Croatia
(a) What is the NIS2 implementation status?
In relation to the NIS2 Directive, a bylaw, the Regulation on Cyber Security (Official Gazette 135/2024) (“Regulation”), was adopted on 22 November 2024 and entered into force on 30 November 2024.
The Regulation primarily regulates the criteria for classifying entities based on special criteria for the implementation of categorization of entities, criteria for conducting assessments for the purpose of categorizing entities of the public sector and entities from the education system, collecting data for the purpose of implementing the categorization of entities and maintaining a special register of entities, maintaining a list of key and important entities, cyber security risk management measures and the manner of their implementation, conducting cyber security self-assessments, etc.
The Regulation also contains four schedules as its integral part, i.e. (i) List of business sectors; (ii) Cyber security risk management measures; (iii) Special physical security measures for subjects from the digital infrastructure sector; and (iv) Declaration of conformity form.
(b) What is the envisaged NIS2 implementation timeline?
In Croatia, promulgation of the law is needed in order for it to enter into force. This is more of a procedural rule (the President cannot stop the enactment of the law), but it should nonetheless be taken into consideration and emphasized as one of the necessary parts of the procedure. We are aware that the official implementation deadline is 17 October 2024, but given the current situation, it is unlikely that the Republic of Croatia will fulfil its obligations within the set deadline. In light of the delay, i.e. the slowing down of the legislative procedure, it is possible that the Ministry of the defenders of the Republic of Croatia, as the competent body for preparation of the draft of the act, is considering the great number of comments and criticisms received during the public consultations, due to the fact that some of the proposals are perceived as quite controversial, such as appointing the business intelligence agency as the supervisory authority within the meaning of NIS2.
It stems from the Proposal of the Government of the Republic of Croatia for the adoption and implementation of the legal acquis of the European Union for the year 2024 that the Ministry of the defenders of the Republic of Croatia will refer the Ordinance on Cybersecurity to the procedure on 9 September 2024. We cannot anticipate whether all other bylaws will be enacted/referred to the procedure within the official implementation deadline.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The transposition of the Directive will inevitably cause changes to the entire so-called cyber security package of legislative acts (including bylaws). The Government will have to pass: the Ordinance from Article 24 of the draft of the bill, the Medium-term act of strategic planning, the National cybersecurity incidents management, and the Cybersecurity exercise plan.
The Government will have to harmonize: the Ordinance on the internal organization of the Office of the National Security Council (the head of the Office of the National Security Council will harmonize the Rulebook on the internal order of the Office of the National Security Council); the Ordinance on the internal organization of the Security and Intelligence Agency (the director of the Security and Intelligence Agency will harmonize the Rulebook on the internal order of the Security and Intelligence Agency); and the Ordinance on the internal order of the Information Systems Security Bureau (the director of the Information Systems Security Bureau will harmonize the Rulebook on the internal order of the Information Systems Security Bureau), all within the prescribed time from the entry into force of the Cybersecurity Act.
(d) Who will be the supervisory authority and how are they preparing the market?
The text of the bill determines that the supervisory authority for the Republic of Croatia should be the Security and Intelligence Agency (Cro.: “Sigurnosno obavještajna agencija – SOA”) and that the National Cyber Security Center should be established within the Agency. This has been widely criticised during the public consultation procedure, as it raises questions of independence, conflict of interest, etc.
(e) What should you be doing/on the lookout for?
Given the currently very early phase of the legislative procedure, which has not even started, it is difficult to provide a concrete answer to this question. However, we can agree to keep you updated once the bill enters into the legislative procedure. Currently everyone is eagerly anticipating the publication of the Cybersecurity Act. Once the Cybersecurity Act is published and comes into effect, we will notify you when associated bylaws are enacted, i.e. when they are supposed to be enacted.
Contact
Anamarija Livaja E: anamarija.livaja@savoric.com
Natalija Babic E: natalija.babic@savoric.com