Croatia’s financial landscape, which includes banks, insurers, and a burgeoning fintech sector, continues to evolve as technology reshapes how organizations deliver products and services. In this environment, the European Union’s Digital Operational Resilience Act (DORA) introduces uniform standards for ICT risk management, incident reporting, and third-party oversight.
Because DORA directly affects EU member states—and those providing critical IT services to regulated financial institutions—it holds particular significance for Croatia. This post explores how Croatia is adopting DORA, whether the local process differs from approaches in other EU countries, and how existing Croatian regulations already address DORA-like objectives. I’ll also highlight several audit firms in Croatia that can assist organizations navigating this regulatory shift.
Why DORA matters in Croatia
DORA mainly targets financial entities such as banks, payment institutions, investment firms, and insurers, but its impact stretches to any industry supplying essential IT services. In Croatia, the Croatian National Bank (Hrvatska narodna banka, HNB) supervises the banking sector, while the Croatian Financial Services Supervisory Agency (HANFA) oversees insurance, pension, and capital markets. Both authorities have historically emphasized stable, well-managed operations. DORA reinforces these principles by creating a more cohesive EU-wide framework that demands explicit attention to ICT governance, mandatory incident reporting, and rigorous vendor due diligence.
Because many Croatian financial institutions operate cross-border or partner with foreign firms, aligning with DORA’s standards will be crucial for maintaining credibility within the EU market. Even purely domestic businesses can benefit from the regulation’s structured approach to cyber resilience, particularly if they aim to expand or build partnerships abroad.
Is the process different from other EU countries?
Every EU member state is expected to implement DORA’s core mandates, but the precise process can vary. In Croatia, HNB and HANFA typically coordinate and issue guidance to ensure local regulations reflect EU directives. Since both bodies already have processes in place for stakeholder consultation, the path to integrating DORA may be relatively smooth, especially when compared to nations with more fragmented supervisory frameworks.
That said, Croatian organizations should be prepared for any localized clarifications—such as how incidents are classified or the specific timelines for reporting them. In countries where multiple regulatory bodies overlap, additional coordination might be required. Nevertheless, the baseline obligations—effective ICT risk management, standardized incident reporting, and strong oversight of third parties—will mirror the EU’s overarching approach.
Existing Croatian regulations aligning with DORA
Even prior to DORA, Croatia had regulations and guidelines that echo the Act’s emphasis on cybersecurity and operational resilience. The table below highlights notable examples:
| Croatian regulation or measure | Focus area | How it aligns with DORA |
| --- | --- | --- |
| HNB Ordinances and Circulars on Risk Management | Require banks to maintain robust internal controls, vendor oversight, and ICT security | Reflect DORA’s call for structured governance of ICT risks, continuous monitoring, and strong accountability for third-party providers |
| HANFA guidelines for insurance and capital market participants | Emphasize operational continuity, incident response, and consumer protection | Complement DORA’s requirement for harmonized risk assessments and swift incident notifications |
| Implementation of the NIS Directive in Croatian law (Zakon o kibernetičkoj sigurnosti operatora ključnih usluga i davatelja digitalnih usluga) | Covers cybersecurity standards and reporting for essential services, including financial entities | Aligns with DORA’s focus on mandatory incident reporting, threat monitoring, and overall operational resilience |
For many Croatian financial firms, DORA effectively codifies and unifies standards they may already follow. However, its EU-wide uniformity might require adjustments to reporting formats, more detailed risk assessments, or stricter enforcement of existing rules.
Impact on all industries
Though aimed at financial entities, DORA extends its scope to external service providers that manage critical operations or sensitive data for those entities. That means cloud hosts, software vendors, cybersecurity consultancies, and other IT suppliers in Croatia could face indirect compliance obligations. A single security incident at a vendor could trigger mandatory reporting for a regulated financial institution, prompting more rigorous due diligence and contractual demands.
For Croatia’s growing tech community, these heightened standards can be viewed as both a challenge—raising the compliance bar—and an opportunity. Businesses that embed strong cyber defenses and operational continuity measures can differentiate themselves when competing for contracts with larger financial players.
List of DORA auditors in Croatia
While DORA does not provide an official registry of approved auditors, several firms in Croatia specialize in cybersecurity, risk assessment, and regulatory compliance. Below is a concise overview of potential partners:
| Firm | Primary expertise | Additional notes |
| --- | --- | --- |
| Deloitte Croatia | Cyber risk, regulatory audits, operational resilience | Part of a global network with Croatian teams familiar with local and EU financial regulations |
| KPMG Croatia | ICT risk management, compliance reviews, financial services audits | Known for advising banks and insurers on EU directives |
| PwC Croatia | Cybersecurity, data privacy, incident response, GRC (governance, risk, compliance) | Offers tailored solutions for midsize and large organizations |
| EY Croatia | IT audits, digital transformation, cross-border regulatory alignment | Experienced in guiding institutions through complex compliance demands |
| BDO Croatia | Internal controls, operational risk, mid-market advisory | Often works with smaller financial entities and tech companies |
| IN2 Group | Croatian-based IT and consulting services, including cybersecurity | Specialized local expertise in software solutions and system integrations |
Croatian organizations should evaluate each firm’s track record in local financial regulations (HNB/HANFA requirements) and familiarity with EU directives.
Laying a foundation for resilience
DORA arrives in Croatia at a time when digitization and cross-border collaboration are accelerating. By codifying consistent standards around ICT governance, incident handling, and third-party oversight, DORA strengthens trust in the Croatian financial sector while providing a competitive advantage for organizations that meet or exceed these benchmarks. Rather than viewing DORA as an additional regulatory burden, businesses can leverage it as a clear roadmap to resilient operations and enhanced credibility in both local and EU markets.