The Cybersecurity Act transposes the EU NIS2 Directive into national legislation (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union).
The Act establishes a new cybersecurity governance system and defines the competent authorities in the field of cybersecurity, as well as their tasks and powers.
The Act determines the sectors, subsectors, and types of entities within which entities are classified as those required to implement cybersecurity risk management measures and subject to the obligation to report significant cybersecurity incidents.
In addition, the Cybersecurity Act establishes a strategic planning framework in the field of cybersecurity and defines the national framework for managing large-scale cybersecurity incidents and cybersecurity crises.
Entities subject to the Cybersecurity Act are legal persons that operate in the sectors and subsectors listed in Annex I and Annex II of the Cybersecurity Act and that have been classified as essential or important entities.
Citizens and non-classified legal persons are not subject to the Act.
Any legal person may verify whether an entity is subject to the classification procedure by answering the following questions:
It is also important to note that certain exceptions are provided in the form of classification criteria that apply regardless of the size of the entity (e.g. trust service providers).
All obligations under the Act apply to classified entities only after they have received an official notification of classification from the competent authority.
For the purposes of classifying entities under the Cybersecurity Act, the size of an entity is calculated based on the rules set out in the Act on the Promotion of Small Business Development („Official Gazette“, No. 29/02, 63/07, 53/12, 56/16, 121/16). The European Commission has published a detailed guide with explanations:
An entity is considered a medium-sized entity if it:
An entity is considered a large entity if it:
The management of information and communication technology (ICT) services, in the context of the Cybersecurity Act (the Act), refers to services provided by legal entities to other legal entities (B2B), which may be public or private entities as defined by the Act. In this context, two groups of service providers are distinguished: managed service providers and managed security service providers.
Managed services, in a broader sense, relate to ICT and include various services consisting of the management of network and information systems at the level of the entire system or specific segments of a network and information system, such as support in maintaining certain types of servers, specific types of network equipment, individual application systems, and similar components. In doing so, managed service providers use physical access to the premises where ICT equipment is installed and/or remotely access certain ICT equipment, regularly using high levels of access privileges to the ICT system, which are necessary for the provision of such managed services.
Managed security services also relate to ICT, but focus on the narrower segment of ICT security. In this case, the managed security service provider performs or assists with activities related to the management of cybersecurity risks. These include management areas such as incident response, penetration testing, security audits, or various types of consulting related to technical support or cybersecurity risk management. In these areas, managed security service providers play a particularly important role in assisting entities in their efforts to prevent and detect incidents, respond to them, or recover from them.
Providers of managed and managed security ICT services are themselves targets of cyber attacks and represent a specific cybersecurity risk due to their close integration into the operations of their clients. Therefore, all providers of managed services and managed security services that provide such services to classified essential and important entities within the meaning of the Act must themselves be classified as essential or important entities. If they have not previously been classified under the general criteria of the Act, they shall be classified under special criteria as service providers to classified entities and as important entities, regardless of their size (Regulation on Cybersecurity, Article 11).
Examples:
Providers of managed ICT services belong to the segment of outsourced IT system maintenance for classified entities. When classified entities that have their own organized IT teams and IT infrastructure engage external IT service providers to maintain applications in coordination with the local IT team, such providers are not considered managed ICT service providers, as they do not perform the service independently. A similar example is a large number of business software solutions such as SAP or registry management systems, which function in the same way - either through the classified entities’ own IT infrastructure and IT teams or as similar solutions hosted on cloud computing infrastructure. The same applies to commercial licensed software, ranging from commercial operating systems and office software packages to any similar Commercial Off-The-Shelf (COTS) products.
It could be said that managed ICT service providers are more prevalent in the segment of small and micro legal entities; however, in recent years the use of cloud computing has grown significantly even in this market segment, and such services most often do not fall within this segment of managed ICT services.
Another example of managed ICT service providers are software solutions that are used in the form of various software libraries, for example for geographic information system (GIS) support, where external companies provide entities with an autonomous layer of software support that they themselves maintain and update using external high-privilege access accounts to the network and information infrastructure of entities such as telecommunications operators and similar organizations. This is a classic example of managed ICT services.
Managed security ICT services are far more common in practice and have also been identified in the new amendments to the EU Cybersecurity Act (CSA+) of January 2025, which will be transposed into national legislation through amendments to the Act on the Implementation of Cybersecurity Certification („Official Gazette”, No. 63/22), together with the ongoing broader revision of the said EU CSA. In CSA+, a managed security service is defined as „a service provided to a third party consisting of performing activities related to the management of cybersecurity risks, such as incident handling, penetration testing, security audits, and consulting, including expert advice related to technical support, or providing assistance in performing such activities“.
The challenges of identifying providers of managed and managed security ICT services will be addressed in the forthcoming period of implementation of the Cybersecurity Act through audit procedures and, subsequently, expert supervision procedures. Given that the boundary between the supply chain security measure and the provision of managed ICT services is very narrow, classified entities will over time formalize their supplier records, thereby more clearly confirming the potential status of managed and managed security ICT service providers.
It is important to note that the fact that certain legal entities are providers of managed and managed security ICT services, and are therefore themselves entities subject to the Act, does not change their contractual obligations toward classified entities under supply chain measures. Instead, due to the sensitivity of managed ICT services, it introduces an additional obligation for their own classification. At the same time, classified entities that enter into contractual relationships with other legal entities, regardless of whether those legal entities are classified or not, are responsible for ensuring that the content of their contracts complies with the requirements set out in Annex II of the Regulation on Cybersecurity, in accordance with Measure 8 - Supply Chain Security.
Entities subject to the Cybersecurity Act are required to implement cybersecurity requirements consisting of:
In addition, essential and important entities are required to periodically verify the compliance of the cybersecurity risk management measures established within their entity with the prescribed cybersecurity risk management measures. In this regard, essential entities are required to conduct cybersecurity audits, while important entities are required to carry out cybersecurity self-assessments.
The Cybersecurity Act defines a total of 19 sectors and 15 subsectors under which entities are classified. Annex III of the Act specifies the division of responsibilities in the field of cybersecurity, namely the competent authorities responsible for enforcing cybersecurity requirements and the competent CSIRTs for sectors, subsectors, and types of entities, as listed in the table below.
The National Cyber Security Centre (NCSC-HR) serves as the competent authority for enforcing cybersecurity requirements for 14 sectors and 14 subsectors, and as the competent CSIRT for 15 sectors and 15 subsectors.
LIST OF COMPETENCIES IN THE FIELD OF CYBERSECURITY
| SECTOR | SUBSECTOR | COMPETENT AUTHORITY | CSIRT |
|---|---|---|---|
| ENERGY | Electricity | NCSC-HR | NCSC-HR |
| ENERGY | District heating and cooling systems | NCSC-HR | NCSC-HR |
| ENERGY | Oil | NCSC-HR | NCSC-HR |
| ENERGY | Gas | NCSC-HR | NCSC-HR |
| ENERGY | Hydrogen | NCSC-HR | NCSC-HR |
| TRANSPORT | Rail | NCSC-HR | NCSC-HR |
| TRANSPORT | Water | NCSC-HR | NCSC-HR |
| TRANSPORT | Road | NCSC-HR | NCSC-HR |
| TRANSPORT | Air | HACZ | NCSC-HR |
| BANKING | | HNB | NCERT |
| FINANCIAL MARKET INFRASTRUCTURE | | HANFA | NCERT |
| HEALTH | | NCSC-HR | NCSC-HR |
| WATER INTENDED FOR HUMAN CONSUMPTION | | NCSC-HR | NCSC-HR |
| WASTE WATER | | NCSC-HR | NCSC-HR |
| DIGITAL INFRASTRUCTURE | | NCSC-HR, MZOM, MPUDT, HAKOM | NCSC-HR, NCERT |
| ICT SERVICE MANAGEMENT (B2B) | | NCSC-HR | NCSC-HR |
| PUBLIC SECTOR | | UVNS | NCSC-HR |
| SPACE | | NCSC-HR | NCSC-HR |
| POSTAL AND COURIER SERVICES | | NCSC-HR | NCSC-HR |
| WASTE MANAGEMENT | | NCSC-HR | NCSC-HR |
| MANUFACTURE, PRODUCTION AND DISTRIBUTION OF CHEMICALS | | NCSC-HR | NCSC-HR |
| PRODUCTION, PROCESSING AND DISTRIBUTION OF FOOD | | NCSC-HR | NCSC-HR |
| MANUFACTURING | Manufacture of medical devices and in vitro diagnostic medical devices | NCSC-HR | NCSC-HR |
| MANUFACTURING | Manufacture of computer, electronic and optical products | NCSC-HR | NCSC-HR |
| MANUFACTURING | Manufacture of electrical equipment | NCSC-HR | NCSC-HR |
| MANUFACTURING | Manufacture of machinery and equipment n.e.c. | NCSC-HR | NCSC-HR |
| MANUFACTURING | Manufacture of motor vehicles, trailers and semi-trailers | NCSC-HR | NCSC-HR |
| MANUFACTURING | Manufacture of other transport equipment | NCSC-HR | NCSC-HR |
| DIGITAL PROVIDERS | | NCSC-HR | NCSC-HR |
| RESEARCH | | MZOM | NCERT |
| EDUCATION SYSTEM | | MZOM | NCERT |
Additionally, within the digital infrastructure sector, the division of responsibilities in the field of cybersecurity is defined according to the type of entity, as shown in the table below.
DIGITAL INFRASTRUCTURE
| SECTOR | TYPE OF ENTITY | COMPETENT AUTHORITY | CSIRT |
|---|---|---|---|
| DIGITAL INFRASTRUCTURE | Internet Exchange Point providers | NCSC-HR | NCSC-HR |
| DIGITAL INFRASTRUCTURE | DNS service providers, excluding operators of root name servers | NCSC-HR | NCSC-HR |
| DIGITAL INFRASTRUCTURE | ccTLD name registry | MZOM | NCERT |
| DIGITAL INFRASTRUCTURE | cloud computing service providers | NCSC-HR | NCSC-HR |
| DIGITAL INFRASTRUCTURE | data centre service providers | NCSC-HR | NCSC-HR |
| DIGITAL INFRASTRUCTURE | content delivery network providers | NCSC-HR | NCSC-HR |
| DIGITAL INFRASTRUCTURE | trust service providers | MPUDT | NCSC-HR |
| DIGITAL INFRASTRUCTURE | providers of public electronic communications networks | HAKOM | NCSC-HR |
| DIGITAL INFRASTRUCTURE | providers of publicly available electronic communications services | HAKOM | NCSC-HR |
The Cybersecurity Act defines the competent authorities responsible for enforcing cybersecurity requirements, the competent authorities responsible for enforcing special laws, and the competent CSIRTs.
The competent authorities responsible for enforcing cybersecurity requirements carry out the classification of entities, maintain the list of essential and important entities, and conduct expert supervision of essential and important entities. In the process of classification, handling significant incidents, and carrying out expert supervision, they closely cooperate and coordinate their activities with the state administration authorities responsible for the specific sector in which the entities under their jurisdiction operate.
The competent authorities responsible for enforcing special laws shall ensure the implementation of cybersecurity requirements pursuant to laws that also address cybersecurity matters and that will apply as an equivalent or stricter lex specialis to the banking and finance sectors and the air transport subsector. The competent authorities for enforcing special laws are the Croatian National Bank (HNB), the Croatian Financial Services Supervisory Agency (HANFA), and the Croatian Civil Aviation Agency (HACZ).
CSIRT bodies, i.e. the competent authorities for the prevention of and protection against cybersecurity incidents, are the CSIRT within the National Cyber Security Centre (NCSC-HR) and the National CERT within CARNET. The National CERT is the competent CSIRT for the banking sector, financial market infrastructure, research, the education system, and the ccTLD name registry, while the CSIRT within NCSC-HR is competent for all other sectors, subsectors, and types of entities.
Essential entities are required to conduct a cybersecurity audit at least once every two years, and an audit may also be carried out before the expiry of this period if requested by the competent authority responsible for enforcing cybersecurity requirements.
Important entities are required to carry out a cybersecurity self-assessment at least once every two years, while they are required to conduct a cybersecurity audit only when requested by the competent authority responsible for enforcing cybersecurity requirements as a supervisory measure.
Cybersecurity audits of essential and important entities are carried out by cybersecurity auditors. Auditors are managed security service providers that have been issued a national security certificate for cybersecurity auditing or an appropriate cybersecurity certificate under the applicable European cybersecurity certification scheme.
By way of exception, the cybersecurity auditor for state administration bodies and other state bodies is the Information Systems Security Bureau (ZSIS), as the central government authority responsible for performing tasks in the technical fields of information security.
The national security certificate for cybersecurity auditing is issued by ZSIS, in its role as the central government authority responsible for performing tasks in the technical fields of information security, in a procedure and in accordance with the requirements to be laid down in the security certification rules.
Cybersecurity self-assessments are carried out by the entity using its own human resources, or the entity may engage an external service provider to conduct the self-assessment.
The rules, technical requirements, standards, templates, and procedures applied in cybersecurity self-assessment processes are prescribed by the Regulation on Cybersecurity.
Expert supervision is carried out by the authorities competent for enforcing cybersecurity requirements.
Expert supervision of the implementation of cybersecurity requirements for essential entities is carried out at least once within a period of three to five years (so-called ex-ante supervision). In addition, expert supervision of an essential entity may be conducted before the expiry of this period if the competent authority responsible for enforcing cybersecurity requirements possesses information indicating that the entity is not implementing cybersecurity risk management measures in accordance with the prescribed obligations, is not fulfilling the obligations related to reporting cybersecurity threats and incidents in the prescribed manner and within the prescribed or allowed deadlines, or is not complying with the requirements of the competent authorities under the Cybersecurity Act (so-called ex-post supervision).
Expert supervision of an important entity is conducted when the competent authority responsible for enforcing cybersecurity requirements possesses information indicating that the entity is not implementing cybersecurity risk management measures in accordance with the prescribed obligations, is not fulfilling the obligations related to reporting cybersecurity threats and incidents in the prescribed manner and within the prescribed or allowed deadlines, or is not complying with the requirements of the competent authorities under the Cybersecurity Act (so-called ex-post supervision).
Expert supervision is conducted by the supervised entity giving the competent authority direct access to the data, documentation, conditions, and methods used in implementing cybersecurity risk management measures, in fulfilling the prescribed obligations to report cybersecurity threats and incidents, and in responding to the requirements of the competent authorities.
In addition, expert supervision may be carried out through the review of reports on conducted cybersecurity audits and, if necessary, other additionally requested and provided data and documentation of the supervised entity.
The competent authority responsible for enforcing cybersecurity requirements is obliged to notify the supervised entity of the implementation of expert supervision no later than five days before the start of the supervision.
Expert supervision may also be conducted without prior notice in cases where there are reasons indicating the need for urgent action by the entity in response to a significant incident or to prevent or mitigate risks arising from a serious cybersecurity threat.
The Cybersecurity Act introduces voluntary cybersecurity mechanisms intended for broader application, including entities that are not classified as essential or important entities.
Any entity that is not classified as an essential or important entity under the Cybersecurity Act may carry out cybersecurity self-assessments for the network and information systems it uses in its operations or in providing its services.
Such entities may also voluntarily notify the competent CSIRT of any significant incident, other incidents, cybersecurity threats, or near misses, provided that they periodically conduct cybersecurity self-assessments.
To enhance the overall capability and resilience in the field of cybersecurity, the central government authority for cybersecurity continuously develops the national system for detecting cybersecurity threats and protecting the cyber environment.
Essential entities, important entities, and other entities not classified as essential or important under this Act may voluntarily exchange cybersecurity information with each other to increase the level of cybersecurity or to respond to incidents.
Finally, any natural or legal person may anonymously report a vulnerability to the CSIRT coordinator for vulnerability detection.