Croatia
(a) What is the NIS2 implementation status?
In relation to the NIS2 Directive, the following bylaw was adopted: the Regulation on Cyber Security (Official Gazette 135/2024) (“Regulation”), adopted on 22 November 2024 and in force since 30 November 2024.
(b) What is the envisaged NIS2 implementation timeline?
As of 30 November 2024, the NIS2 Directive has been implemented through the entry into force of the Regulation on Cyber Security (Official Gazette 135/2024).
(c) What does the NIS2 mean for other national cybersecurity legislation?
The transposition of the Directive has caused changes across the entire national cybersecurity legislative framework, including bylaws. As part of these changes, the Government of the Republic of Croatia has adopted the National Programme for the Management of Cybersecurity Incidents and Crises. The purpose of this Programme is to establish an organizational framework for the timely and coordinated implementation of operational procedures aimed at preventing and resolving cyber crises.
It introduces a new operational level of national coordination in cyber crisis management, while preserving the existing competences of the authorities involved as defined by the laws and regulations under which they were established. It also does not affect the application of procedures and mechanisms that apply in cases where a crisis has an impact on the foreign, security, or defence policy of the Republic of Croatia.
In addition to the National Programme, the Government must adopt the Ordinance referred to in Article 24 of the draft Cybersecurity Act, a Medium-term Strategic Planning Act, a Cybersecurity Incidents Management Plan, and a Cybersecurity Exercise Plan.
The Government has also aligned several key regulations with the Cybersecurity Act, including the Regulation on the Internal Organization of the Office of the National Security Council, the Regulation on the Internal Organization of the Security and Intelligence Agency, and the Regulation on the Internal Organization of the Information Systems Security Bureau. The heads of these institutions are also required to harmonize their respective internal rulebooks in accordance with these updated regulations. All obligations must be fulfilled within the time limits prescribed from the entry into force of the Cybersecurity Act.
(d) Who will be the supervisory authority and how are they preparing the market?
The supervisory authority in Croatia is the Security and Intelligence Agency (Cro.: “Sigurnosno obavještajna agencija – SOA”). The National Cyber Security Center will be established within this body, an arrangement that was widely criticised during the public consultation procedure because it raises questions of independence, conflict of interest and similar concerns.
(e) What should you be doing/on the lookout for?
The Regulation deviates from the NIS2 Directive in its registration requirements for entities within its scope. According to its provisions, competent authorities will notify entities of their categorization as essential or important by February 2025 at the latest.
The Regulation primarily regulates the criteria for classifying entities, namely the special criteria for carrying out the categorization of entities, the criteria for conducting assessments for the purpose of categorizing public sector entities and entities from the education system, the collection of data for the purpose of categorizing entities, the maintenance of a special register of entities and of a list of key and important entities, cyber security risk management measures and the manner of their implementation, the conduct of cyber security self-assessments, and related matters.
The authorities have started sending out the notifications regarding the completed categorisation to all key and important entities. Along with these, they have also provided information on the prerequisites for registration on the PiXi Platform, including details about the authentication and authorisation process via the NIAS system, which is required to access the service.
Additionally, the competent authorities have the right to request information from entities for categorization purposes, and entities must provide the requested information within 15 days of receiving the request.
While the Regulation closely follows the requirements of the NIS2 Directive, several bylaws are still being developed to specify further details, with some currently in the public consultation phase.
A notable deviation from the NIS2 Directive in the Regulation is the introduction of a self-assessment requirement for important entities, which must be conducted at least once every two years.
Contact
Anamarija Livaja E: anamarija.livaja@savoric.com
Emma Marković E: emma.markovic@savoric.com
© Eversheds Sutherland. All rights reserved.