviates from the NIS2 Directive in its registration requirements for entities within its scope. According to its provisions, competent authorities will notify entities of their categorization as essential or important by February 2025 at the latest. The Regulation primarily regulates the criteria for classifying entities based on special criteria for the implementation of categorization of entities, criteria for conducting assessments for the purpose of categorizing entities of the public sector and entities from the education system, collecting data for the purpose of implementing the categorization of entities and maintaining a special register of entities, maintaining a list of key and important entities, maintaining a special register of entities, cyber security risk management measures and the manner of their implementation, conducting cyber security self-assessments, etc.

Additionally, the competent authorities have the right to request information from entities for categorization purposes, and entities must provide the requested information within 15 days of receiving the request.

While the Regulation closely follows the requirements of the NIS2 Directive, several bylaws are still being developed to specify further details, with some currently in the public consultation phase.

A notable deviation from the NIS2 Directive in the Regulation, is the introduction of a self-assessment requirement for important entities, which must be conducted at least once every two years.