NIS2 transposition

On 15 February 2024 the Cybersecurity Act entered into force (Official Gazette No. 14/24.), transposing into national law the EU NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union). The Cybersecurity Act introduced a new, more comprehensive framework for the management of cybersecurity in the Republic of Croatia.

The Act stipulates the procedures for categorisation of essential and important entities, regulates the obligations of essential and important entities in the implementation of cybersecurity requirements, defines the framework for carrying out cybersecurity audits and self-assessments, regulates all issues relevant for carrying out expert supervision of the implementation of cybersecurity requirements, and ultimately prescribes sanctions for non-compliance with prescribed obligations.

The Act establishes a new cybersecurity governance system, defines who the competent authorities are in the field of cybersecurity and what their tasks and powers are, while introducing a new functionality in the field of cybersecurity - the central government authority for cybersecurity. The tasks of the central government authority for cybersecurity will be performed by the National Cyber Security Centre (NCSC-HR) established within the Security and Intelligence Agency (SOA).

The Act introduces and elaborates voluntary cyber protection mechanisms for wider use, i.e. by entities that are not classified as essential or important entities. One of the voluntary cyber protection mechanisms is the national system for detecting cyber threats and protecting cyberspace. The national system aims to enhance overall cybersecurity capabilities and resilience. The Act also provides a framework for coordinated vulnerability detection, under which any natural or legal person can anonymously report a vulnerability to the CSIRT vulnerability detection coordinator.

Also, the Cybersecurity Act establishes a strategic planning and decision-making framework in the field of cybersecurity and sets out national frameworks for the management of large-scale cyber incidents and cyber crises.

Pursuant to Article 24 of the Cybersecurity Act (Official Gazette No. 14/24.), at its meeting held on 21 November 2024, the Government of the Republic of Croatia adopted the Regulation on Cybersecurity (Official Gazette No. 135/24.).

The Regulation sets out the criteria for classifying entities, based on specific criteria for carrying out the categorisation of entities; measures to manage and implement cybersecurity risks; the conduct of cybersecurity self-assessments; criteria for identifying significant cyber incidents; the notification of incidents; and other issues relevant to raising the level of cybersecurity.

Four annexes also form an integral part of the Regulation. Annex I contains the lists of sectors and activities. Annex II defines the measures to manage and implement cybersecurity risks. Each measure states its objective, its subsets of measures, the applicability of the measure in the context of IT and OT systems, and a table showing the distribution of the subsets of measures. Annex III lists specific physical security measures for entities in the digital infrastructure sector. Annex IV contains a template for the declaration of conformity.

The National Cyber Crisis Management Programme is a bylaw of the Cybersecurity Act, which governs the cybersecurity crisis management framework in the Republic of Croatia in its entirety.

The Programme describes cyber crisis management capacities, resources and procedures. The Programme shall also set out the objectives of cyber crisis management, compliance with the European Union cyber crisis management framework and the tasks and responsibilities of the authorities involved in cyber crisis management.

The Programme defines the technical, operational and strategic levels of cyber crisis management, which shall be consistent with the national crisis management framework in the Homeland Security system. At the operational level, a Cyber Crisis Management Coordination shall be introduced with a view to linking the technical and operational levels of cyber crisis management as effectively as possible with the strategic and political level, ensuring the timely exchange of information among the stakeholders involved, and providing appropriate information to the public.

The Coordination is an inter-departmental body chaired by the National Cyber Security Centre (NCSC-HR); other stakeholders - state administration bodies, local units, and the private and academic sectors - may be involved in the Coordination where necessary.