NIS2 Croatia: a compliance guide for international companies

The NIS2 Directive requires every essential and important entity operating in Croatia to implement the 10 security measures from Article 21. If you run a company in a covered sector, or if you sell into one, NIS2 compliance in Croatia is a legal obligation, not a recommendation.

The thing that catches most non-EU companies off guard: NIS2 reaches into supply chains. A US SaaS vendor selling to a Croatian energy operator can land in scope through Article 21(d). So can a German fintech with a Zagreb subsidiary, or an Italian logistics provider serving a Croatian hospital. None of them needs to have ever heard of the Croatian Cybersecurity Act.

It is manageable, even without an in-house security team, provided you have the right expert support.

This guide is the short version: who is in scope, what you have to do, what it costs, what the deadlines look like. No theory you do not need.

Key takeaways

  • Croatia's Cybersecurity Act (ZKS) has been in force since February 2024, and the supplementing Regulation since November 2024. NIS2 is not coming. It is already here.
  • NIS2 covers a far broader set of companies than the original NIS Directive, including suppliers of essential entities, even small ones.
  • The 10 measures from Article 21 are the backbone of everything, but you don't have to implement them all at once. Prioritise based on a gap analysis.
  • Management bodies are personally liable for non-compliance: €250 to €6,000 per person per violation under Croatian law.
  • If you already have ISO 27001, you cover a significant share of NIS2 requirements (60–80% of the technical controls, depending on the mapping). A real head start.

Quick glossary of Croatian terms used in this guide

  • ZKS — Zakon o kibernetičkoj sigurnosti, the Cybersecurity Act; Croatia's NIS2 transposition (NN 14/2024, in force 15 February 2024).
  • Uredba o KS — the Cybersecurity Regulation (NN 135/2024, in force 22 November 2024) fleshing out the Act's technical detail.
  • NN — Narodne novine, the Croatian Official Gazette.
  • Nacionalni CERT — Croatia's National CERT, operated within CARNET, handles civilian-sector incident reporting.
  • ZSIS-CERT — the CSIRT at SOA's Information Systems Security Bureau, for classified-information infrastructure.
  • SOA — Sigurnosno-obavještajna agencija, the Croatian Security and Intelligence Agency.
  • CARNET — the Croatian Academic and Research Network, host of Nacionalni CERT.

What is NIS2, and why does it matter for Croatia?

NIS2 (Network and Information Security Directive 2) is EU Directive 2022/2555. It sets common cybersecurity standards across critical sectors in the EU. The scope is broader than its predecessor, the penalties are higher, and for the first time the directive makes management personally liable. For the directive landing page, see the European Commission's NIS2 policy page; ENISA publishes additional implementation guidance.

What changed from NIS to NIS2?

The original NIS Directive from 2016 covered a relatively narrow set of operators of essential services. In Croatia, that meant about fifty companies. NIS2 changes the picture in three ways.

The number of covered sectors went from 7 to 18. Fines jumped from symbolic amounts to up to €10 million or 2% of global turnover, whichever is higher. And the part directors really care about: personal liability. A CEO can no longer point at the IT department and walk away.

How did Croatia transpose NIS2 (the ZKS)?

Croatia transposed NIS2 through the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, abbreviated ZKS), published in the Official Gazette (Narodne novine) 14/2024. It came into force on 15 February 2024, so it has been law here for over two years. The full Croatian text is at zakon.hr.

ZKS follows the structure of the NIS2 Directive but adds Croatia-specific details. The National CERT (operated within CARNET) is the central reporting body for civilian sectors; ZSIS-CERT at SOA handles classified-information infrastructure. The Act defines entity categories, obligations, incident reporting deadlines, and penalties.

The Cybersecurity Regulation

The implementation of ZKS is fleshed out in the Cybersecurity Regulation (Uredba o kibernetičkoj sigurnosti, NN 135/2024), which entered into force on 22 November 2024. The Regulation prescribes concrete technical and organisational measures, the methodology for self-assessment, risk assessment, and the details of incident reporting.

In practice, the Regulation will matter more to you than the Act itself. It tells you exactly what to document, how to perform risk assessments, and what the minimum technical standards are.

Figure: timeline from the NIS1 Directive (2016/1148, 2016) to Croatia's NIS2 implementation. NIS2 (2022/2555) published December 2022 with a 21-month transposition window; ZKS (Cybersecurity Act) in force 15 February 2024; Regulation on essential entities in force 22 November 2024; obligations fully applicable in 2026.

NIS2 obligations in Croatia: are you in scope?

The question I get asked most often. The answer depends on three things: your sector, your size, and (the one many companies miss) the supply chain you are part of.

Figure: decision tree for NIS2 scope (11 essential and 7 important sectors, size thresholds, supply-chain check). The three questions and their outcomes:

  • Q1, sector: is your primary sector on the NIS2 list? Essential sector (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, managed ICT (B2B), public administration, space): go to Q2 (essential). Important sector (postal and courier services, waste management, chemical industry, food production and distribution, manufacturing, digital service providers, research): go to Q2 (important). Not on the list: the sector test does not apply, but you may still be in scope via the supply chain; go to Q3.
  • Q2 (essential): 250+ employees or €50M+ revenue (or €43M+ balance sheet)? Yes: essential entity (strictest regime, CSIRT report in 24h). No: important entity (medium-sized).
  • Q2 (important): 50+ employees or €10M+ revenue? Yes: important entity (threshold met). No: likely not in scope; check Q3.
  • Q3, supply chain: do you supply services to an essential entity (supplier, MSP, partner)? Yes: maybe in scope; contact legal counsel. No: not in scope.

Legend: essential entity (strictest regime, CSIRT report in 24h); important entity (regular obligations, ex-post supervision); not / maybe in scope (supply chain check or outside scope).

Which sectors are NIS2 essential entities?

Essential entities are the companies in sectors that keep the state and the economy running. Strictest requirements, highest fines.

Essential-entity sectors under NIS2

| Sector | Examples |
|---|---|
| Energy | Electricity, gas distribution, oil, district heating |
| Transport | Air, rail, water, road transport |
| Banking | Credit institutions |
| Financial market infrastructure | Trading venues, central counterparties |
| Health | Hospitals, laboratories, medical device manufacturers |
| Drinking water | Distribution and supply |
| Waste water | Collection and treatment systems |
| Digital infrastructure | DNS, TLD, cloud, data centres, CDN, trust services |
| Managed ICT services (B2B) | Managed service providers, managed security service providers |
| Public administration | Central and regional government bodies |
| Space | Ground infrastructure operators |

Thresholds: large enterprises (250+ employees or €50M+ revenue / €43M+ balance sheet). Some entities are in scope regardless of size: DNS service providers, TLD registries, and qualified trust service providers.

Which sectors are NIS2 important entities?

Important entities cover a broader set of sectors. The requirements are the same, but penalties are somewhat lower.

Important-entity sectors under NIS2

| Sector | Examples |
|---|---|
| Postal and courier services | Postal operators |
| Waste management | Collection, treatment, recycling |
| Chemical industry | Production and distribution of chemicals |
| Food production and distribution | Food industry, wholesale |
| Manufacturing | Medical devices, computers, electronics, machinery, motor vehicles |
| Digital service providers | Online marketplaces, search engines, social media platforms |
| Research | Research organisations |

Thresholds: medium-sized enterprises (50+ employees or €10M+ revenue / €10M+ balance sheet).

Self-check: 5 questions

If you're not sure whether you're in scope for NIS2, run through these five questions:

  1. Is your primary sector on one of the lists above?
  2. Do you have 50 or more employees?
  3. Does your annual revenue exceed €10 million?
  4. Do you supply services to any essential entity as part of their supply chain?
  5. Does your company provide digital services (cloud, SaaS, managed IT) to other businesses?

If you answered "yes" to any one of these, you are likely in scope.
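To make the decision tree and the size thresholds concrete, here is an added Python example (not code from the original article) that walks Q1 to Q3 with the guide's sector lists and thresholds, including the size-independent DNS / TLD / qualified trust service case. It assumes, beyond what the tree itself shows, that an entity below the medium-size threshold in an essential sector falls through to the supply-chain check; the sector strings and `Company` fields are my own naming.

```python
from dataclasses import dataclass
from enum import Enum

# Sector lists as given in the guide's decision tree (11 essential, 7 important).
ESSENTIAL_SECTORS = {
    "energy", "transport", "banking", "financial market infrastructure", "health",
    "drinking water", "waste water", "digital infrastructure", "managed ict services",
    "public administration", "space",
}
IMPORTANT_SECTORS = {
    "postal and courier services", "waste management", "chemical industry",
    "food production and distribution", "manufacturing", "digital service providers",
    "research",
}
# Entity types the guide says are in scope regardless of size.
SIZE_INDEPENDENT_TYPES = {"dns service provider", "tld registry", "qualified trust service provider"}


class Outcome(Enum):
    ESSENTIAL = "essential entity (strictest regime, CSIRT early warning in 24h)"
    IMPORTANT = "important entity (regular obligations, ex-post supervision)"
    MAYBE = "maybe in scope via supply chain (Art. 21(d)); get legal advice"
    OUT = "not in scope"


@dataclass
class Company:
    sector: str                      # lower-case sector name; anything else means "not on the list"
    employees: int
    revenue_eur: float
    balance_sheet_eur: float = 0.0
    supplies_essential_entity: bool = False   # Q3: supplier, MSP or partner of an essential entity
    entity_type: str = ""                     # e.g. "dns service provider" (size-independent)


def is_large(c: Company) -> bool:
    """Essential-entity threshold: 250+ employees OR EUR 50M+ revenue / EUR 43M+ balance sheet."""
    return c.employees >= 250 or c.revenue_eur >= 50_000_000 or c.balance_sheet_eur >= 43_000_000


def is_medium(c: Company) -> bool:
    """Important-entity threshold: 50+ employees OR EUR 10M+ revenue / EUR 10M+ balance sheet."""
    return c.employees >= 50 or c.revenue_eur >= 10_000_000 or c.balance_sheet_eur >= 10_000_000


def supply_chain_check(c: Company) -> Outcome:
    """Q3 of the tree: supplying an essential entity pulls you into its Article 21(d) obligations."""
    return Outcome.MAYBE if c.supplies_essential_entity else Outcome.OUT


def classify(c: Company) -> Outcome:
    """Walk the guide's Q1 -> Q2 -> Q3 decision tree and return the outcome."""
    if c.entity_type in SIZE_INDEPENDENT_TYPES:   # DNS, TLD, qualified trust services: size is irrelevant
        return Outcome.ESSENTIAL
    if c.sector in ESSENTIAL_SECTORS:             # Q1: essential sector -> Q2 (essential)
        if is_large(c):
            return Outcome.ESSENTIAL
        if is_medium(c):                          # medium-sized operator in an essential sector
            return Outcome.IMPORTANT
        return supply_chain_check(c)              # ASSUMPTION: below medium size, fall through to Q3
    if c.sector in IMPORTANT_SECTORS:             # Q1: important sector -> Q2 (important)
        return Outcome.IMPORTANT if is_medium(c) else supply_chain_check(c)
    return supply_chain_check(c)                  # Q1: not on the list -> Q3
```

Note that the 60-person manufacturer from the scenario below is already an important entity on the size test alone, before its energy customer ever asks for proof.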

A typical scenario: the supplier who doesn't know they're in scope

Picture a 60-person manufacturer making components for the energy sector. Firewall, antivirus, and that is roughly it on security. Then their essential-entity customer in energy says: "We need proof you meet NIS2 requirements because you are in our supply chain." Suddenly all 10 Article 21 measures are on the table, and there is no starting point.

I see this regularly. Companies usually find out they are in scope through a customer's contract requirement, not through their own sector classification. International suppliers tend to be the most surprised. The assumption that "we are not an EU regulated entity" turns out to be irrelevant.

NIS2 and ISO 27001: allies, not competitors

"If I have ISO 27001, do I still need to worry about NIS2?" I get this question at least once a week. ISO 27001 gives you a big head start, but it is not enough on its own.

ISO 27001 vs. NIS2 requirements

| Area | ISO 27001 | NIS2 / ZKS |
|---|---|---|
| Risk assessment | Yes (Annex A) | Yes (Art. 21, measure 1) |
| Incident management | Yes (A.5.24–A.5.28) | Yes, with stricter deadlines (24h/72h/30d) |
| Business continuity | Yes (A.5.29–A.5.30) | Yes (Art. 21, measure 3) |
| Supply chain | Yes (A.5.19–A.5.23) | Yes, with explicit requirements (Art. 21, measure 4) |
| Access management | Yes (A.5.15–A.5.18, A.8) | Yes (Art. 21, measures 9–10) |
| Employee training | Yes (A.6.3) | Yes (Art. 21, measure 7) |
| Cryptography | Yes (A.8.24) | Yes (Art. 21, measure 8) |
| Regulator reporting | No (not mandatory) | Yes (24h/72h/30d deadlines) |
| Personal management liability | No | Yes (fines on natural persons) |
| Legal sanction | No (voluntary standard) | Yes (up to €10M) |

Depending on the mapping, ISO 27001 covers 60–80% of the technical NIS2 requirements. The table above shows where the two overlap and where NIS2 goes further. The main differences are the incident reporting deadlines (ISO has none), personal liability of management (ISO does not address it), and regulatory penalties (ISO is voluntary).

If you have ISO 27001, your path to NIS2 is shorter and cheaper. If you do not, a parallel implementation is worth considering because the investment overlaps significantly. For the full ISO 27001 picture in Croatia (2013 vs. 2022, the 93 Annex A controls, a 6-month roadmap, the internal audit), see our ISO 27001 guide.

What are the 10 NIS2 Article 21 measures?

Article 21 of the NIS2 Directive (transposed in ZKS) defines 10 mandatory security measures. Legal requirements, not recommendations. Here's what each one means once you sit down to do the work.

10 mandatory measures from NIS2 Article 21

| Measure | What it means in practice | Effort |
|---|---|---|
| 1. Risk analysis and policies | Documented risk assessment methodology, formal policies | Medium |
| 2. Incident handling | Incident response plan, defined escalation, contact list | Medium |
| 3. Business continuity | Backup, disaster recovery, BCP, recovery testing | High |
| 4. Supply chain | Vendor assessment, security clauses in contracts | Medium |
| 5. Acquisition, development, and maintenance security | Patch management, security testing, SDLC | Medium to high |
| 6. Effectiveness assessment | Internal audits, pen tests, policy reviews | Medium |
| 7. Cyber hygiene and training | Security awareness training, phishing simulations, regular security education | Low |
| 8. Cryptography | Data encryption, key management, standards | Medium |
| 9. Access management, HR security, and asset management | RBAC, principle of least privilege, access reviews, background checks, NDAs, asset inventory and classification | Medium |
| 10. MFA and secure communications | Multi-factor authentication on critical systems, encrypted voice/video channels, secured emergency communication systems | Low |

What are the first three NIS2 measures to implement?

You don't have to do everything at once. From client work, this is the order that tends to make the most sense:

  1. Risk assessment (measure 1). Everything else flows from it. Without a risk assessment you don't know what you're protecting or against what.
  2. MFA on critical systems (measure 10). The fastest win with the best effort-to-impact ratio.
  3. Incident response plan (measure 2). Reporting deadlines start on day one. Improvising in the middle of a crisis is not an option.

What are the NIS2 incident reporting deadlines?

The directive sets a three-stage timeline in Article 23 of NIS2 (transposed into Croatian law via Article 16 of ZKS).

Reporting deadlines:

  • 24 hours: early warning. From the moment you become aware of an incident, you have 24 hours to send an early warning to the CSIRT. It doesn't have to be a detailed analysis, but it must include basic information on what happened.
  • 72 hours: incident notification. A detailed report with severity assessment, impact, indicators of compromise, and the mitigations already taken.
  • 1 month: final report. Complete incident analysis, root cause, corrective measures taken, and lessons learned.

Where to report (per Art. 16 ZKS):

  • National CERT (operated within CARNET): for most sectors, that is the private sector, public administration, and all civilian essential and important entities.
  • ZSIS-CERT at SOA (Zavod za sigurnost informacijskih sustava, the Information Systems Security Bureau): for government bodies handling classified information and national-security infrastructure.

What happens without an incident response plan?

Imagine you get a call from the National CERT: suspicious network flows detected from your network. You have 72 hours for a full report. You have no incident response plan, no log management, no forensic capability. Your only option: engage external help at premium rates, because you didn't have a retainer.

Reactive is always more expensive than proactive.

What are the penalties for NIS2 non-compliance?

The penalty schedule comes from Article 34 of NIS2. The penalties are designed to hurt.

Penalties for NIS2 / ZKS non-compliance

| Category | Maximum fine | Alternative |
|---|---|---|
| Essential entities | €10,000,000 | or 2% of total annual global turnover |
| Important entities | €7,000,000 | or 1.4% of total annual global turnover |
| Personal management liability | €250 – €6,000 per person per violation | Repeat offences: €2,000 – €6,000 |

Figure: comparison of maximum NIS2 / ZKS penalties on a linear euro scale. Essential entities up to €10,000,000 or 2% of global annual turnover; important entities up to €7,000,000 or 1.4% of global annual turnover; personal management liability €250 – €6,000 per violation per management member (repeat: €2,000 – €6,000), roughly a thousand times smaller on the chart. Note from the figure: personal fines look small on a corporate scale, but they accumulate per violation and per management member; five management members × five repeated violations at €6,000 = €150,000 in direct personal liability.

The higher amount applies: the fine or the percentage of turnover, whichever is greater.

Personal management liability deserves a closer look. The €250 to €6,000 range per violation does not sound alarming until you do the math: repeat violations start at €2,000, and they add up across breaches and across management members. Honestly, the money is not even the worst part. The regulatory record and the reputational fallout for a named individual is what hurts long term.

How to prepare for NIS2 — practical steps for SMBs

NIS2 compliance doesn't have to be an endless project. Five steps.

1. Determine whether you're in scope

Use the five-question self-check from this article. If you're unsure, get a consultation. Knowing beats assuming. The National CERT maintains a registry of entities, but even without formal registration you can assess your status.

2. Gap analysis: where you are today vs. where you need to be

Walk systematically through all 10 measures from Article 21 and score where you stand. What's documented? What do you do but haven't formalised? What aren't you doing at all? The gap analysis gives you a clear picture of priorities.

3. Prioritise the measures: you don't have to do everything at once

Based on the gap analysis, decide what you tackle first. My recommendation for most companies:

  1. Risk assessment (measure 1): everything else flows from it
  2. MFA on critical systems (measure 10): quick win, high impact
  3. Incident response plan (measure 2): reporting deadlines start on day one
  4. Backup and recovery (measure 3): ransomware doesn't wait

4. Implementation and documentation

NIS2 requires not only that you implement the measures, but that you document them. Policies, procedures, implementation records. Everything has to be on paper (or in a system). It is not enough for regulators that "you do this in practice"; you have to be able to prove it.

5. Testing and continuous monitoring

Once you've implemented the measures, test them. Incident tabletop exercise. Phishing simulation. Backup restore. Then keep monitoring. NIS2 compliance has no finish line. See how our team approaches continuous monitoring.

Conclusion

Determine whether you are in scope. Run a gap analysis. Implement by priority. You do not have to do all of it at once, but you do have to start.

Companies that started early are quietly turning compliance documentation into a sales asset. When a Croatian essential entity has to audit its supply chain, the supplier who can answer the questionnaire on day one wins the contract. The supplier who needs three months to retrofit policies does not.

If you want to know where you stand, get in touch. Have a look at our IT security and compliance services or book a free initial assessment. No obligations, no sales pressure.

Ante Projić is the founder of Ctrl Alt Grow, an IT security consultant with 15+ years of experience in security, DevOps, and cloud infrastructure.