Croatia
(a) What is the NIS2 implementation status?
In relation to the NIS2 Directive, a bylaw, the Regulation on Cyber Security (Official Gazette 135/2024) (“Regulation”), was adopted on 22 November 2024 and entered into force on 30 November 2024.
(b) What is the envisaged NIS2 implementation timeline?
As of 30 November 2024, the NIS2 Directive has been implemented through the enforcement of the Regulation on Cyber Security (Official Gazette 135/2024).
(c) What does the NIS2 mean for other national cybersecurity legislation?
The transposition of the Directive will inevitably cause changes to the entire so-called cyber security package of legislative acts (including bylaws). The Government will have to pass: the Ordinance from Article 24 of the draft bill, the Medium-term act of strategic planning, National cybersecurity incidents management, and the Cybersecurity exercise plan.
The Government will have to harmonize: the Ordinance on the internal organization of the Office of the National Security Council (the head of the Office of the National Security Council will harmonize the Rulebook on the internal order of the Office of the National Security Council); the Ordinance on the internal organization of the Security and Intelligence Agency (the director of the Security and Intelligence Agency will harmonize the Rulebook on the internal order of the Security and Intelligence Agency); and the Ordinance on the internal order of the Information Systems Security Bureau (the director of the Information Systems Security Bureau will harmonize the Rulebook on the internal order of the Information Systems Security Bureau), all within the prescribed time from the entry into force of the Cybersecurity Act.
(d) Who will be the supervisory authority and how are they preparing the market?
The supervisory authority of Croatia is the Security and Intelligence Agency (Cro.: “Sigurnosno obavještajna agencija – SOA”). The National Cyber Security Center will be established within this body, an arrangement that was widely criticised during the public consultation procedure because it raises questions of independence, conflict of interest, etc.
(e) What should you be doing/on the lookout for?
The Regulation deviates from the NIS2 Directive in its registration requirements for entities within its scope. According to its provisions, competent authorities will notify entities of their categorization as essential or important by February 2025 at the latest. The Regulation primarily regulates: the criteria for classifying entities on the basis of special criteria for the implementation of categorization; the criteria for conducting assessments for the purpose of categorizing public sector entities and entities from the education system; the collection of data for the purpose of categorization and the maintenance of a special register of entities; the maintenance of a list of key and important entities; cyber security risk management measures and the manner of their implementation; the conduct of cyber security self-assessments; etc.
Additionally, the competent authorities have the right to request information from entities for categorization purposes, and entities must provide the requested information within 15 days of receiving the request.
While the Regulation closely follows the requirements of the NIS2 Directive, several bylaws are still being developed to specify further details, with some currently in the public consultation phase.
A notable deviation from the NIS2 Directive in the Regulation is the introduction of a self-assessment requirement for important entities, which must be conducted at least once every two years.
Contact
Anamarija Livaja E: anamarija.livaja@savoric.com
Natalija Babic E: natalija.babic@savoric.com
© Eversheds Sutherland. All rights reserved.