Cybersecurity encompasses all activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.
Cybersecurity refers to the measures taken to protect computers, servers, networks, data, and systems from malicious attacks, unauthorized access, and damage. The goal of cybersecurity is to ensure the authenticity, confidentiality, integrity, and availability of information by protecting sensitive data and preventing disruptions to business operations.
The National Cyber Security Centre (NCSC-HR) has been established within the Security and Intelligence Agency (SOA) with the aim of protecting the national cyber domain and performing the duties of the central government authority for cybersecurity, the competent authority for the implementation of cybersecurity requirements, the CSIRT, the body responsible for managing cyber crises, and the single point of contact pursuant to the Cybersecurity Act.
The most important tasks of the NCSC-HR are:
In response to growing challenges in the cyber domain, SOA established a cyber incident response team in 2017. After two years of development and expansion of the SK@UT system, the SOA Cyber Security Centre was established in 2019. The adoption of the Cybersecurity Act and the establishment of the National Cyber Security Centre represent a new step in strengthening the resilience of the Republic of Croatia to cyber attacks.
The challenges in the dynamic environment of cyberspace require the continuous development of organizational and technical measures for cyber protection. This includes proactive and reactive measures that are not always uniform but depend on the specifics of individual organizations. Within the framework of implementing cyber protection activities and detecting and responding to cyber attacks, here are priority recommendations and best practices that can be applied by all organizations (at the moment, only the Croatian language version is available).
All classified entities are required to notify the competent CSIRT of every significant incident and may voluntarily notify the competent CSIRT of other incidents, avoided incidents, and cyber threats. Classified entities report significant incidents, other incidents, avoided incidents, and cyber threats to the competent CSIRT via the national platform for the collection, analysis, and exchange of data on cyber threats and incidents - the PiXi platform. Entities that are not classified may report incidents to the competent CSIRT via e-mail.
From 30 days after their classification under the Cybersecurity Act, entities classified as important or essential are obliged to report any significant incident, while reporting of other incidents remains voluntary. The following question explains how to determine whether a cyber incident is significant.
Entities that are not classified will not have the obligation to report incidents.
The criteria for determining significant incidents and the deadlines for reporting or notifying the competent CSIRT are prescribed in the Regulation on Cybersecurity.
The criteria for determining significant incidents are prescribed by the Regulation on Cybersecurity.
A significant incident is any incident that meets at least one of the criteria for determining significant incidents set out in Articles 59 to 62 of the said Regulation, taking into account the criterion thresholds, where prescribed.
For entities referred to in Article 22 of the Cybersecurity Act that are also kept in the special registry of entities, i.e. DNS service providers, ccTLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, providers of online search engines, providers of social networking services platforms, and trust service providers, special rules apply for determining the cases in which an incident is considered significant, as laid down in Commission Implementing Regulation (EU) 2024/2690.
Deadlines for reporting or notifying the competent CSIRT are prescribed by the Regulation on Cybersecurity.
Essential and important entities are required to submit the following types of notifications regarding a significant incident to the competent CSIRT:
An early warning of a significant incident must be submitted by essential and important entities to the competent CSIRT without delay, and no later than 24 hours from the moment they become aware of the significant incident.
An initial notification of a significant incident must be submitted by essential and important entities to the competent CSIRT without delay, and no later than 72 hours from the moment they become aware of the significant incident.
Essential and important entities are required to submit an intermediate report on a significant incident at the request of the competent CSIRT.
A final report on a significant incident must be submitted by essential and important entities to the competent CSIRT no later than 30 days from the date of submission of the initial notification of the significant incident. If the incident is still ongoing, a progress report must be submitted instead of the final report.
Exceptionally, stricter rules apply to trust service providers: they are required to submit an initial notification of a significant incident to the competent CSIRT without delay, and no later than 24 hours from the moment they become aware of the significant incident, including information on the date and time when they became aware of the incident.