NIS2 Croatia Compliance Guide: Cybersecurity Act (Zakon o kibernetičkoj sigurnosti) and AZOP Requirements for 2026

Complete guide to NIS2 compliance in Croatia — covering the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti), UVNS/NCSC-HR enforcement, CERT.hr incident reporting, entity classification, sector requirements, penalties, implementation timeline, and cyber insurance implications for Croatian entities.

Croatia was one of the first EU Member States to transpose the NIS2 Directive into national law, passing the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, Official Gazette NN 14/2024) on 26 January 2024 — well ahead of the 17 October 2024 EU deadline. Croatia’s transposition goes well beyond the Directive’s minimum standards, adding sectors (education, local government), prescriptive technical requirements (password lengths, phishing simulations, red teaming), a three-tier risk classification system, and a mandatory self-assessment regime for important entities.

This guide covers Croatia’s NIS2 transposition, the roles of UVNS (Office of the National Security Council) as SPOC and NCSC-HR as the central cybersecurity authority, CERT.hr incident reporting, entity classification, sector-specific requirements, penalties, implementation milestones, and practical steps for compliance.

Croatia’s NIS2 Transposition: Where Things Stand

Croatia implemented NIS2 through a comprehensive new Cybersecurity Act that replaced the 2018 Act on Cybersecurity of Operators of Essential Services and Digital Service Providers (NN 64/18):

  • Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, NN 14/2024): Passed by Parliament on 26 January 2024, promulgated 1 February 2024, entering into force on 15 February 2024. Contains 10 parts, 116 articles, and 4 annexes. Expands scope to all NIS2 sectors plus Croatian additions (education, local government), establishes entity categorization procedures, introduces personal liability for management, and sets enforcement framework
  • Cybersecurity Regulation (Uredba o kibernetičkoj sigurnosti, NN 135/2024): Adopted 21 November 2024, entering into force on 30 November 2024 (some articles deferred to 1 January 2026). Contains 8 parts and 4 annexes with detailed technical requirements, including a three-tier risk classification system (Low/Medium/High) and prescriptive security measures
  • National Cyber Crisis Management Programme: Adopted 9 May 2025

Key Dates and Timeline

| Milestone | Status |
| --- | --- |
| NIS2 Directive adopted | January 2023 |
| Draft law published for public comment | September 2023 |
| Final draft submitted to Parliament | 13 December 2023 |
| Parliament passed Cybersecurity Act | 26 January 2024 |
| Promulgated by President | 1 February 2024 |
| Law enters into force | 15 February 2024 |
| JISKB reporting portal live | May 2024 |
| Cybersecurity Regulation (NN 135/24) adopted | 21 November 2024 |
| Regulation enters into force | 30 November 2024 |
| Entity categorization deadline | 4 April 2025 (702 entities categorized) |
| Competent authorities deliver categorization notices | 5 May 2025 |
| National Cyber Crisis Management Programme adopted | 9 May 2025 |
| Initial cybersecurity measures implementation deadline | 4 April 2026 |
| First self-assessment/audit deadline | 4 April 2028 |

Important: Croatia was on time with NIS2 transposition. It is NOT among the 19 Member States that received reasoned opinions from the European Commission on 7 May 2025 for failing to notify full transposition. The EC lists Croatia’s status as “Transposed.”

As of April 2025, 702 entities have been categorized — approximately 140 as essential entities and 562 as important entities.

Comparison with Other EU Countries

Croatia’s approach is comparable to other EU states in our country guide series:

Key Regulatory Bodies

UVNS — Office of the National Security Council (Ured Vijeća za nacionalnu sigurnost)

UVNS serves as Croatia’s Single Point of Contact (SPOC) under NIS2:

  • National SPOC for EU-level NIS2 coordination
  • Policy coordination across competent authorities
  • EU CSIRTs Network participation — represents Croatia in cross-border coordination
  • National Cyber Crisis Management — coordinates the national cyber crisis framework

Contact: spoc@uvns.hr | +385 1 4681 222 | Jurjevska 34, Zagreb

NCSC-HR — National Cyber Security Centre

NCSC-HR operates within SOA (Security and Intelligence Agency / Sigurnosno-obavještajna agencija) as the central government authority for cybersecurity:

  • Central coordination of the national cybersecurity framework
  • National threat detection system (SK@UT): Distributed sensor network across 80+ government bodies forming a National SOC network
  • Threat intelligence sharing with EU counterparts
  • Security advisories and vulnerability alerts
  • Coordinates but does NOT directly operate CSIRT services

CERT.hr — National CSIRT

Croatia operates a dual CSIRT structure:

CERT.hr (operated by CARNET — Croatian Academic and Research Network):

  • Handles incident reporting for banking, financial market infrastructures, digital infrastructure, DSPs, research, education, and the private sector
  • Manages the PiXi/JISKB national reporting platform
  • Issues vulnerability alerts and security advisories

Contact: incident@cert.hr | cert@cert.hr | +385 1 6661 650 | https://www.cert.hr | Josipa Marohnića 5, 10000 Zagreb

ZSIS (Information Systems Security Bureau / Zavod za sigurnost informacijskih sustava):

  • Handles incident reporting for energy, transport, health, drinking water, and government services
  • Provides cybersecurity audit certification

Sectoral Competent Authorities

Croatia uses a multi-authority model with sectoral regulators:

| Authority | Sector |
| --- | --- |
| HAKOM | Electronic Communications |
| HNB (Croatian National Bank) | Banking |
| Hanfa | Financial Services |
| HERA | Energy |
| MMPI (Ministry of the Sea, Transport & Infrastructure) | Transport |
| Ministry of Health | Health |
| Ministry of Economy | Energy, Water |
| AZOP (Personal Data Protection Agency) | Data protection coordination |

Which Entities Are Affected?

Essential Entities

Under NIS2, Croatia designates essential entities in these sectors:

Sectors covered:

  • Energy (electricity, hydrogen, district heating, petroleum, natural gas, LNG)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Health (hospitals, laboratories, medical device manufacturers)
  • Drinking water supply and distribution
  • Wastewater management
  • Digital infrastructure (DNS, TLD registries, cloud, data centers, CDNs)
  • ICT service management (managed security, managed IT, B2B)
  • Space
  • Public administration

Entities covered regardless of size:

  • Qualified trust service providers
  • ccTLD registries
  • DNS service providers
  • Electronic invoice information intermediaries
  • Critical entities under critical infrastructure legislation
  • Public electronic communications providers (medium-sized or larger)

Important Entities

Croatia identifies important entities from additional sectors:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing and distribution
  • Manufacturing of critical products
  • Digital providers (online marketplaces, search engines, social networks)
  • Scientific research organisations
  • Education system (Croatia-specific — both public and private)
  • Local public administration (Croatia-specific — municipalities and local government)

Size Thresholds

| Criterion | Essential Entities | Important Entities |
| --- | --- | --- |
| Employees | ≥250 | ≥50 |
| Annual turnover | ≥€50 million | ≥€10 million |

Special Classification Criteria

Entities may be classified regardless of size if:

  • Sole provider of service in at least one county area
  • Disruption impacts public safety, security, or health
  • Market share ≥25% in Croatia (for energy, transport, digital infrastructure)
  • Regional/local entities with ≥40% market share in one county
  • Designated by Government as entity of special national interest

Municipalities with 50,000+ residents are in scope as important entities.

Entity Designation Process

Croatia does not allow entities to self-identify their status. Entities are designated through an administrative process:

  1. Sectoral competent authorities proactively identify and categorize entities
  2. Competent authorities deliver formal categorization notices to designated entities (completed by 5 May 2025)
  3. Entities must establish incident reporting via the national platform within 30 days of notice
  4. 702 entities have been categorized as of April 2025 (~140 essential, ~562 important)

Croatia-Specific Requirements (Beyond NIS2 Minimums)

Croatia goes significantly beyond NIS2 minimum standards in several areas:

Additional Sectors

  • Education system — both public and private educational institutions classified as important entities
  • Local public administration — municipalities and local government bodies
  • Electronic invoice information intermediaries — covered regardless of size
  • Note: Domain name registration service providers (listed in NIS2 Annex I) are NOT included in Croatia’s transposition

Prescriptive Technical Requirements (Regulation NN 135/24)

| Requirement | Croatian Specification |
| --- | --- |
| Password length | Standard users: 14 chars; Privileged: 16 chars; Service accounts: 24 chars (shorter only with MFA) |
| Phishing simulations | Mandatory |
| Log retention | Minimum 90 days |
| Endpoint security | Advanced tools required |
| Background checks | Periodic criminal record re-checks required |
| Penetration testing | Advanced pen testing, red teaming, purple teaming |
| Business continuity | Explicit RTO/RPO/SDO specifications; multi-site data center strategies |
| Physical security | Detailed data center rules for digital infrastructure (Annex III of Regulation) |

Three-Tier Risk Classification System

Croatia uniquely introduces a three-tier risk rating based on national cybersecurity risk assessment by the competent authority:

  • Low → Basic measures
  • Medium → Intermediate measures
  • High → Advanced measures

Each measure is classified as Mandatory (“A”), Conditional (“B”), or Voluntary (“C”).

Mandatory Self-Assessment for Important Entities

  • Essential entities: Must undergo cybersecurity audit by licensed auditor at least every 2 years
  • Important entities: Must complete self-assessment at least every 2 years (not required by NIS2)
  • Expert supervision: Every 3–5 years for essential entities; risk-based for important entities

National Threat Detection System (SK@UT)

Croatia has deployed a distributed sensor network across 80+ government bodies forming a National SOC network, available to essential and important entities for threat detection and intelligence sharing.

Penalties and Enforcement

Entity-Level Fines

Croatia’s penalties are aligned with NIS2 maximum thresholds, with explicit minimums:

| Violation Type | Entity Category | Minimum Fine | Maximum Fine |
| --- | --- | --- | --- |
| Risk management or reporting breach | Essential | €10,000 | Higher of €10,000,000 or 2% of total worldwide annual turnover |
| Risk management or reporting breach | Important | €5,000 | Higher of €7,000,000 or 1.4% of total worldwide annual turnover |
| Non-compliance with corrective measures | Both | Corrective orders | |

Public sector entities are subject to corrective orders but not financial penalties.

Personal Liability for Management

NIS2 requires Croatia to hold management bodies personally liable for cybersecurity failures:

| Violation | Fine Range / Sanction |
| --- | --- |
| Management member of essential entity failing obligations | €1,000 – €6,000 |
| Management member of important entity failing obligations | €500 – €3,000 |
| Business license withdrawal | Essential entities that fail corrective actions |
| Management ban | Authority can forbid top management from performing duties |

Board-level approval of cybersecurity strategies is mandatory, and decisions must be recorded in board minutes as due diligence evidence.

Compliance Requirements

Article 21 Risk Management Measures

Croatian essential and important entities must implement measures covering 13 areas (per Annex II of Regulation NN 135/24):

  1. Commitment and responsibility of persons
  2. Software and hardware asset management
  3. Risk management
  4. Human resources and digital identity security
  5. Basic cyber hygiene practices
  6. Network cybersecurity assurance
  7. Physical and logical access control including multi-factor authentication
  8. Supply chain security (vendor risk management)
  9. Development and maintenance security
  10. Cryptography (encryption, key management)
  11. Incident handling
  12. Business continuity and cyber crisis management
  13. Physical security of premises and data centers

Incident Reporting Requirements

Croatian entities must report significant incidents through CERT.hr or ZSIS via the PiXi/JISKB national platform:

| Reporting Stage | Timeline | Content |
| --- | --- | --- |
| Early Warning | Within 24 hours of becoming aware | Event summary, impact assessment, whether suspected criminal offense, indicators of compromise |
| Incident Notification | Within 72 hours of early warning | Technical/business impact, containment status, investigation progress |
| Final Report | Within 30 days of initial notification | Detailed description, root cause, type of threat, remediation, lessons learned |

Entities must also notify service recipients where appropriate. Repeated smaller incidents with a shared root cause can collectively qualify as a significant incident.
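The three reporting clocks above are chained: the 72-hour clock runs from the early warning that was actually sent, and the 30-day clock from the incident notification, so submitting a stage early also brings the next deadline forward. The following deadline tracker is an added example (not code from the original page or from CERT.hr); the incident timestamps in it are constructed.

```python
from datetime import datetime, timedelta, timezone

# Reporting clocks from the Croatian Cybersecurity Act timeline: early warning
# 24 h after becoming aware, incident notification 72 h after the early warning,
# final report 30 days after the incident notification.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)


def reporting_deadlines(aware_at, early_warning_at=None, notification_at=None):
    """Return the latest permissible submission time for each reporting stage.

    Each later clock starts from the actual submission of the previous stage.
    When that stage has not been submitted yet, its own deadline is used as the
    latest possible start, so the result is the worst-case schedule.
    """
    ew_deadline = aware_at + EARLY_WARNING
    ew_basis = early_warning_at or ew_deadline
    notif_deadline = ew_basis + NOTIFICATION
    notif_basis = notification_at or notif_deadline
    final_deadline = notif_basis + FINAL_REPORT
    return {
        "early_warning": ew_deadline,
        "incident_notification": notif_deadline,
        "final_report": final_deadline,
    }


def overdue_stages(now, aware_at, early_warning_at=None,
                   notification_at=None, final_report_at=None):
    """List the stages whose deadline has passed without a submission."""
    deadlines = reporting_deadlines(aware_at, early_warning_at, notification_at)
    submitted = {
        "early_warning": early_warning_at,
        "incident_notification": notification_at,
        "final_report": final_report_at,
    }
    return [stage for stage, due in deadlines.items()
            if submitted[stage] is None and now > due]


if __name__ == "__main__":
    # Constructed incident: SOC becomes aware on 6 April 2026 at 09:00 UTC and
    # files the early warning six hours later, which moves the 72 h clock forward.
    aware = datetime(2026, 4, 6, 9, 0, tzinfo=timezone.utc)
    ew_sent = aware + timedelta(hours=6)
    for stage, due in reporting_deadlines(aware, ew_sent).items():
        print(f"{stage:22s} due {due.isoformat()}")
    print("overdue:", overdue_stages(datetime(2026, 4, 10, 9, 0, tzinfo=timezone.utc), aware, ew_sent))
```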

Supply Chain Security

NIS2 requires Croatian entities to assess and manage cybersecurity risks across their supply chain:

  • Supplier audit rights in contracts
  • Security requirements for critical vendors
  • Concentration risk assessment (single-vendor dependencies)
  • Supply chain incident reporting obligations

This aligns with our guide on NIS2 supply chain and third-party risk management.

Implementation Roadmap for Croatian Entities

Phase 1: Categorization and Foundation (Completed by May 2025)

  • Entity categorization completed by sectoral competent authorities (702 entities designated)
  • Formal categorization notices delivered by 5 May 2025
  • Incident reporting established via JISKB national platform

Phase 2: Initial Measures (By April 2026)

  • Implement initial cybersecurity measures per Regulation NN 135/24 (deadline: 4 April 2026)
  • Conduct gap analysis against the 13 security measure areas (see our NIS2 gap analysis guide)
  • Deploy baseline security controls (access management, encryption, logging with 90-day retention)
  • Establish password policies (14/16/24 character minimums)
  • Begin phishing simulation program
  • Map supply chain dependencies
  • Appoint cybersecurity governance responsibility

Phase 3: Full Compliance (2026–2028)

  • Implement risk-tiered measures (Low/Medium/High) per competent authority assessment
  • Complete supply chain security assessments
  • Conduct business continuity and disaster recovery testing (RTO/RPO/SDO aligned)
  • Implement vulnerability disclosure process
  • Complete background checks for security-critical personnel
  • Prepare for first self-assessment (important entities) or audit (essential entities) by 4 April 2028
  • Prepare for competent authority expert supervision (see our NIS2 audit preparation guide)
  • Sign formal Declaration of Conformity (template in Annex IV of Regulation)

Cyber Insurance Implications for Croatian Entities

Why Croatian Entities Need Cyber Insurance

NIS2 creates significant new liability exposure for Croatian organizations:

  • Fines up to €10M for essential entities — insurance can cover defense costs and regulatory investigation expenses
  • Business license withdrawal for non-compliant essential entities — D&O insurance must be reviewed for cyber exclusions
  • Management bans — personal liability for senior executives, requiring D&O coverage review
  • Business interruption from mandatory system shutdowns during incident response
  • Third-party claims from customers affected by data breaches or service disruptions
  • Mandatory security audit costs — authorities can order audits at the entity’s expense
  • Explicit minimum fines (€10,000/€5,000) — even minor breaches carry significant cost
  • 702 entities now in scope — the broad categorization creates liability for previously unregulated sectors (education, local government)

What Underwriters Should Ask About Croatian Entities

Cyber insurance underwriters assessing Croatian risks should ask:

  1. Entity classification — Is the insured designated as an essential or important entity?
  2. Categorization notice date — When was the entity formally notified? (Determines compliance deadlines)
  3. Risk tier — Has the competent authority assigned a Low/Medium/High risk classification?
  4. Initial measures deadline — Will the entity meet the 4 April 2026 implementation deadline?
  5. Incident history — Any incidents reported via JISKB platform?
  6. Management training — Has leadership completed cybersecurity governance training?
  7. Self-assessment/audit status — Has the entity completed its first self-assessment (important) or audit (essential)?
  8. Supply chain audit program — Does the entity audit critical vendors?
  9. SK@UT integration — Has the entity connected to the national threat detection system?
  10. Physical security — Does the entity meet the detailed data center requirements (Annex III)?

Coverage Considerations

For Croatian entities, ensure the policy covers:

  • Regulatory investigation costs under NIS2 enforcement actions
  • Business interruption during authority-mandated system reviews
  • Notification costs for multi-stage incident reporting (24h/72h/30-day)
  • Crisis management and reputational harm
  • Security audit costs when mandated by competent authorities
  • Supply chain losses from vendor incidents (see supply chain attack loss scenarios)
  • Management liability — D&O coverage for management ban and license withdrawal exposure
  • Minimum fine coverage — even procedural breaches can trigger significant costs
  • Background check costs for security-critical personnel

Use our cyber insurance buying guide to compare coverage options and our NIS2 compliance checker to assess your current compliance status.

Key Takeaways

  1. Croatia was an early NIS2 transposer, passing the Cybersecurity Act on 26 January 2024 — well ahead of the EU deadline
  2. UVNS (Office of the National Security Council) is the SPOC, while NCSC-HR (within SOA) serves as the central cybersecurity authority
  3. CERT.hr and ZSIS form a dual CSIRT structure, with incident reporting via the PiXi/JISKB national platform (24h/72h/30-day timelines)
  4. 702 entities have been categorized (~140 essential, ~562 important) through an authority-led process with no self-assessment
  5. Croatia goes well beyond NIS2 minimums with additional sectors (education, local government), prescriptive technical requirements (14/16/24-char passwords, mandatory phishing simulations, red/purple teaming), three-tier risk classification, and mandatory self-assessment for important entities
  6. Penalties align with NIS2 maximums — up to €10M or 2% global turnover for essential entities, plus management bans and business license withdrawal
  7. Initial cybersecurity measures must be implemented by 4 April 2026 — entities face imminent compliance deadlines
  8. Cyber insurance is essential for Croatian entities facing new NIS2 liability exposure, including minimum fines, compulsory audit costs, management liability, and license withdrawal risk

For more NIS2 compliance resources, explore our NIS2 compliance checklist, penalties guide, and technical measures requirements. Compare your country’s approach with our essential vs important entity classification guide.
