    NIS2 in Croatia

    A guide to NIS2 implementation and compliance in Croatia.

    Croatia is aligning its national cybersecurity framework with the strengthened EU regime under the NIS2 Directive. The updated legislation expands scope, governance duties, reporting timelines, and enforcement exposure for covered entities. This guide provides a structured overview of NIS2 compliance obligations in Croatia for SMEs operating in regulated sectors.

    1. Quick SME Applicability Snapshot in Croatia

    Does NIS2 apply to SMEs in Croatia?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in Croatia and, in certain cases, foreign digital providers offering services in Croatia.

    SMEs should assess whether they fall within Croatia's national cybersecurity regime based on sector and size thresholds.

    2. Overview of NIS2 Implementation in Croatia

    Croatia transposed NIS2 through the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, NN 14/2024), adopted on 26 January 2024 and in force since 15 February 2024 — making Croatia one of the earliest EU Member States to complete transposition. The law repeals the 2018 NIS1 legislation and expands the number of regulated entities from approximately 1,000 to an estimated 8,000–10,000.

    A comprehensive Cybersecurity Regulation (Uredba o kibernetičkoj sigurnosti, NN 135/2024) was adopted on 22 November 2024 and entered into force on 30 November 2024, specifying technical requirements, categorization procedures, and compliance timelines in detail.

    Croatia's implementation goes beyond the Directive baseline in several respects: the Education sector has been added to the scope, important entities must conduct self-assessments at least every two years, and the Regulation prescribes specific technical standards (including minimum password lengths and MFA requirements) that exceed the EU Implementing Regulation 2024/2690. Alignment with ISO/IEC 27001 and NIST standards is referenced in the Regulation's control catalogue.

    3. Scope of Application in Croatia

    Croatia's scope reflects Directive minimum categories without confirmed structural expansion.

    4. Size Thresholds and SME Applicability in Croatia

    The baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria within covered sectors are automatically in scope.

    Small and micro enterprises may be designated if considered critical to public security, economic stability, or societal functioning.

    Croatian authorities retain formal designation powers where risk exposure justifies inclusion.

    5. Entity Classification Framework in Croatia

    Entities are classified as:

    • Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
    • Important Entities — Subject primarily to reactive supervision. Notably, Croatia requires important entities to conduct a self-assessment and submit a declaration of conformity at least every two years — a national requirement beyond the Directive baseline.

    Classification is determined by competent authorities based on sector and size. Entities are formally notified of their categorization — obligations are triggered from the date of notification, after which entities have 12 months to achieve full compliance. The government was required to compile the initial list of categorized entities by 15 February 2025.

    Croatia follows the Directive's two-tier supervisory model.

    6. Cybersecurity Risk Management Requirements in Croatia

    Croatia's national regime aligns with Directive baseline obligations. In-scope entities must implement proportionate technical and organizational measures covering:

    • Risk analysis and system protection
    • Incident detection and response
    • Business continuity and crisis management
    • Supply chain risk controls
    • Secure acquisition and development of ICT systems
    • Access control and authentication safeguards
    • Encryption and cryptographic protection
    • Vulnerability handling procedures
    • Staff cybersecurity training

    Measures must reflect state-of-the-art standards and the entity's risk profile. Alignment with ISO/IEC 27001 and recognized Croatian cybersecurity guidance is encouraged.

    Supply chain risk management includes vendor due diligence and contractual cybersecurity requirements.

    7. Management Liability and Governance in Croatia

    Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

    Under Croatia's framework:

    • Boards are accountable for ensuring compliance.
    • Senior management must maintain adequate cybersecurity awareness.
    • Administrative sanctions may address governance failures.
    • Temporary suspension of managerial functions may be available under Directive-aligned enforcement mechanisms.

    Croatia's NIS2 management liability standards elevate cybersecurity to an executive-level responsibility.

    8. Incident Reporting Obligations in Croatia

    Definition of a Significant Incident

    An incident qualifies as significant if it causes:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border effects

    Reporting Timeline

    Reporting Stage        Deadline   Authority
    Early Warning          24 hours   National CSIRT / CERT.hr (via PiXi platform)
    Incident Notification  72 hours   National CSIRT / CERT.hr (via PiXi platform)
    Final Report           1 month    National CSIRT / CERT.hr (via PiXi platform)

    Croatia follows the Directive structure for NIS2 reporting deadlines. Incident reports are submitted through the PiXi platform operated by CARNET/CERT.hr. The Security and Intelligence Agency (SOA) through its National Cybersecurity Center (NCSC-HR) coordinates overall NIS2 supervision and incident response. Sectoral regulators (including Croatian National Bank (HNB) for banking, HANFA for financial services, and HACZ for civil aviation) retain autonomous or semi-autonomous supervisory roles in their sectors.

    9. Supervisory Authorities and Enforcement Model in Croatia

    Primary supervisory authority: Security and Intelligence Agency (SOA), acting through the National Cybersecurity Center (NCSC-HR). CERT.hr (CARNET) operates centralized incident reporting via the PiXi platform.

    Croatia operates a mixed supervisory model: SOA/NCSC-HR leads for most sectors, while autonomous sector authorities (Croatian National Bank (HNB) for banking, Financial Services Supervisory Agency (HANFA) for financial services, Croatian Civil Aviation Agency (HACZ) for civil aviation) retain independent supervisory roles. The Information Systems Security Bureau (ZSIS) supports cybersecurity certification processes.

    Supervisory powers include:

    • Information requests
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity cooperation frameworks

    The enforcement structure aligns with Directive-level coordination requirements.

    10. NIS2 Fines and Sanctions in Croatia

    Croatia applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    NIS2 enforcement in Croatia may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of certifications or authorizations
    • Managerial suspension powers

    Criminal liability applies only where explicitly provided under Croatian legislation.

    11. NIS2 Supply Chain and Vendor Security in Croatia

    Entities must manage third-party cybersecurity exposure through:

    • Vendor risk assessments
    • Contractual security flow-down provisions
    • Continuous ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation controls

    Croatia's approach aligns with Directive baseline supply chain expectations without confirmed national expansion.

    12. Registration and Self-Identification Duties in Croatia

    Entities within scope must:

    • Await formal notification from competent authorities of categorization as essential or important. Competent authorities were required to complete initial categorization by approximately February–April 2025.
    • Provide corporate identification details
    • Disclose sector classification
    • Maintain updated incident reporting contacts

    Croatia uses an authority-led notification model. Entities do not self-register; they are formally notified by competent authorities of their categorization. The initial categorization was due by approximately February–April 2025. Once notified, entities have 12 months to achieve full compliance.

    Proactive preparation is strongly recommended even before formal notification. Entities meeting statutory criteria should begin compliance efforts immediately to avoid delays once the 12-month compliance window begins.

    13. Interaction With GDPR and Other Laws in Croatia

    The General Data Protection Regulation continues to apply concurrently.

    Overlap considerations include:

    • 72-hour personal data breach notification obligations
    • Supervisory authority coordination
    • Parallel cybersecurity and data protection investigations
    • Sector-specific Croatian cybersecurity rules

    A single incident may trigger dual reporting under both regimes.

    14. Cross-Border Applicability

    Entities with their main establishment in Croatia are supervised by Croatian authorities for cross-border services.

    Foreign digital providers offering services in Croatia may be subject to Croatian oversight depending on establishment structure.

    Representation requirements follow Directive standards for non-EU providers serving Croatian markets.

    15. Implementation Timeline in Croatia

    • Directive adopted: 14 December 2022
    • Cybersecurity Act (NN 14/2024): Adopted 26 January 2024; in force 15 February 2024. Cybersecurity Regulation (NN 135/2024): Adopted 22 November 2024; in force 30 November 2024
    • Commission notification: Croatia notified the Commission of transposition; no reasoned opinion issued
    • Compliance: Initial categorization by 15 February 2025; entities have 12 months from notification date to achieve full compliance; important entities must conduct self-assessments every two years

    Croatia is one of the earliest EU Member States to complete NIS2 transposition, with the primary law in force since February 2024 and a detailed implementing Regulation since November 2024. Active supervision and enforcement are underway.

    16. Key Takeaways for SMEs in Croatia

    • Medium-sized entities in covered sectors are automatically within scope.
    • Small entities may be designated if critical to public or economic stability.
    • Board-level oversight is mandatory. Important entities must also conduct a self-assessment and submit a declaration of conformity at least every two years under Croatia's Cybersecurity Regulation — a requirement beyond the Directive baseline.
    • Incident reporting follows 24h / 72h / 1 month deadlines.
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor risk management is required. Croatia's Cybersecurity Regulation prescribes detailed technical controls (including specific password length minimums and MFA requirements) that go beyond the EU Implementing Regulation — entities should review these carefully.
    • Early compliance preparation reduces enforcement risk.

    FAQ: NIS2 Croatia SME Guide

    Does NIS2 apply to small companies in Croatia?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically included.

    What are the NIS2 fines in Croatia?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Croatia?

    Croatia's NIS2 Cybersecurity Act entered into force on 15 February 2024, making Croatia one of the first EU Member States to complete transposition — eight months ahead of the EU deadline. The implementing Cybersecurity Regulation entered into force on 30 November 2024. Entities have 12 months from their formal notification of categorization to achieve full compliance. Active supervision is already underway.

    Who enforces NIS2 in Croatia?

    The Security and Intelligence Agency (SOA), through its National Cybersecurity Center (NCSC-HR), is the primary NIS2 supervisory authority. CERT.hr (CARNET) operates the centralized incident reporting platform (PiXi). Autonomous sector supervisors — including the Croatian National Bank (HNB), Financial Services Supervisory Agency (HANFA), and Croatian Civil Aviation Agency (HACZ) — retain independent roles in their respective sectors.

    Can directors be personally liable under NIS2 in Croatia?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in Croatia?

    NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply simultaneously following an incident.

    What qualifies as a significant incident under NIS2 in Croatia?

    An incident causing severe disruption, financial loss, societal impact, or cross-border consequences generally meets the reporting threshold.