NIS2 Country Guide

NIS2 Croatia: Cybersecurity Act, Regulation & Compliance Duties

How Croatia has transposed the NIS2 Directive through its Cybersecurity Act and the detailed Cybersecurity Regulation that implements it: which entities are in scope, how designation and supervision work, and what steps an organisation should take to comply.

Cybersecurity Act in force: 15 Feb 2024
Cybersecurity Regulation in force: 30 Nov 2024

Introduction: NIS2 Directive & the Croatian context

Croatia is one of the earlier EU Member States to have fully transposed NIS2. The national framework is built around the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti) and a detailed implementing Cybersecurity Regulation, which together set out the obligations of essential and important entities.

The regime significantly expands the number of organisations in scope: thousands of entities across the NIS2 Annex I and Annex II sectors, with national sub-classifications defined in the Cybersecurity Regulation. It also establishes a central government authority for cybersecurity and defines structured processes for incident reporting, audits and cyber crisis management.

Quick link: New to NIS2? Start with our general guides “What is NIS2?” and “NIS vs NIS2”.

NIS2 implementation in Croatia

The Croatian Cybersecurity Act entered into force on 15 February 2024 (Official Gazette No. 14/24), formally transposing the NIS2 Directive into national law and replacing the earlier framework based on the NIS1 Directive.

To complement the Act, Croatia adopted the Cybersecurity Regulation (Uredba o kibernetičkoj sigurnosti, Official Gazette No. 135/24), in force since 30 November 2024. The Regulation specifies the concrete security measures, audit and self-assessment requirements that essential and important entities must meet.

Status

NIS2 is fully implemented through the Cybersecurity Act and Cybersecurity Regulation; both are in force and binding for in-scope entities.

Scope expansion

The new regime brings an estimated several thousand organisations into scope, covering 19 sectors and 15 subsectors, far beyond the limited list of operators of essential services and digital service providers under the NIS1-based law.

National framework

The Act establishes a central government authority for cybersecurity, defines competent authorities for each sector, and creates a national framework for cyber crisis management and coordinated incident response.

NIS2 Croatia: what you need to know about compliance

Croatia follows the NIS2 distinction between essential and important entities, but the Regulation goes further than the Directive in specifying concrete security controls, audit cycles and self-assessment duties.

Who is in scope?

  • Entities operating in NIS2 Annex I (high-criticality) sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space.
  • Entities operating in NIS2 Annex II (other critical) sectors: postal and courier services, waste management, chemicals, food, manufacturing of critical products, digital providers and research.
  • Entities in those sectors that meet the NIS2 size threshold, i.e. at least medium-sized enterprises (50 or more employees, or annual turnover or balance sheet above EUR 10 million). Large enterprises in Annex I sectors are generally essential entities; the others are important entities.
  • Entities covered regardless of size, as in Article 2(2) of NIS2: providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, central government public administration bodies, and entities whose disruption would have a significant impact or that are the sole provider of a critical service.

Core obligations

  • Implement an all-hazards risk-management approach: policies on risk analysis and information system security, access control, cryptography, asset management, business continuity and backup, and basic cyber hygiene.
  • Introduce incident prevention, detection, response and recovery processes, including logging and monitoring of relevant systems.
  • Report significant incidents to the competent authority / CSIRT within the NIS2 timelines: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the notification.
  • Manage supply-chain risk and integrate security, audit and incident-notification requirements into contracts with key suppliers and service providers.
  • Ensure management-level oversight: management bodies must approve the risk-management measures, supervise their implementation and undergo regular cybersecurity training, and can be held liable for infringements.
  • Participate in the audits, self-assessments and other supervisory activities defined in the Act and Regulation, and keep the evidence these require.

Standards & frameworks

No single certification is mandated, but the Croatian Regulation describes detailed technical and organisational measures. Aligning with ISO/IEC 27001 or a comparable ISMS framework is a practical way to implement the required controls and to produce the evidence supervisors expect; mapping each Regulation requirement to a control and its evidence is the usual starting point.

Designation model: Under the Act, competent authorities identify in-scope organisations and notify them of their status as essential or important entities. After notification, entities have a defined period in which to provide the requested information and to bring their security measures into compliance.

Competent authorities & CSIRT

The Croatian model distinguishes between the central government authority for cybersecurity, the national CSIRT function, the Single Point of Contact, and several sectoral supervisory authorities.

Role: Central government authority for cybersecurity and main CSIRT
Authority: National Cyber Security Centre (NCSC-HR), established within the Security and Intelligence Agency (SOA)
Notes: Performs the central government cybersecurity tasks, acts as competent authority for most NIS2 sectors, and operates as national CSIRT for the majority of entities.

Role: Single Point of Contact (SPOC)
Authority: Office of the National Security Council
Notes: Acts as Croatia's Single Point of Contact towards the European Commission, ENISA and other Member States for NIS2 coordination.

Role: Sectoral competent authorities
Authority: Various regulators and ministries
Notes: Including the national regulatory authority for network industries (HAKOM), the Ministry of Justice and Public Administration, and other sector ministries and regulators designated under the Cybersecurity Act.

NIS2 timeline & key dates (Croatia)

15 Feb 2024 — Cybersecurity Act enters into force, transposing NIS2 into Croatian law.
30 Nov 2024 — Cybersecurity Regulation takes effect, specifying detailed security measures.
Early 2025 — Competent authorities begin notifying entities of their categorisation as essential or important and requesting the information needed to maintain the national register.
2025 onward — Registration, supervision, audits and the national cyber crisis management framework become fully operational.

Sector-specific notes for Croatia

  • Energy: electricity, gas, oil, district heating and hydrogen operators are treated as essential entities with stringent obligations and close supervision.
  • Transport: air, rail, road and maritime operators, including key logistics and port infrastructure, must comply with the NIS2-aligned requirements.
  • Healthcare: hospitals, clinics, laboratories and core e-health services are subject to strengthened cybersecurity and incident-reporting duties.
  • Water: drinking water and wastewater service providers are covered as essential or important entities under the Croatian framework.
  • Finance and public administration: banks, financial market infrastructures and public bodies fall in scope, with financial entities also subject to DORA, which takes precedence where it imposes at least equivalent requirements.
  • Digital infrastructure and ICT providers: data centres, cloud providers, hosting, electronic communications networks and managed (security) service providers play a central role and are closely supervised.

Penalties for non-compliance

The Croatian Cybersecurity Act and Regulation adopt the NIS2 penalty model, with significant sanctions for organisations that fail to meet their obligations:

  • Administrative fines aligned with the NIS2 ceilings: for essential entities up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities up to EUR 7 million or 1.4% of turnover.
  • Corrective orders, binding instructions, enhanced supervision and mandatory remediation where deficiencies are found.
  • In serious or repeated cases, temporary suspension of a certification or authorisation for the regulated service.
  • Personal liability for members of management bodies, including a possible temporary ban from exercising managerial functions, in cases of persistent neglect of cybersecurity duties.

How to prepare for NIS2 in Croatia

  1. Confirm whether you are in scope: map your services and size against the NIS2 sectors and thresholds, and assume you may be covered if you operate critical services or digital infrastructure.
  2. Gather information for designation: prepare the legal, organisational and technical details (contact points, services provided, systems and dependencies) that competent authorities request when categorising entities.
  3. Perform a NIS2 gap assessment: compare your current security posture against the obligations in the Cybersecurity Act and Regulation, requirement by requirement.
  4. Formalise your ISMS: build or strengthen an information security management system aligned with a recognised standard such as ISO/IEC 27001.
  5. Enhance incident readiness: implement monitoring and logging, an incident response plan with severity criteria, and escalation paths to NCSC-HR and the relevant sectoral authority that can meet the 24-hour early-warning deadline.
  6. Review third-party risk: update contracts with critical suppliers to include cybersecurity, audit and incident-notification clauses, and assess the supplier's own security practices.
  7. Train leadership and staff: ensure awareness of NIS2 responsibilities, especially for the management body and key technical teams.
  8. Document everything: maintain evidence of risk assessments, implemented measures, testing, training and incident handling for audits and self-assessments.

FAQ: NIS2 in Croatia

Has Croatia fully implemented NIS2?
Yes. NIS2 has been transposed via the Cybersecurity Act (in force since 15 February 2024) and the Cybersecurity Regulation (in force since 30 November 2024).
Who enforces NIS2 in Croatia?
The National Cyber Security Centre (NCSC-HR) is the central government authority and main CSIRT, working together with sectoral competent authorities and the Office of the National Security Council as Single Point of Contact.
Will we be contacted, or do we register ourselves?
Under the Croatian model, competent authorities identify in-scope organisations and notify them of their status as essential or important entities, and may request additional information. Once notified, entities must provide the requested data and reach compliance within the prescribed deadlines. Do not wait for the notification to begin preparing.
Do we need a specific certification?
Certification (e.g. ISO/IEC 27001) is not mandated, but it helps to structure your security measures and to demonstrate compliance with the detailed requirements of the Regulation during audits and self-assessments.
What happens if we do nothing?
Non-compliance can lead to substantial fines, corrective orders, increased supervision, management liability and reputational damage. For many entities, waiting until after designation will not leave enough time to reach full compliance, so early preparation is strongly recommended.
Information provided for general guidance; always consult the official Croatian Cybersecurity Act, Cybersecurity Regulation and NCSC-HR guidance, as well as legal counsel, for definitive NIS2 compliance requirements.