Cybersecurity regulation in Croatia (2026)

Croatia's government formally adopted the National Cyber Crisis Management Programme, establishing coordinated procedures and roles for managing large-scale cybersecurity crises across public administration and critical infrastructure. This completes the secondary legislative package under the 2024 Cybersecurity Act.

Deadline passed for entities to register in Croatia's national cybersecurity information portal (JISKB), completing the initial identification of essential and important operators under the NIS2-transposing Cybersecurity Act. Supervisory audits of essential entities are scheduled to commence in H2 2025.

Adopted by the Croatian government on 21 November 2024, this implementing regulation specifies risk-management measures, entity-categorisation criteria, self-assessment procedures for important entities, and mandatory significant-incident reporting timelines, completing the NIS2 secondary legislation.

The LockBit group attacked the University Hospital Centre Zagreb, forcing diversion of emergency patients to other hospitals and a full revert to paper-based operations for ~24 hours; radiological systems were especially disrupted. Patient records, organ-donor data, and staff information were reportedly exfiltrated and later published on LockBit's leak site.

Croatia's Zakon o kibernetičkoj sigurnosti, passed by Parliament on 26 January 2024, entered into force, repealing the 2018 NIS1 act. It expanded regulated entities from ~1,000 to an estimated 8,000–10,000, established NCSC-HR within the Security and Intelligence Agency (SOA) as the central cybersecurity authority, and introduced a nationally added Education sector beyond NIS2's original scope.

Croatia's Financial Services Supervisory Agency (HANFA) suffered a ransomware attack that downed its website and internal email for two days. The breach potentially exposed personal identification numbers, addresses, and insurance/financial contract data; HANFA filed a criminal complaint, notified the data protection authority, and subsequently overhauled its authentication systems.

Led by the Information Systems Security Bureau (ZSIS), a revised Action Plan containing 77 specific implementation measures was published to operationalise Croatia's National Cybersecurity Strategy, covering cybercrime, international cooperation, incident reporting, R&D, and baseline security requirements.

Croatia transposed EU Directive 2016/1148 (NIS1) by enacting the Act on Cybersecurity of Operators of Essential Services and Digital Service Providers (NN 64/2018), supplemented by the Regulation (NN 68/2018). This was the first Croatian law extending mandatory cybersecurity obligations beyond government bodies to private critical-sector operators.

The Croatian government adopted the National Cyber Security Strategy (Official Gazette 108/2015), establishing the country's first strategic cybersecurity framework with goals aligned to ENISA's classification, including cybercrime prevention, international cooperation, incident response capability, and baseline security requirements.

Croatia established its National Computer Emergency Response Team (CERT.hr) as a department of the Croatian Academic and Research Network (CARNET) pursuant to the 2007 Information Security Act, providing the country's first centralised capability for detecting, analysing, and coordinating responses to cybersecurity incidents.

Croatia ratified the Council of Europe's Budapest Convention on Cybercrime, the first binding international treaty harmonising national cybercrime laws and cross-border investigative cooperation. This aligned Croatian criminal law with international standards on computer offences, illegal interception, and electronic evidence.