The Cybersecurity Act applies to the overall operations of classified entities, and the Act does not require the establishment of a specific organizational unit within an entity for the implementation of the Act. The Act requires entities to appoint responsible persons, contact persons for the submission of data, and persons for incident reporting (all of whom may be the same natural persons), while the internal organization remains the responsibility of the entity itself, in accordance with its business processes.
In this context, it is important to distinguish the main roles as defined by the Cybersecurity Act: „the members of management bodies of essential and important entities or the heads of state administrative authorities, other state authorities, executive bodies of local and regional self-government units (hereinafter: persons responsible for the management of measures) are responsible for the implementation of cybersecurity risk management measures.” The main role therefore always refers to the management of the entity, i.e. generally to the person authorized to represent the legal entity in its operations (minister, director general, director, president/member of the management board, procurator, etc.). In addition, the Regulation on Cybersecurity defines an operational role: „Appoint a dedicated person operationally responsible for cybersecurity at the level of the entire entity and who is provided with adequate access to the persons responsible for the implementation of measures in the entity”. This role is typically performed by managers of the entity’s technical segments, such as a CISO, CIO, deputy director for IT, head of an administration/department, or similar. Where necessary, an internal by-law may establish the obligation of the operationally responsible person to report to the main responsible person. The same by-law should also define the annual local cybersecurity risk assessment: the operationally responsible person consolidates the proposals of all so-called risk owners (lines of work or business processes within the entity) into a single risk assessment proposal, which is then adopted by the main responsible person.
With regard to this entity risk assessment process, NCSC-HR has published the Guidelines for Classified Entities on Cybersecurity Risk Management (only available in the Croatian language version at the moment).
If a classified entity does not comply with the obligations set out in the Cybersecurity Act, both the classified entity (the legal entity) and the designated person who is the main responsible person of the entity and has the authority to represent it in business operations (a natural person) may be held liable for an infringement.
Cybersecurity incidents can occur despite compliance and do not in themselves constitute an infringement. An exception could be situations where the same type of incident occurs repeatedly, or where it can be assessed that the incidents were caused by a failure to comply with legal obligations. Even in such cases, this would first need to be confirmed through an extraordinary expert supervision.
After receiving the notification of completed classification, entities are required to comply with several different deadlines for alignment with and implementation of the Cybersecurity Act.
Within 15 days of receiving the notification of completed classification, they are required to submit entity data to the competent authority in accordance with the instructions set out in the notification.
Within 30 days of receiving the notification of completed classification, they are required to begin reporting significant cybersecurity incidents to the competent CSIRT via the PiXi platform, and prior to that, to register on the PiXi platform.
Within one year of receiving the notification of completed classification, they are required to carry out the initial implementation of cybersecurity risk management measures in accordance with the risk level determined in the national risk assessment (low, medium, or high level of measures). In the second year, they are required to enhance the measures on the basis of local risk management, and in the third year from receipt of the notification, to carry out the first cybersecurity self-assessment or cybersecurity audit.
In the event of incomplete compliance after the process described above, carried out during the first three years from classification, the competent authorities may, depending on the level of non-compliance and the resulting seriousness of the classified entity’s cybersecurity posture, conduct an extraordinary expert supervision and impose appropriate corrective measures, or submit a report to the authorized prosecutor in accordance with Articles 101 to 104 of the Cybersecurity Act. If minor non-compliances are identified in the cybersecurity self-assessment/audit, the classified entity is required to remedy them as soon as possible and to continue conducting an annual local risk assessment and a biennial cybersecurity self-assessment/audit. Essential entities will be subject every three to five years (counting from the date of expiry of the first year for the initial implementation of measures) to regular expert supervision by the sectoral competent authority that classified them, or, in the case of multiple classifications by different sectoral competent authorities, by the main competent authority, in accordance with the notification sent to them after the conclusion of a protocol between the competent authorities pursuant to Article 59 of the Cybersecurity Act.
The level of cybersecurity risk management measures is determined in accordance with the National Cybersecurity Risk Assessment. The document, together with the accompanying calculator, is available on the official website of NCSC-HR in the section Documents/Guidelines and Instructions under the title “Guidelines for Competent Authorities on the National Cybersecurity Risk Assessment” (only available in the Croatian language version at the moment).
Depending on the identified level of cybersecurity risk, each classified entity is required to implement one of three levels of cybersecurity risk management measures:
The level of cybersecurity risk management measures that a classified entity is required to implement is indicated in the notification of completed classification.
The need to purchase additional devices and solutions depends on what classified entities already have in place. Some classified entities are already fully compliant, while others will need to make additional investments to meet the required level of cybersecurity risk management measures.
The introduction of security testing should be done gradually, starting with periodic vulnerability checks and penetration testing, and progressing to more extensive cybersecurity attack simulations (such as red teaming or purple teaming) only once the entity has fully complied with the required level of cybersecurity risk management measures (basic, intermediate, or advanced) and a need for such testing has been identified in its risk assessment.
This is described in the measure 5.8 of Annex II of the Regulation on Cybersecurity, which states:
"Implement mechanisms for periodic or regular vulnerability checks of all network and information systems to detect the lack of application of security patches or improper system configuration in due time. Entities are required, based on the risk assessment, to determine the need and frequency of this type of security testing (penetration tests, red teaming, purple teaming, etc.) to detect vulnerabilities in the implementation of the network and information system. The results of security testing and vulnerability check should be prioritised, used to improve the security of the network and information system, and monitored until they are resolved. Policies and procedures should be updated as necessary. An entity may limit this measure to critical software and hardware assets under Measure 2.1".
The Cybersecurity Act and the Regulation on Cybersecurity do not prescribe a specific format for maintaining a classified entity’s cybersecurity documentation; they only define the mandatory content.
Classified entities are responsible for preparing, maintaining, and updating all necessary documentation in line with their internal business procedures.
Standardized documents cannot be provided, as classified entities differ significantly in sector, size, business model, and the standards they may follow.
When preparing documentation, attention should be given to two main parts:
The framework for self-assessment and audits requires evaluation of both parts.
It is also important to indicate the document’s author and ensure that all documentation is verified by the designated responsible person of the classified entity (such as a member of the entity’s management body, the state official in state administration authorities and other state authorities or executive body of the local and regional self-government unit).
The organization and number of internal acts depend on how each classified entity implements the measures. The regulatory framework of the Cybersecurity Act only specifies the content that must be developed, depending on the level of measures indicated in the notification of completed classification of entity. Grouping documentation is best done in accordance with the framework used to implement cybersecurity measures.
For example, if a classified entity already follows ISO 27001, it can align its documentation with existing materials and map the measures from the Regulation on Cybersecurity to this standard. If a classified entity is implementing cybersecurity measures under the Cybersecurity Act for the first time, having previously relied on informal best practices, it is recommended to use the controls developed by the Information Systems Security Bureau (ISSB) within the self-assessment framework, and to group document titles accordingly. This approach also simplifies later self-assessment and compliance checks.
Monitoring of security events (detection) and the obligation to report significant cybersecurity incidents are two separate processes.
Each entity, in the course of using network and information infrastructure, records events on its systems. The reporting obligation arises at the moment an assessment determines that the entity is facing a significant cybersecurity incident in accordance with the criteria set out in the Regulation on Cybersecurity, as described in Articles 59 to 63. From the moment of this assessment, the entity has a deadline of 24 hours to report the significant incident to the competent CSIRT via the PiXi platform. It is recommended to report all incidents and, if necessary, change the incident category to significant after assessment using the criteria set out in the Regulation.
The cybersecurity risk management measures set out in the Regulation on Cybersecurity do not prescribe specific tools or organizational models. A Security Operations Center (SOC) is a combination of both tools and organizational structure.
Classified entities are free to choose the tools that best enable them to meet the required measures according to their assigned level, and to establish an appropriate organizational setup. What is essential is the general monitoring and logging of security-relevant system events (e.g., login attempts, security alerts, etc.) and the analysis of this information to detect potential attacks or suspicious activity on the system, regardless of whether this is done by a dedicated SOC, by the existing IT team, or by an external provider.
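As an added illustration of the kind of analysis the previous paragraph refers to (this is example code written for this page, not a tool prescribed by the Act or the Regulation), the following Python script reads constructed OpenSSH-style authentication log lines, counts failed logins per source IP within a sliding time window, and raises an alert when a threshold is reached or when a login succeeds from a source that was failing just before. The log lines, threshold and window size are assumptions chosen for the example; a real deployment would tune them to the entity’s own risk assessment.

```python
"""Detect brute-force login attempts from sshd-style log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines (not real logs); the format mimics OpenSSH syslog output.
SAMPLE_LOG = """\
2025-03-01T10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2025-03-01T10:00:03 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
2025-03-01T10:00:04 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
2025-03-01T10:00:06 host1 sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
2025-03-01T10:00:07 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
2025-03-01T10:00:09 host1 sshd[1206]: Accepted password for root from 203.0.113.7 port 51239 ssh2
2025-03-01T10:05:00 host1 sshd[1300]: Failed password for alice from 198.51.100.20 port 40001 ssh2
2025-03-01T10:30:00 host1 sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# Matches "Failed"/"Accepted" authentication events; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an authentication event, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (ip, kind, timestamp) alerts.

    kind is 'bruteforce' when `threshold` failures from one IP fall within
    `window`, and 'success_after_failures' when a login succeeds from an IP
    that still has failures inside the window (a likely guessed password).
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()                 # IPs already reported as brute-forcing
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        # Slide the window: discard failures older than `window`.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append((ev["ip"], "bruteforce", ev["ts"]))
        else:
            if recent:
                alerts.append((ev["ip"], "success_after_failures", ev["ts"]))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for ip, kind, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} from {ip}")
```

On the constructed sample, the first source reaches five failures within one minute and then logs in successfully, which produces two alerts; the second source has one stale failure 25 minutes before a key-based login and produces none. The "success after failures" rule is the one worth keeping even where the volume threshold is tuned high, because a single successful login following a burst of failures is the event that most often meets the criteria for a significant incident.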
The list of essential and important entities maintained in accordance with Article 17 of the Cybersecurity Act (the Act) is not publicly available, nor will it be published by the competent authorities responsible for enforcing cybersecurity requirements, in accordance with Article 73 of the Act.
For essential and important entities, it is recommended to verify whether a potential provider of managed ICT services has been classified. This verification is carried out by submitting an inquiry to the National Cyber Security Centre (NCSC-HR). If the entity has not yet been classified, such an inquiry initiates the process of assessing the entity and assigning its category. Even in cases where such suppliers are classified, entities remain subject to the same obligation to establish appropriate contracts governing business cooperation, procurement, or the provision of services, in accordance with the cited Measure 8 of the Regulation on Cybersecurity.
The management of information and communication technology (ICT) services, in the context of the Cybersecurity Act (the Act), refers to services provided by legal entities to other legal entities (B2B), which may be public or private entities as defined by the Act. In this context, two groups of service providers are distinguished: managed service providers and managed security service providers.
Managed services, in a broader sense, relate to ICT and include various services consisting of the management of network and information systems at the level of the entire system or specific segments of a network and information system, such as support in maintaining certain types of servers, specific types of network equipment, individual application systems, and similar components. In doing so, managed service providers use physical access to the premises where ICT equipment is installed and/or remotely access certain ICT equipment, regularly using high levels of access privileges to the ICT system, which are necessary for the provision of such managed services.
Managed security services also relate to ICT, but focus on the narrower segment of ICT security. In this case, the managed security service provider performs or assists with activities related to the management of cybersecurity risks. These include management areas such as incident response, penetration testing, security audits, or various types of consulting related to technical support or cybersecurity risk management. In these areas, managed security service providers play a particularly important role in assisting entities in their efforts to prevent and detect incidents, respond to them, or recover from them.
Providers of managed and managed security ICT services are themselves targets of cyber attacks and represent a specific cybersecurity risk due to their close integration into the operations of their clients. Therefore, all providers of managed services and managed security services that provide such services to classified essential and important entities within the meaning of the Act must themselves be classified as essential or important entities. If they have not previously been classified under the general criteria of the Act, they shall be classified under special criteria as service providers to classified entities and as important entities, regardless of their size (Regulation on Cybersecurity, Article 11).
Examples:
Providers of managed ICT services belong to the segment of outsourced IT system maintenance for classified entities. When classified entities that have their own organized IT teams and IT infrastructure engage external IT service providers to maintain applications in coordination with the local IT team, such providers are not considered managed ICT service providers, as they do not perform the service independently. A similar example is a large number of business software solutions such as SAP or registry management systems, which function in the same way - either through the classified entities’ own IT infrastructure and IT teams or as similar solutions hosted on cloud computing infrastructure. The same applies to commercial licensed software, ranging from commercial operating systems and office software packages to any similar Commercial Off-The-Shelf (COTS) products.
It could be said that managed ICT service providers are more prevalent in the segment of small and micro legal entities; however, in recent years the use of cloud computing has grown significantly even in this market segment, and such services most often do not fall within this segment of managed ICT services.
Another example of managed ICT service providers are software solutions that are used in the form of various software libraries, for example for geographic information system (GIS) support, where external companies provide entities with an autonomous layer of software support that they themselves maintain and update using external high-privilege access accounts to the network and information infrastructure of entities such as telecommunications operators and similar organizations. This is a classic example of managed ICT services.
Managed security ICT services are far more common in practice and have also been identified in the new amendments to the EU Cybersecurity Act (CSA+) of January 2025, which will be transposed into national legislation through amendments to the Act on the Implementation of Cybersecurity Certification („Official Gazette”, No. 63/22), together with the ongoing broader revision of the said EU CSA. In CSA+, a managed security service is defined as „a service provided to a third party consisting of performing activities related to the management of cybersecurity risks, such as incident handling, penetration testing, security audits, and consulting, including expert advice related to technical support, or providing assistance in performing such activities.”
Addressing the challenges of identifying providers of managed and managed security ICT services will be achieved in the forthcoming period of implementation of the Cybersecurity Act through audit procedures and, subsequently, expert supervision procedures. Given that there is a very small distinction between the measure regulating the supply chain and managed ICT service providers, over time classified entities will formalize supplier records, thereby more clearly confirming the potential status of managed and managed security ICT service providers.
It is important to note that the fact that certain legal entities are providers of managed and managed security ICT services, and are therefore themselves entities subject to the Act, does not change their contractual obligations toward classified entities under supply chain measures. Instead, due to the sensitivity of managed ICT services, it introduces an additional obligation for their own classification. At the same time, classified entities that enter into contractual relationships with other legal entities, regardless of whether those legal entities are classified or not, are responsible for ensuring that the content of their contracts complies with the requirements set out in Annex II of the Regulation on Cybersecurity, in accordance with Measure 8 - Supply Chain Security.
In the initial phase of implementing the Cybersecurity Act, which begins during 2026, it is recommended to verify whether a potential provider of managed ICT services has been classified. This verification is carried out by submitting an inquiry to the National Cyber Security Centre (NCSC-HR). If the entity has not yet been classified, such an inquiry initiates the process of assessing the entity and assigning its category.
Classification is carried out only for those suppliers who are providers of managed and managed security services referred to in point 9 of Annex I of the Cybersecurity Act. Even in cases where such suppliers are classified, entities remain subject to the same obligation to establish appropriate contracts governing business cooperation, procurement, or service provision, in accordance with the cited Measure 8 of the Regulation on Cybersecurity. This classification primarily serves to provide additional security for entities when using these managed and managed security services, which represent an additional, higher cybersecurity risk for them.
At present, it is not possible to require certificates for providers of managed or managed security ICT services, as such certificates have not yet been prescribed either at the European Union level or at the national level.
The only relevant verification at this moment is the entity’s classification status.
At the national level, the only certificate currently prescribed is for cybersecurity auditors under the Cybersecurity Act. The list of certified providers of managed security services for cybersecurity audits is publicly available on the official website of the Information Systems Security Bureau (ISSB, in Croatian ZSIS).
The Cybersecurity Act does not prescribe mandatory equipment certifications. The certification system will be introduced gradually in the coming years through amendments to the Cybersecurity Certification Act („Official Gazette”, No. 63/22), as well as through the implementation of European acts - the Cyber Solidarity Act and the Cyber Resilience Act. There are no specific restrictions regarding the origin of the equipment, provided that procurement is carried out in accordance with applicable regulations.
When using external ICT services, it is recommended that contracts include minimum compliance requirements with the Cybersecurity Act, for example:
If the external service, by its scope, falls under the requirements of the Cybersecurity Act (e.g. maintenance of firewalls, VPNs, or similar equipment), then the relevant measures must also be applied to the external service provider, as such an external provider belongs to the sector of managed ICT services, i.e. managed services or managed security services. Such providers are classified according to specific criteria as service providers to classified entities and as important entities, regardless of their size (Regulation on Cybersecurity, Article 11).
Relations between legal entities with regard to data availability and data transfer are primarily contractual in nature, and the authorities responsible for enforcing cybersecurity requirements are not competent to resolve such disputes.
Such situations should not arise in entities that comply with the prescribed cybersecurity measures, in particular through the implementation of Measure 8 (especially sub-measure 8.3) set out in Annex II to the Regulation on Cybersecurity, which requires contracts with suppliers to address these matters in advance.
Only end providers of cloud computing capacity (e.g. global or national cloud infrastructure providers) are considered cloud computing service providers.
Entities that use such capacity to offer cloud migration, development, or management services are considered intermediaries or, depending on the level of service, providers of managed ICT services, but not cloud computing service providers within the meaning of the Cybersecurity Act.
Cybersecurity self-assessments are conducted by the classified entity using its own human resources, or the entity may engage an external service provider to conduct the self-assessment. Regardless of whether the same or a different provider is used, each subsequent self-assessment after two years typically involves updating the previous assessment’s documentation to reflect the current state.
Guidelines for conducting cybersecurity self-assessments are available on the Information Systems Security Bureau (ISSB) official website (only in the Croatian language version at the moment).
Self-assessment documentation must be retained by the classified entity for 10 years, while only the Statement of Compliance of Established Cybersecurity Risk Management Measures from Annex IV of the Regulation on Cybersecurity needs to be submitted to the competent authority.
Supervision of the implementation of the Cybersecurity Act is structured through three layers:
Expert supervision of the implementation of cybersecurity requirements for essential entities is carried out at least once within a period of three to five years (so-called ex-ante supervision). In addition, expert supervision of an essential entity may be conducted before the expiry of this period if the competent authority responsible for enforcing cybersecurity requirements possesses information indicating that the entity is not implementing cybersecurity risk management measures in accordance with the prescribed obligations, is not fulfilling the obligations related to reporting cybersecurity threats and incidents in the prescribed manner and within the prescribed or allowed deadlines, or is not complying with the requirements of the competent authorities under the Cybersecurity Act (so-called ex-post supervision).
Expert supervision of an important entity is conducted when the competent authority responsible for enforcing cybersecurity requirements possesses information indicating that the entity is not implementing cybersecurity risk management measures in accordance with the prescribed obligations, is not fulfilling the obligations related to reporting cybersecurity threats and incidents in the prescribed manner and within the prescribed or allowed deadlines, or is not complying with the requirements of the competent authorities under the Cybersecurity Act (so-called ex-post supervision).
Expert supervision is conducted in such a way that the supervised entity provides direct access to data, documentation, conditions, and methods of implementing cybersecurity risk management measures, fulfilling prescribed reporting obligations regarding cybersecurity threats and incidents, and responding to the requirements of the competent authorities.
Additionally, expert supervision may be carried out through the review of reports on conducted cybersecurity audits and, if necessary, other additionally requested and provided data and documentation of the supervised entity.
The competent authority responsible for enforcing cybersecurity requirements is obliged to notify the supervised entity of the planned expert supervision no later than five days before it starts.
Expert supervision may also be conducted without prior notice if there are reasons indicating the need for urgent action by the entity in response to a significant incident or to prevent or mitigate risks arising from a serious cybersecurity threat.
System security supervision relates to employee usernames and/or passwords, workstations, and other technical data of the network and information system. As such, it is not restricted by the GDPR or the Labor Act.
At the same time, the overlap between these regulatory areas can be leveraged in practice: certain measures and controls can be designed in a way that simultaneously ensures compliance with requirements across multiple regulatory areas.
Log files are part of the network and information system and are used exclusively for ensuring information security. In general, they do not process data in a form that allows direct identification of employees, nor are they maintained as part of a structured collection of employee personal data, which is kept separately.
For additional guidance on processing data through log files and protecting personal data, classified entities may consult their Data Protection Officer (DPO).
Entities classified under the Cybersecurity Act are required to implement the prescribed cybersecurity risk management measures across their entire network and information infrastructure used in business operations.
If related legal entities use the network and information infrastructure of a classified entity, they should implement equivalent cybersecurity risk management measures. This should be formalized through agreements (contracts) between the legal entities or by a group-level decision within the group of related companies.
In the event of a cybersecurity incident on the network, the classified entity is responsible for reporting the incident.
If such alignment of measures is not possible, the networks of the entities must be segregated.
Article 29 of the Cybersecurity Act stipulates that the persons responsible for the implementation of cybersecurity risk management measures shall attend appropriate training and enable employees of the entity to attend appropriate training. The obligation focuses on attending relevant educational activities, but it does not require a specific certificate as proof of the suitability of a seminar, course, conference, or similar professional event. The legal provisions emphasize knowledge and skills, rather than a specific certificate, program, or standardized level of training.
Responsible persons (members of management bodies, ministers, directors, CEOs, authorized representatives, etc.) are primarily required to acquire knowledge of cybersecurity risk management, understand the obligations under the Cybersecurity Act, and periodically participate in internal meetings or external events to enhance security awareness and keep up with developments in technology and the cyber domain.
Employees of the classified entity should have access to training on the implementation of cybersecurity risk management measures (as defined in Annex II of the Regulation on Cybersecurity) through appropriate courses (e.g., on the Cybersecurity Act, NIS2, ISO, NIST, CIS, etc.), as well as on adherence to and implementation of cybersecurity policies, depending on the role of each employee or organizational unit. They should also periodically participate in internal or external events to enhance security awareness and understanding of technological and cyber developments.
Classified entities must be able to demonstrate that the training was adequate and appropriate for the role, either through certificates issued by the organizer or by documenting the content of internally organized training. Detailed requirements are specified in Measure 4, “Security of human resources and digital identities”, in Annex II of the Regulation on Cybersecurity. Documentation and monitoring of these processes are required as part of the implementation of this measure.
The Cybersecurity Act does not prescribe the implementation of specific technical solutions for classified entities, but rather sets functional requirements that must be achieved through the implementation of mandatory cybersecurity risk-management measures. It is essential to assess how the implementation of a particular measure affects the overall level of risk and, if necessary, adapt the implementation of individual measures to the local risk assessment.
Risk acceptance depends on the specific case. Since it is not possible to completely eliminate all risks, a certain level of risk (especially low-level risk) may be acceptable. However, classified entities are required to implement all cybersecurity risk-management measures from Annex II of the Regulation on Cybersecurity, in accordance with the level of risk determined for the entity (basic, medium, advanced). This risk level is determined through the National Cybersecurity Risk Assessment as part of the classification process. The National Cybersecurity Risk Assessment, together with the accompanying calculator, is available on the official website of NCSC-HR in the section Documents/Guidelines and Instructions under the title “Guidelines for Competent Authorities on the National Cybersecurity Risk Assessment” (only available in the Croatian language version at the moment).
The purpose of the entity’s local risk assessment is to gain a more detailed understanding of the entity’s own risks and to better tailor the implementation of mandatory measures to the local risk profile, or, where necessary, to introduce additional measures beyond those that are mandatory based on the entity’s classification.
The use of the National Cybersecurity Incident Taxonomy is expected exclusively when reporting incidents through the PiXi platform. The National Cybersecurity Incident Taxonomy does not need to be formally integrated into the internal systems of classified entities.
The criteria for a significant incident are defined in Articles 59 to 62 of the Regulation on Cybersecurity, and additionally for entities referred to in Article 22 of the Cybersecurity Act that are listed in the Special Registry of Entities, they are also defined in Commission Implementing Regulation (EU) 2024/2690. These criteria must be applied in the context of each individual entity.
Common examples of significant incidents include attacks involving unauthorized access to critical system components and service outages that meet the defined criteria. However, entities should not rely on reports from other entities, but should instead apply the defined criteria in the context of their own operations.
The Cybersecurity Act does not prescribe certification of classified entities in accordance with ISO 27001:2022, but instead requires the implementation of cybersecurity risk-management measures as set out in Annex II of the Regulation on Cybersecurity.
Certification under ISO 27001:2022 is not mandatory, but it may be beneficial for achieving compliance. If a classified entity already uses this standard, it may leverage existing documentation and map the measures from the Regulation on Cybersecurity to the standard.
Until EU cybersecurity certification schemes for cybersecurity auditing are adopted, the auditing of cybersecurity for the purposes of implementing the requirements of the Cybersecurity Act is carried out exclusively by certified cybersecurity auditors entered in the Register of Certified Managed Security Service Providers for cybersecurity auditing.