
Cybersecurity · Croatia


Comprehensive law: Zakon o kibernetičkoj sigurnosti (Cybersecurity Act, Official Gazette No. 14/2024, in force 15 Feb 2024) + Uredba o kibernetičkoj sigurnosti (Regulation on Cybersecurity, Official Gazette No. 135/2024, in force 30 Nov 2024); national competent authority: SOA / National Cyber Security Center (NCSC-HR)

Croatia transposed the EU NIS2 Directive (2022/2555) ahead of the October 2024 EU deadline, enacting its Cybersecurity Act on 26 January 2024 (in force 15 February 2024) and its implementing Regulation on Cybersecurity in November 2024. The law extends the regulated universe from ~1,000 to an estimated 8,000–10,000 entities across 19 critical sectors, with supervisory enforcement (audits, fines) commencing in H2 2025. The Security and Intelligence Agency (SOA) hosts the National Cyber Security Center (NCSC-HR), which acts as the central competent authority and CSIRT for most sectors.

Primary legislation

The Cybersecurity Act (NN 14/2024) entered into force on 15 February 2024, repealing the earlier NIS1-based law. It is supplemented by the Regulation on Cybersecurity (NN 135/2024, in force 30 November 2024), which sets out technical security levels, audit cycles and standardised incident-report templates.

Competent authority & CSIRT

SOA (Sigurnosno-obavještajna agencija) is designated the central state body for cybersecurity. Its National Cyber Security Center (NCSC-HR) is the national CSIRT and competent authority for 15 sectors; sector-specific regulators (e.g. HAKOM for electronic communications, Croatian National Bank for banking) act as competent authorities in their own domains.

Incident reporting obligations

Essential and important entities must submit: an early warning within 24 hours of becoming aware of a significant incident, a formal incident notification within 72 hours, and a final report within 30 days. Reporting is made to the relevant CSIRT via the national JISKB portal.

Scope & sector coverage

The Act covers 19 sectors (up from 7 under NIS1), bringing an estimated 8,000–10,000 entities in scope. Entities were required to register via the JISKB portal by 1 March 2025 and must implement initial security measures within one year of receiving their categorisation notice (essential or important).

Penalties

For essential entities: fines up to €10 million or 2% of global annual turnover (whichever is higher); individual managers up to €6,000. For important entities: up to €7 million or 1.4% of global turnover; individual managers up to €3,000. These thresholds exceed the NIS2 minimum requirements.

Financial sector: DORA overlay

Financial entities subject to Croatia's Cybersecurity Act are also subject to EU Regulation 2022/2554 (DORA, applicable from 17 January 2025), which takes precedence as lex specialis for ICT-risk management and major-incident reporting in the financial sector. Croatia's Cybersecurity Act explicitly accounts for this sectoral overlay.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.