Chief Information Security Officer

Jun 26, 2025


ISO 27001 regulations and implementation in Croatia


Croatia’s push toward digital sovereignty over the past decade has turned ISO 27001 from a voluntary quality badge into something closer to a passport for doing business. Although the core clauses remain identical to the international text, Parliament, sectoral regulators and the Croatian Accreditation Agency (HAA) have layered on a surprisingly dense web of national rules, translations and audit check-lists. These overlays mean a multinational can land in Zagreb with a pristine certificate, yet still fail a local cyber-inspection the very next day. 

In this article I dissect where those traps lie, how seasoned security managers sidestep them and why compliance has quietly become a competitive edge.

Between global standard and local law

Most of the friction comes from a handful of legal acts that graft ISO 27001 concepts onto Croatian administrative culture. Before unpacking the implementation tactics, it helps to see the moving parts in one view. Table 1 maps the main Croatian overlays, the extra effort they demand and the legal texts behind them.

| Area | Croatian requirement or scheme | What it adds on top of ISO 27001 |
|---|---|---|
| Certification & accreditation | Croatian Accreditation Agency (HAA) accreditation; e-Akreditacija register | Only HAA-accredited bodies may issue certificates that regulators accept |
| National standard text | HRN EN ISO/IEC 27001:2023 Croatian translation | From November 2024 all audits must use the bilingual text |
| Cyber-Security Act (NIS 1) | Act 64/2018 on cyber-security of OES/DSP | Mandatory risk-based ISMS, 24 h / 72 h incident notice, two-year external cyber-audit |
| Implementing regulation | Gazette 68/2018 regulation | 93 security measures mapped line-by-line to ISO 27001 |
| Audit methodology | Decree 436/2019 (NBÚ) | Compulsory two-yearly audit checklist aligned with ISO 27001 |
| NIS 2 transposition | Croatian Cyber-Security Act, “CCR” (NN 14/2024) | Scope expands to ≈ 3 700 entities, adds self-assessment and KPI uploads |
| State-sector data | Information Security Act 79/2007 + Regulation 46/2008 | ISO controls mandatory for ministries, municipalities and contractors |
| National security projects | UVNS security clearances & SK@UT SOC decisions | ISO-style ISMS review for “RESTRICTED” data projects |
| Telecom & 5G | Electronic Communications Act + HAKOM rules | Annual ISO-aligned security report, 24 h outage notice |
| Financial services | Croatian National Bank circulars adopting EBA Guidelines on ICT and security risk management | ISO 27001 clause 9 KPIs must feed the yearly ICT-risk report; mapping to DORA from 2025 |
| Data-protection interplay | GDPR + Personal Data Protection Act 42/2018 | ISO controls treated as “state-of-the-art” technical measures |

Table 1: Croatian regulatory overlays to ISO 27001

Taken together, these rows explain why Croatian auditors expect an SoA to reference local Gazette numbers and why bilingual evidence is practically a must. With the legal landscape sketched, the next question is how organisations weave these strands into a single, living management system.

Designing an ISMS that satisfies every inspector

When I coach project teams, the mantra is simple: “one ISMS, many badges.” The trick lies in layering the statutory extras onto the 2022 edition without letting paperwork explode. Table 2 summarises the practices that seasoned compliance leads follow and why each one earns back its effort.

| Step | Good practice | Why it helps |
|---|---|---|
| Scope & overlays | Start with plain ISO 27001; add Act 64/2018 annexes if you are an OES/DSP; layer CCR 14/2024 deltas for NIS 2; bolt on telecom or banking annexes only if sector-specific | Prevents duplicated documents and hidden gaps during NBÚ or UVNS audits |
| Cross-map once | Build a matrix that links every ISO clause to Gazette 68/2018, CCR 135/2024 and sector rules, then attach it to the SoA | Auditors ask for exactly this cross-reference |
| Use Croatian artefacts | Keep risk analyses, incident SOPs and audit reports in Croatian, with English columns for multinationals | Satisfies language rules and speeds up foreign certification reviews |
| Synchronise audits | Align the ISO year-two surveillance visit with the compulsory NBÚ cyber-audit and reuse the same pentest evidence for CCR uploads | One evidence harvest feeds two certificates and four regulator portals |
| Automate evidence | Tag vulnerability scans once and stream dashboards into ISO KPIs, NBÚ checklists, CCR quarterly uploads and CNB reports | “Collect once – comply many” becomes reality |

Table 2: Typical Croatian implementation path
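The “cross-map once” and “automate evidence” steps above come down to one matrix and one set of tags. The following script is an added illustration, not code from the article or from any product it mentions: it maps ISO 27001:2022 Annex A control ids onto the overlays the article names (Gazette 68/2018, CCR, HAKOM), tags each evidence artefact once, and reports per regime which measures have no evidence behind them. The overlay measure ids (NN68-M1 and so on) and the evidence items are constructed placeholders; only the Annex A control numbers are real.

```python
"""Added example: "collect once, comply many" gap check (constructed data)."""
from collections import defaultdict

# Constructed cross-reference matrix: ISO 27001:2022 control -> {regime: measure id}.
# Measure ids are placeholders; replace them with the real Gazette/CCR/HAKOM refs.
CROSS_MAP = {
    "A.5.1":  {"NN68": "NN68-M1"},
    "A.5.24": {"NN68": "NN68-M2", "CCR": "CCR-INC"},
    "A.6.8":  {"NN68": "NN68-M3", "CCR": "CCR-INC", "HAKOM": "HAKOM-OUTAGE-24H"},
    "A.8.8":  {"NN68": "NN68-M4", "CCR": "CCR-VULN"},
}

def required_measures(cross_map):
    """All measures each regime expects, derived once from the matrix."""
    req = defaultdict(set)
    for regime_map in cross_map.values():
        for regime, measure in regime_map.items():
            req[regime].add(measure)
    return req

def covered_measures(evidence, cross_map):
    """Measures backed by at least one artefact tagged with a mapped control."""
    covered = defaultdict(set)
    for item in evidence:
        for control in item["controls"]:
            for regime, measure in cross_map.get(control, {}).items():
                covered[regime].add(measure)
    return covered

def gap_report(evidence, cross_map=CROSS_MAP):
    """Return {regime: sorted measure ids with no evidence} - the hidden gaps."""
    req = required_measures(cross_map)
    cov = covered_measures(evidence, cross_map)
    return {regime: sorted(req[regime] - cov.get(regime, set())) for regime in req}

# Constructed evidence lake: each artefact tagged once, Croatian title plus an
# English column for multinational reviewers, as the article recommends.
EVIDENCE = [
    {"id": "EV-001", "naslov": "Plan odgovora na incidente",
     "title": "Incident response plan", "controls": ["A.5.24"]},
    {"id": "EV-002", "naslov": "Izvjestaj skeniranja ranjivosti Q1",
     "title": "Vulnerability scan report Q1", "controls": ["A.8.8"]},
]

if __name__ == "__main__":
    for regime, missing in gap_report(EVIDENCE).items():
        print(f"{regime}: missing {missing or 'nothing'}")
```

Tagging a new artefact with A.6.8 (event reporting) closes both the CCR incident and HAKOM outage rows at once, which is the point of mapping controls rather than regimes.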

Following this path means a leaner audit calendar and far fewer surprises when ministries, HAKOM or the central bank ask for proof. The payoff, however, goes well beyond audit comfort, as the next section shows.

Turning compliance into advantage

What began as a defensive move against fines now routinely tilts tender scores and insurance premiums. Croatian buyers and underwriters consult the public HAA register before awarding a contract or quoting a policy, and they reward organisations that can provide a single certificate covering five regimes. The table below lays out the most frequent business effects I have witnessed across finance, telecoms and the public cloud market.

| Impact area | Practical effect |
|---|---|
| Tender & cloud eligibility | State RFPs and all SK@UT cloud frameworks require ISO 27001 — without it, bids fail technical review |
| Regulatory shield | A valid certificate counts as “state-of-the-art” under GDPR Art 32 and slashes the scope of NBÚ, CCR and HAKOM inspections |
| Supply-chain trust | Customers halve vendor-risk questionnaires once a certificate number is verified in the HAA portal |
| Insurance & EU funds | Cyber-insurers cut deductibles; Horizon Europe and Recovery-and-Resilience grants award bonus points |
| Operational resilience | The ISO Plan-Do-Check-Act loop dovetails with 24 h / 72 h incident SLAs and DORA stress-tests, speeding recovery |

Table 3: Business impact of ISO 27001 in Croatia

These outcomes transform the compliance narrative from sunk cost to market differentiator. Yet even seasoned leaders ask what to tell the board when the next law inevitably lands.

Steering the compliance ship

After fifteen Croatian implementations, my answer distills to four sentences, shown in the table below. They serve as talking points when budgets tighten or a new sector rule appears on the horizon.

| Message | Rationale |
|---|---|
| One ISMS, many badges | A single ISO 27001:2022 core can satisfy five statutes with minimal overlays |
| Stay under the HAA umbrella | Only HAA-accredited certificates pass public-buyer scrutiny |
| Collect evidence once | A well-tagged evidence lake feeds every portal from NBÚ to CNB |
| Get CCR-ready early | An ISO-mapped ISMS delivers roughly 80 % of NIS 2 compliance on day one |

Table 4: Key takeaways for Croatian security leaders

Simplify Croatian ISO 27001 with CyberUpgrade

Navigating Croatia’s accreditation, NIS-related audits, and sector checklists can derail even the most seasoned security teams. CyberUpgrade centralizes your control mappings and automates bilingual evidence tagging so one Statement of Applicability covers ISO 27001, mandatory cyber-audits, telecom outage reports, and financial-sector KPIs without duplicate work. Real-time Slack or Teams prompts guide you through 24 h/72 h incident notifications and audit prep, cutting manual effort by up to 80 %.

Automated SIEM integrations feed vulnerability scans and KPI dashboards directly into every regulator’s portal—from HAA to NBÚ and HAKOM—enabling a “collect once, report everywhere” approach. Fractional CISO support tailors your ISMS annexes only where contracts demand, keeping scope lean and focused. This unified system frees your team to strengthen security controls rather than chase paperwork.

With CyberUpgrade, compliance becomes a competitive edge: win more public tenders, secure lower insurance premiums, and stay audit-ready as Croatian regulations evolve. Treat ISO 27001 as a living management system, and you’ll pass the next inspection with your evidence already in hand.

Next moves on the Croatian cyber chessboard

Croatian lawmakers have shown a habit of importing new EU cyber mandates quickly and then adding their own reporting twists. That rhythm is unlikely to slow as DORA stress-tests start in 2025 and the first CCR self-assessment KPIs hit supervisory dashboards. Organisations that already treat ISO 27001 as the backbone rather than the ceiling will absorb the next wave with minor annex work. Those still chasing separate checklists will face another scramble. The strategic question, therefore, is not whether ISO 27001 still matters in Croatia, but whether your documentation and dashboards are nimble enough to absorb the next decree without breaking stride.


He is a cybersecurity leader with over a decade of experience building secure, resilient IT environments for fintech and tech firms. He specializes in ISO 27001–based security management, ITIL service delivery, and process automation, with deep expertise in IAM, risk assessment (GDPR, NIS2, DORA), and security governance. Zbignev advises on emerging security trends, helping organizations turn compliance and risk challenges into strategic advantages.
