I still remember when the original Network and Information Systems Directive (NIS) first rolled out across the EU. It felt like the cybersecurity world suddenly had a common language, albeit a clunky and still-evolving one. Fast forward to 2025, and the second iteration, known formally as Directive (EU) 2022/2555, or NIS2, is reshaping how countries like Croatia enforce digital resilience. With scope expansions, stricter reporting mandates, and significant financial penalties, Croatia’s NIS2 implementation is a pivotal shift that impacts thousands of entities, from small municipalities to global telcos.
Without further ado, let’s dive into what NIS2 Croatia means in practice—from legislative timelines to sector-specific obligations, and what every company operating in Croatia should be doing right now.
A quick overview of where things stand
The Croatian Parliament (Hrvatski sabor) passed the Zakon o kibernetičkoj sigurnosti, its NIS2 transposition act, on 26 January 2024. Published in Narodne novine 14/2024, the Act repealed the 2018 NIS1 transposition (Zakon o kibernetičkoj sigurnosti operatora ključnih usluga i davatelja digitalnih usluga, NN 64/2018) and entered into force on 15 February 2024. It expands the number of regulated entities from roughly 1,000 under NIS1 to a projected 8,000–10,000, reflecting the far broader sectoral scope of NIS2.
The institutional setup follows the Directive's split between policy, supervision and incident response. The National Cyber Security Council (Nacionalno vijeće za kibernetičku sigurnost, NVKS) coordinates policy. The Security and Intelligence Agency (SOA), acting through its National Cyber Security Centre (NCSC-HR), is designated as the central state body for cybersecurity, while supervision of individual sectors is assigned to sector-specific competent authorities named in the Act. CSIRT functions are performed by the National CERT (Nacionalni CERT, CERT.hr, operated by CARNET) and by ZSIS for state bodies.
Key takeaways from the Croatian approach
Croatia's implementation of NIS2 combines urgency with a structured approach. The Act is firm in its expectations, especially on incident reporting and risk management, but gives entities already regulated under NIS1 a transitional period to adapt.
Key takeaways as of April 2025
| Theme | Current status |
|---|---|
| Transposition act | Enacted as the Zakon o kibernetičkoj sigurnosti (NN 14/2024) |
| Law timeline | Draft: Sep 2023 → Enacted: Jan 2024 → In force: Feb 2024 |
| Entity scope | Expanded to a projected 8,000–10,000 regulated entities |
| Incident reporting | Early warning ≤24 h, incident notification ≤72 h, final report within one month (NIS2 Art. 23), submitted via the JISKB portal |
| Lead authorities | NVKS (policy), SOA / NCSC-HR (central state body), sector-specific competent authorities, Nacionalni CERT and ZSIS (CSIRTs) |
| Fines | Essential entities: up to €10M or 2% of total worldwide annual turnover, whichever is higher; important entities: up to €7M or 1.4% |
| Public sector penalties | No monetary fines; binding corrective orders only |
This expanded scope, in particular the inclusion of medium-sized manufacturers and of all municipalities with more than 50,000 residents, dramatically widens the compliance net.
Timeline of legislative and technical implementation
Croatia's NIS2 transposition followed a tight timeline. The government consulted stakeholders early through the e-Savjetovanja public consultation platform, and the bill moved quickly through Parliament.
Croatia NIS2 implementation timeline
| Date | Milestone | Status |
|---|---|---|
| 01 Sep 2023 | Draft law released for public comment | Completed |
| 13 Dec 2023 | Final draft submitted to Parliament | Completed |
| 26 Jan 2024 | Law passed by Parliament | Completed |
| 15 Feb 2024 | Law enters into force | Completed |
| May 2024 | JISKB portal live; re-registration deadline | Completed |
| 22 Nov 2024 | Decree 135/2024 published: reporting templates and audit cycle | Completed |
| 31 Jan 2025 | NBIC publishes list of regulated entities | Pending |
| H2 2025 | Start of official supervisory audits | Pending |
Supervisory audits are scheduled to start in the second half of 2025, so compliance programmes at affected entities should already be well under way.
Who is affected and how compliance is determined
NIS2 introduces a two-tier classification: essential and important entities. Whether an organisation falls into either tier depends on two things: the sector it operates in (Annex I "high criticality" sectors versus Annex II "other critical" sectors) and its size, measured by headcount and annual turnover or balance-sheet total. A few categories are in scope regardless of size: qualified trust service providers, top-level domain registries and DNS service providers are always essential entities (Art. 3(1)(b)), and providers of public electronic communications networks or services already qualify from medium size upwards. Cloud providers, by contrast, are Annex I digital-infrastructure entities and are subject to the normal size thresholds unless one of the size-independent criteria in Art. 2(2) applies (for example, being the sole provider of a service in a Member State).
Entity classification criteria
| Classification | Criteria |
|---|---|
| Essential | Large entities (≥250 employees, or >€50M turnover and >€43M balance sheet) in Annex I sectors |
| Important | Medium-sized entities (≥50 employees, or >€10M turnover or balance sheet) in Annex I or II sectors, and large entities in Annex II sectors |
| In scope regardless of size | Qualified trust service providers, TLD registries, DNS service providers; public electronic communications providers from medium size; any entity meeting an Art. 2(2) criterion |
The tiering matters in practice: essential entities are subject to proactive (ex ante) supervision and the higher fine ceiling, while important entities are supervised reactively (ex post), typically after an incident or on evidence of non-compliance.
Sanctions and management accountability
Penalties under the Croatian NIS2 regime are steep. Essential entities risk fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher; important entities face up to €7 million or 1.4%. The law also makes management personally accountable, as NIS2 Art. 20 requires: management bodies must approve the cybersecurity risk-management measures, oversee their implementation and undergo training, and they can be held liable for infringements. For essential entities, supervisors may also temporarily bar natural persons in management positions from exercising those functions in cases of repeated non-compliance.
Public sector bodies are exempt from financial penalties but remain subject to binding corrective orders.
Impact on industries across the Croatian economy
Croatia's NIS2 implementation changes how whole industries operate, especially those that were previously outside any cybersecurity regulation. The shift is most significant for manufacturing, digital infrastructure and healthcare.
Sector impact overview
| Sector | Key impacts |
|---|---|
| Manufacturing | OT/IT network segmentation, annual penetration testing, biennial external audits |
| Energy and utilities | New sub-sectors (LNG, hydrogen) added; KPI reporting to HERA |
| Healthcare | Scope expands from about 40 to 200+ entities; ISO 27001-based governance |
| Digital infrastructure | Mandatory 24/7 SOC; registers of critical vendors |
| Finance | DORA applies as lex specialis for risk management and incident reporting (NIS2 Art. 4), so financial entities follow DORA for those obligations; NIS2 supervision and sanctions apply only to what DORA does not cover |
| Public administration | CISO appointment and full reporting duties, but no financial penalties |
What companies need to do now
If your organisation falls within the scope of the Croatian transposition, the following should be done immediately:
- Use the NBIC self-assessment wizard and register in the JISKB portal within 60 days of coming into scope.
- Map existing controls against the risk-management measures (NIS2 Art. 21 and the corresponding articles of the Croatian Act), paying particular attention to multi-factor authentication, supply-chain security clauses in supplier contracts, and rehearsed incident-handling procedures.
- Write a single incident-reporting SOP that covers both the NIS2 deadlines (24-hour early warning, 72-hour notification, final report within one month) and the GDPR personal-data-breach notification to the supervisory authority within 72 hours, so that one triage decision drives both.
- Schedule the biennial external security audit and document its findings and remediation.
- Engage the board: obtain formal approval of the cybersecurity plan and keep a record of management training.
Building resilience, one regulation at a time
Croatia's approach to NIS2 is not only about compliance; it is a national strategy for cyber resilience. Broader sector coverage, tighter deadlines and heavier penalties send a clear signal: digital operational resilience is now a baseline expectation, not an optional upgrade.
With the NBIC preparing its first official entity list and audits due later in 2025, now is the time for Croatian organisations to move from planning to execution. Whether you are a mid-sized manufacturer or a public sector agency, your digital backbone is about to face its most rigorous test yet.
For more on the legal text and latest developments, consult the Narodne Novine official site or the CERT-HR portal.