Questions from classified entities

In the initial phase of implementing the Cybersecurity Act, which begins during 2026, it is recommended to verify whether a potential provider of managed ICT services has been classified. This verification is carried out by submitting an inquiry to the National Cyber Security Centre (NCSC-HR). If the entity has not yet been classified, such an inquiry initiates the process of assessing the entity and assigning its category.

Classification is carried out only for those suppliers that are providers of managed services and managed security services referred to in point 9 of Annex I of the Cybersecurity Act. Even where such suppliers are classified, entities remain subject to the same obligation to establish appropriate contracts governing business cooperation, procurement, or service provision, in accordance with the cited Measure 8 of the Regulation on Cybersecurity. The classification primarily serves to provide additional assurance for entities when they use managed and managed security services, which represent an additional, higher cybersecurity risk for them.

The lists of essential and important entities maintained in accordance with Article 17 of the Cybersecurity Act (the Act) are not publicly available, nor will they be published by the competent authorities responsible for enforcing cybersecurity requirements, in accordance with Article 73 of the Act.

For essential and important entities, it is recommended to verify whether a potential provider of managed ICT services has been classified. This verification is carried out by submitting an inquiry to the National Cyber Security Centre (NCSC-HR). If the entity has not yet been classified, such an inquiry initiates the process of assessing the entity and assigning its category. Even where such suppliers are classified, entities remain subject to the same obligation to establish appropriate contracts governing business cooperation, procurement, or the provision of services, in accordance with the cited Measure 8 of the Regulation on Cybersecurity.

At present, it is not possible to require certificates for providers of managed or managed security ICT services, as such certificates have not yet been prescribed either at the European Union level or at the national level.

The only relevant verification at this moment is the entity’s classification status.

At the national level, the only certificate currently prescribed is for cybersecurity auditors under the Cybersecurity Act. The list of certified providers of managed security services for cybersecurity audits is publicly available on the official website of the Information Systems Security Bureau (ZSIS).

The Cybersecurity Act does not prescribe mandatory equipment certifications. A certification system will be introduced gradually in the coming years through amendments to the Act on the Implementation of Cybersecurity Certification („Official Gazette”, No. 63/22), as well as through the implementation of European acts, namely the Cyber Solidarity Act and the Cyber Resilience Act. There are no specific restrictions regarding the origin of equipment, provided that procurement is carried out in accordance with the applicable regulations.

When using external ICT services, it is recommended that contracts include minimum compliance requirements with the Cybersecurity Act, for example:

  • an obligation for the external provider of managed and managed security ICT services to report cybersecurity incidents on its network and information infrastructure that could have an impact on the infrastructure of the classified entity,
  • the implementation of appropriate security measures in line with the measures prescribed for the classified entity (e.g. multi-factor authentication, password policies),
  • clearly defined responsibilities in the event of an incident.

If the external service, by its scope, falls under the requirements of the Cybersecurity Act (e.g. maintenance of firewalls, VPNs, or similar equipment), then the relevant measures must also be applied to the external service provider, as such an external provider belongs to the sector of managed ICT services, i.e. managed services or managed security services. Such providers are classified according to specific criteria as service providers to classified entities and as important entities, regardless of their size (Regulation on Cybersecurity, Article 11).

Monitoring of security events (detection) and the obligation to report significant cybersecurity incidents are two separate processes.

Each entity, in the course of using network and information infrastructure, records events on its systems. The reporting obligation arises at the moment an assessment determines that the entity is facing a significant cybersecurity incident in accordance with the criteria set out in the Regulation on Cybersecurity, as described in Articles 59 to 63. From the moment of this assessment, the entity has a deadline of 24 hours to report the significant incident to the competent CSIRT via the PiXi platform. It is recommended to report all incidents and, if necessary, change the incident category to significant after assessment using the criteria set out in the Regulation.

The management of information and communication technology (ICT) services, in the context of the Cybersecurity Act (the Act), refers to services provided by legal entities to other legal entities (B2B), which may be public or private entities as defined by the Act. In this context, two groups of service providers are distinguished: managed service providers and managed security service providers.

Managed services, in a broader sense, relate to ICT and include various services consisting of the management of network and information systems at the level of the entire system or specific segments of a network and information system, such as support in maintaining certain types of servers, specific types of network equipment, individual application systems, and similar components. In doing so, managed service providers use physical access to the premises where ICT equipment is installed and/or remotely access certain ICT equipment, regularly using high levels of access privileges to the ICT system, which are necessary for the provision of such managed services.

Managed security services also relate to ICT, but focus on the narrower segment of ICT security. In this case, the managed security service provider performs or assists with activities related to the management of cybersecurity risks. These include management areas such as incident response, penetration testing, security audits, or various types of consulting related to technical support or cybersecurity risk management. In these areas, managed security service providers play a particularly important role in assisting entities in their efforts to prevent and detect incidents, respond to them, or recover from them.

Providers of managed and managed security ICT services are themselves targets of cyber attacks and represent a specific cybersecurity risk due to their close integration into the operations of their clients. Therefore, all providers of managed services and managed security services that provide such services to classified essential and important entities within the meaning of the Act must themselves be classified as essential or important entities. If they have not previously been classified under the general criteria of the Act, they shall be classified under special criteria as service providers to classified entities and as important entities, regardless of their size (Regulation on Cybersecurity, Article 11).

Examples:

Providers of managed ICT services belong to the segment of outsourced IT system maintenance for classified entities. When classified entities that have their own organized IT teams and IT infrastructure engage external IT service providers to maintain applications in coordination with the local IT team, such providers are not considered managed ICT service providers, as they do not perform the service independently. A similar case is the large number of business software solutions, such as SAP or registry management systems, that operate in the same way, either on the classified entity’s own IT infrastructure with its own IT team, or as comparable solutions hosted on cloud computing infrastructure. The same applies to commercially licensed software, from commercial operating systems and office software packages to any similar Commercial Off-The-Shelf (COTS) products.

It could be said that managed ICT service providers are more prevalent in the segment of small and micro legal entities; however, in recent years the use of cloud computing has grown significantly even in this market segment, and such services most often do not fall within this segment of managed ICT services.

Another example of managed ICT services involves software solutions delivered in the form of software libraries, for example for geographic information system (GIS) support, where external companies provide entities with an autonomous layer of software support that the external company itself maintains and updates using external high-privilege access accounts to the network and information infrastructure of entities such as telecommunications operators and similar organizations. This is a classic example of a managed ICT service.

Managed security ICT services are far more common in practice and have also been identified in the January 2025 amendments to the EU Cybersecurity Act (CSA+), which will be transposed into national legislation through amendments to the Act on the Implementation of Cybersecurity Certification („Official Gazette”, No. 63/22), together with the ongoing broader revision of the EU CSA. In CSA+, a managed security service is defined as „a service provided to a third party consisting of performing activities related to the management of cybersecurity risks, such as incident handling, penetration testing, security audits, and consulting, including expert advice related to technical support, or providing assistance in performing such activities.”

The challenge of identifying providers of managed and managed security ICT services will be addressed in the forthcoming period of implementation of the Cybersecurity Act through audit procedures and, subsequently, expert supervision procedures. Given that the distinction between the supply chain measure and the treatment of managed ICT service providers is narrow, classified entities will over time formalize their supplier records, thereby more clearly confirming the potential status of managed and managed security ICT service providers.

It is important to note that the fact that certain legal entities are providers of managed and managed security ICT services, and are therefore themselves entities subject to the Act, does not change their contractual obligations toward classified entities under supply chain measures. Instead, due to the sensitivity of managed ICT services, it introduces an additional obligation for their own classification. At the same time, classified entities that enter into contractual relationships with other legal entities, regardless of whether those legal entities are classified or not, are responsible for ensuring that the content of their contracts complies with the requirements set out in Annex II of the Regulation on Cybersecurity, in accordance with Measure 8 - Supply Chain Security.

Only end providers of cloud computing capacity (e.g. global or national cloud infrastructure providers) are considered cloud computing service providers.

Entities that use such capacity to offer cloud migration, development, or management services are considered intermediaries or, depending on the level of service, providers of managed ICT services, but not cloud computing service providers within the meaning of the Cybersecurity Act.

Relations between legal entities with regard to data availability and data transfer are primarily contractual in nature, and the authorities responsible for enforcing cybersecurity requirements are not competent to resolve such disputes.

Such situations should not arise in entities that comply with the prescribed cybersecurity measures, particularly within the implementation of Measure 8 (especially sub-measure 8.3) set out in Annex II to the Regulation on Cybersecurity.

After receiving the notification of completed classification, entities are required to comply with several different deadlines for alignment with and implementation of the Cybersecurity Act.

Within 15 days of receiving the notification of completed classification, they are required to submit entity data to the competent authority in accordance with the instructions set out in the notification.

Within 30 days of receiving the notification of completed classification, they are required to begin reporting significant cybersecurity incidents to the competent CSIRT via the PiXi platform, and prior to that, to register on the PiXi platform.

Within one year of receiving the notification of completed classification, they are required to carry out the initial implementation of cybersecurity risk management measures, in accordance with the risk level determined in the national risk assessment (low, medium, or high level of measures). In the second year, they are required to enhance those measures through local risk management, and in the third year from receipt of the notification, to carry out the first cybersecurity self-assessment or cybersecurity audit.

In the event of incomplete compliance after the described process carried out during the first three years from classification, the competent authorities may, depending on the level of non-compliance and the resulting seriousness of the classified entity’s cybersecurity posture, conduct an extraordinary expert supervision and impose appropriate corrective measures, or submit a report to the authorized prosecutor in accordance with Articles 101 to 104 of the Cybersecurity Act. If minor non-compliances are identified in the cybersecurity self-assessment/audit, the classified entity is required to remedy them as soon as possible and to continue conducting an annual local risk assessment and a biennial cybersecurity self-assessment/audit. Essential entities will be subject every three to five years (counting from the expiry of the first year allotted for the initial implementation of measures) to regular expert supervision by the sectoral competent authority that classified them. Where an entity has been classified by several sectoral competent authorities, supervision is carried out by the main competent authority, in accordance with the notification sent to the entity after the conclusion of a protocol between those competent authorities pursuant to Article 59 of the Cybersecurity Act.

The Cybersecurity Act applies to the overall operations of classified entities, and the Act does not require the establishment of a specific organizational unit within an entity for the implementation of the Act. The Act requires entities to appoint responsible persons, contact persons for the submission of data, and persons for incident reporting (all of whom may be the same natural persons), while the internal organization remains the responsibility of the entity itself, in accordance with its business processes.

In this context, it is important to distinguish the main roles as defined by the Cybersecurity Act: „the members of management bodies of essential and important entities or the heads of state administrative authorities, other state authorities, executive bodies of local and regional self-government units (hereinafter: persons responsible for the management of measures) are responsible for the implementation of cybersecurity risk management measures.” The main role always refers to the management of the entity, i.e. generally to the person authorized to represent the legal entity in its operations (minister, director general, director, president/member of the management board, procurator, etc.). Furthermore, there are operational roles defined by the Regulation on Cybersecurity: „Appoint a dedicated person operationally responsible for cybersecurity at the level of the entire entity and who is provided with adequate access to the persons responsible for the implementation of measures in the entity.” This role should be carried out by managers of the entity’s technical segments, such as a CISO, CIO, deputy director for IT, head of an administration/department, or similar. Where necessary, an internal by-law may further establish the obligation to report to the top responsible person. The same reporting line must also be defined for the local cybersecurity risk assessment, which is conducted annually and adopted by the main responsible person on the basis of a consolidated proposal from all so-called risk owners (lines of work or business processes within the entity), with the risk assessment proposal being consolidated by the aforementioned operationally responsible person.

With regard to this entity risk assessment process, NCSC-HR has published the Guidelines for Classified Entities on Cybersecurity Risk Management (only available in the Croatian language version at the moment).