Croatia’s financial landscape, which includes banks, insurers, and a burgeoning fintech sector, continues to evolve as technology reshapes how organizations deliver products and services. In this environment, the European Union’s Digital Operational Resilience Act (DORA) introduces uniform standards for ICT risk management, incident reporting, and third-party oversight.
Because DORA is an EU Regulation, it applies directly in Croatia as in every other member state, and it also reaches the third-party ICT providers that serve regulated financial institutions. This post explores how Croatia is adopting DORA, whether the local process differs from approaches in other EU countries, and how existing Croatian regulations already address DORA-like objectives. I'll also highlight several audit firms in Croatia that can assist organizations navigating this regulatory shift.
Assess your DORA readiness for free!
Evaluate your organization’s compliance gaps and find areas for improvement—no prior DORA knowledge needed.
Why DORA matters in Croatia
DORA mainly targets financial entities such as banks, payment institutions, investment firms, and insurers, but its impact stretches to any industry supplying essential IT services. In Croatia, the Croatian National Bank (Hrvatska narodna banka, HNB) supervises the banking sector, while the Croatian Financial Services Supervisory Agency (HANFA) oversees insurance, pension, and capital markets. Both authorities have historically emphasized stable, well-managed operations. DORA reinforces these principles by creating a more cohesive EU-wide framework that demands explicit attention to ICT governance, mandatory incident reporting, and rigorous vendor due diligence.
Because many Croatian financial institutions operate cross-border or partner with foreign firms, aligning with DORA’s standards will be crucial for maintaining credibility within the EU market. Even purely domestic businesses can benefit from the regulation’s structured approach to cyber resilience, particularly if they aim to expand or build partnerships abroad.
PRO TIP
Start engaging your internal compliance, IT, and legal teams early. Joint planning between risk and technical stakeholders ensures DORA requirements don’t become siloed—especially for smaller institutions or service providers with limited resources.
Is the process different from other EU countries?
DORA is a Regulation (Regulation (EU) 2022/2554), so it applies directly in every member state from 17 January 2025 without national transposition. What varies by country is how competent authorities are designated, how penalties are set, and how supervision is organized in practice. In Croatia, HNB and HANFA act as the competent authorities for their respective sectors and coordinate the guidance they issue. Since both bodies already have processes in place for stakeholder consultation, integrating DORA into day-to-day supervision may be relatively smooth, especially when compared to countries with more fragmented supervisory frameworks.
That said, Croatian organizations should be prepared for localized clarifications. Note that incident classification criteria and reporting deadlines are harmonized at EU level through the technical standards adopted under DORA, so what differs locally is mainly the channel and format through which reports are submitted to HNB or HANFA, together with any supervisory expectations those authorities publish. In countries where multiple regulatory bodies overlap, additional coordination might be required. Nevertheless, the baseline obligations (effective ICT risk management, standardized incident reporting, and strong oversight of third parties) are the same across the EU.
PRO TIP
Monitor updates from both HNB and HANFA in parallel. Dual oversight means you’ll need to stay aligned with both regulators—particularly if your services span multiple financial subsectors (e.g., banking and insurance).
Existing Croatian regulations aligning with DORA
Even prior to DORA, Croatia had regulations and guidelines that echo the Act’s emphasis on cybersecurity and operational resilience. The table below highlights notable examples:
| Croatian regulation or measure | Focus area | How it aligns with DORA |
| --- | --- | --- |
| HNB Ordinances and Circulars on Risk Management | Require banks to maintain robust internal controls, vendor oversight, and ICT security | Reflect DORA's call for structured governance of ICT risks, continuous monitoring, and strong accountability for third-party providers |
| HANFA guidelines for insurance and capital market participants | Emphasize operational continuity, incident response, and consumer protection | Complement DORA's requirement for harmonized risk assessments and swift incident notifications |
| Implementation of the NIS Directive in Croatian law (Zakon o kibernetičkoj sigurnosti operatora ključnih usluga i davatelja digitalnih usluga) | Covers cybersecurity standards and reporting for essential services, including financial entities | Aligns with DORA's focus on mandatory incident reporting, threat monitoring, and overall operational resilience |
For many Croatian financial firms, DORA effectively codifies and unifies standards they may already follow. However, its EU-wide uniformity might require adjustments to reporting formats, more detailed risk assessments, or stricter enforcement of existing rules. One caveat on the NIS lineage: the 2018 act listed above has since been superseded by the 2024 Zakon o kibernetičkoj sigurnosti transposing NIS2, and for financial entities within DORA's scope, DORA's ICT risk management and incident reporting rules take precedence over the NIS2 regime as the sector-specific act, so those entities should treat DORA as the primary framework rather than reporting twice.
Impact on all industries
Though aimed at financial entities, DORA extends its scope to the ICT third-party service providers that support those entities' critical or important functions. That means cloud hosts, software vendors, cybersecurity consultancies, and other IT suppliers in Croatia could face indirect compliance obligations: financial entities must record every ICT provider in a register of information, and their contracts must contain mandatory provisions covering service levels, incident assistance, audit and access rights, and exit strategies. Providers that the European Supervisory Authorities designate as critical fall under direct EU-level oversight. A single security incident at a vendor could trigger mandatory reporting for a regulated financial institution, prompting more rigorous due diligence and contractual demands.
For Croatia’s growing tech community, these heightened standards can be viewed as both a challenge—raising the compliance bar—and an opportunity. Businesses that embed strong cyber defenses and operational continuity measures can differentiate themselves when competing for contracts with larger financial players.
PRO TIP
Review contracts now—before your clients push updates. Proactively aligning with DORA can turn you into a preferred vendor when financial institutions begin demanding formal third-party compliance documentation.
List of DORA auditors in Croatia
While DORA does not provide an official registry of approved auditors, several firms in Croatia specialize in cybersecurity, risk assessment, and regulatory compliance. Below is a concise overview of potential partners:
| Firm | Primary expertise | Additional notes |
| --- | --- | --- |
| Deloitte Croatia | Cyber risk, regulatory audits, operational resilience | Part of a global network with Croatian teams familiar with local and EU financial regulations |
| KPMG Croatia | ICT risk management, compliance reviews, financial services audits | Known for advising banks and insurers on EU directives |
| PwC Croatia | Cybersecurity, data privacy, incident response, GRC (governance, risk, compliance) | Offers tailored solutions for midsize and large organizations |
| EY Croatia | IT audits, digital transformation, cross-border regulatory alignment | Experienced in guiding institutions through complex compliance demands |
| BDO Croatia | Internal controls, operational risk, mid-market advisory | Often works with smaller financial entities and tech companies |
| IN2 Group | Croatian-based IT and consulting services, including cybersecurity | Specialized local expertise in software solutions and system integrations |
Croatian organizations should evaluate each firm’s track record in local financial regulations (HNB/HANFA requirements) and familiarity with EU directives.
Ready to meet DORA requirements in Croatia?
Whether you're a financial institution regulated by HNB or HANFA, or an ICT provider supporting a financial entity's critical or important functions, DORA compliance is now a strategic imperative. CyberUpgrade makes it simple to operationalize DORA's key requirements with audit-ready tools, automated risk workflows, and localized support.
With modules tailored to Croatian and EU supervisory frameworks, our platform helps you stay compliant, mitigate risks, and build trust across borders.
Book your free DORA consultation now and take the first step toward long-term operational resilience.
Laying a foundation for resilience
DORA arrives in Croatia at a time when digitization and cross-border collaboration are accelerating. By codifying consistent standards around ICT governance, incident handling, and third-party oversight, DORA strengthens trust in the Croatian financial sector while providing a competitive advantage for organizations that meet or exceed these benchmarks. Rather than viewing DORA as an additional regulatory burden, businesses can leverage it as a clear roadmap to resilient operations and enhanced credibility in both local and EU markets.