NIS2 Croatia: a compliance guide for international companies
The NIS2 Directive requires every essential and important entity operating in Croatia to implement the 10 security measures from Article 21. If you run a company in a covered sector, or if you sell into one, NIS2 compliance in Croatia is a legal obligation, not a recommendation.
The thing that catches most non-EU companies off guard: NIS2 reaches into supply chains. A US SaaS vendor selling to a Croatian energy operator can land in scope through Article 21(d). So can a German fintech with a Zagreb subsidiary, or an Italian logistics provider serving a Croatian hospital. None of them needs to have ever heard of the Croatian Cybersecurity Act.
It is manageable. Even without an in-house security team, with the right expert support.
This guide is the short version: who is in scope, what you have to do, what it costs, what the deadlines look like. No theory you do not need.
Contents
Key takeaways
- Croatia's Cybersecurity Act (ZKS) has been in force since February 2024, and the supplementing Regulation since November 2024. NIS2 is not coming. It is already here.
- NIS2 covers a far broader set of companies than the original NIS Directive, including suppliers of essential entities, even small ones.
- The 10 measures from Article 21 are the backbone of everything, but you don't have to implement them all at once. Prioritise based on a gap analysis.
- Management bodies are personally liable for non-compliance: €250 to €6,000 per person per violation under Croatian law.
- If you already have ISO 27001, you cover a significant share of NIS2 requirements (60–80% of the technical controls, depending on the mapping). A real head start.
Quick glossary of Croatian terms used in this guide
- ZKS — Zakon o kibernetičkoj sigurnosti, the Cybersecurity Act; Croatia's NIS2 transposition (NN 14/2024, in force 15 February 2024).
- Uredba o KS — the Cybersecurity Regulation (NN 135/2024, in force 30 November 2024) fleshing out the Act's technical detail.
- NN — Narodne novine, the Croatian Official Gazette.
- Nacionalni CERT — Croatia's National CERT, operated within CARNET; the competent CSIRT for the private sector and citizens.
- NCSC-HR — the National Cybersecurity Centre, within SOA; the competent CSIRT for state bodies and public-authority entities.
- SOA — Sigurnosno-obavještajna agencija, the Croatian Security and Intelligence Agency.
- CARNET — the Croatian Academic and Research Network, host of Nacionalni CERT.
What is NIS2, and why does it matter for Croatia?
NIS2 (Network and Information Security Directive 2) is EU Directive 2022/2555. It sets common cybersecurity standards across critical sectors in the EU. The scope is broader than its predecessor, the penalties are higher, and for the first time the directive makes management personally liable. For the directive landing page, see the European Commission's NIS2 policy page; ENISA publishes additional implementation guidance.
What changed from NIS to NIS2?
The original NIS Directive from 2016 covered a relatively narrow set of operators of essential services. In Croatia, that meant about fifty companies. NIS2 changes the picture in three ways. First, the number of covered sectors went from 7 to 18, split into 11 essential and 7 important sectors, so companies that never thought of themselves as "critical infrastructure" are now in scope. Second, fines jumped from symbolic amounts to up to €10 million or 2% of global turnover, whichever is higher, and that reach runs down the supply chain, so even a small company can be pulled in through a single client. Third, the part directors really care about: personal liability. A CEO can no longer point at the IT department and walk away.
How did Croatia transpose NIS2 (the ZKS)?
Croatia transposed NIS2 through the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, abbreviated ZKS), published in the Official Gazette (Narodne novine) 14/2024. It came into force on 15 February 2024, so the obligations are live now, not pending; the full Croatian text is at zakon.hr. ZKS follows the structure of the NIS2 Directive but adds Croatia-specific detail: it defines entity categories, obligations, incident reporting deadlines, and penalties. Supervision is split across sector competent authorities, while incidents go to your competent CSIRT. There are two: the National CERT, at CARNET, for the private sector and citizens, and NCSC-HR (the National Cybersecurity Centre), at SOA, for state bodies, public-authority legal persons, and local and regional self-government. So when an incident hits, you already know who you report to, and which regime you fall under is usually the first thing a director asks me.
The Cybersecurity Regulation
The implementation of ZKS is fleshed out in the Cybersecurity Regulation (Uredba o kibernetičkoj sigurnosti, NN 135/2024), which entered into force on 30 November 2024. The Regulation prescribes concrete technical and organisational measures, the methodology for self-assessment, and the details of incident reporting. The Act sets the obligation to have measures; the Regulation drops it to the level where the work actually happens. It operationalises the 10 Article 21 measures, starting with the risk assessment, the one everything else flows from, then exactly what to document and what the minimum technical standards are. In practice it is the document you will live in. So when you sit down to write your first policy or prepare a self-assessment, you open the Regulation, not the Act.
NIS2 obligations in Croatia: are you in scope?
The question I get asked most often. The answer depends on three things: your sector, your size, and (the one many companies miss) the supply chain you are part of.
Which sectors are NIS2 essential entities?
Essential entities are the companies in sectors that keep the state and the economy running. Strictest requirements, highest fines.
| Sector | Examples |
|---|---|
| Energy | Electricity, gas distribution, oil, district heating |
| Transport | Air, rail, water, road transport |
| Banking | Credit institutions |
| Financial market infrastructure | Trading venues, central counterparties |
| Health | Hospitals, laboratories, medical device manufacturers |
| Drinking water | Distribution and supply |
| Waste water | Collection and treatment systems |
| Digital infrastructure | DNS, TLD, cloud, data centres, CDN, trust services |
| Managed ICT services (B2B) | Managed service providers, managed security service providers |
| Public administration | Central and regional government bodies |
| Space | Ground infrastructure operators |
Thresholds: large enterprises (250+ employees or €50M+ revenue / €43M+ balance sheet). Some entities are in scope regardless of size: DNS service providers, TLD registries, and qualified trust service providers.
Which sectors are NIS2 important entities?
Important entities cover a broader set of sectors. The requirements are the same, but penalties are somewhat lower.
| Sector | Examples |
|---|---|
| Postal and courier services | Postal operators |
| Waste management | Collection, treatment, recycling |
| Chemical industry | Production and distribution of chemicals |
| Food production and distribution | Food industry, wholesale |
| Manufacturing | Medical devices, computers, electronics, machinery, motor vehicles |
| Digital service providers | Online marketplaces, search engines, social media platforms |
| Research | Research organisations |
Thresholds: medium-sized enterprises (50+ employees or €10M+ revenue / €10M+ balance sheet).
Self-check: 5 questions
If you're not sure whether you're in scope for NIS2, run through these five questions:
- Is your primary sector on one of the lists above?
- Do you have 50 or more employees?
- Does your annual revenue exceed €10 million?
- Do you supply services to any essential entity as part of their supply chain?
- Does your company provide digital services (cloud, SaaS, managed IT) to other businesses?
If you answered "yes" to any one of these, you are likely in scope.
A typical scenario: the supplier who doesn't know they're in scope
Picture a 60-person manufacturer making components for the energy sector. Firewall, antivirus, and that is roughly it on security. Then their essential-entity customer in energy says: "We need proof you meet NIS2 requirements because you are in our supply chain." Suddenly all 10 Article 21 measures are on the table, and there is no starting point. Here is why: NIS2 obliges essential entities to secure their own supply chain (measure 4 of Article 21), so they push that obligation down through security clauses in the contract. A company below the size threshold and outside the 18 regulated sectors still lands under NIS2 this way. I see it regularly. Companies discover they are in scope through a customer's requirement, not their own sector classification, and international suppliers are the most surprised: the assumption that "we are not an EU regulated entity" turns out to be irrelevant. If you sell to a regulated entity, that requirement is coming in your next contract; the only question is when.
NIS2 and ISO 27001: allies, not competitors
"If I have ISO 27001, do I still need to worry about NIS2?" I get this question at least once a week. ISO 27001 gives you a big head start, but it is not enough on its own.
| Area | ISO 27001 | NIS2 / ZKS |
|---|---|---|
| Risk assessment | Yes (Annex A) | Yes (Art. 21, measure 1) |
| Incident management | Yes (A.5.24–A.5.28) | Yes, with stricter deadlines (24h/72h/30d) |
| Business continuity | Yes (A.5.29–A.5.30) | Yes (Art. 21, measure 3) |
| Supply chain | Yes (A.5.19–A.5.23) | Yes, with explicit requirements (Art. 21, measure 4) |
| Access management | Yes (A.5.15–A.5.18, A.8) | Yes (Art. 21, measures 9–10) |
| Employee training | Yes (A.6.3) | Yes (Art. 21, measure 7) |
| Cryptography | Yes (A.8.24) | Yes (Art. 21, measure 8) |
| Regulator reporting | No (not mandatory) | Yes (24h/72h/30d deadlines) |
| Personal management liability | No | Yes (fines on natural persons) |
| Legal sanction | No (voluntary standard) | Yes (up to €10M) |
Depending on the mapping, ISO 27001 covers 60–80% of the technical NIS2 requirements. The table above shows where the two overlap and where NIS2 goes further. The main differences are the incident reporting deadlines (ISO has none), personal liability of management (ISO does not address it), and regulatory penalties (ISO is voluntary).
If you have ISO 27001, your path to NIS2 is shorter and cheaper. If you do not, a parallel implementation is worth considering because the investment overlaps significantly. For the full ISO 27001 picture in Croatia (2013 vs. 2022, the 93 Annex A controls, a 6-month roadmap, the internal audit), see our ISO 27001 guide.
What are the 10 NIS2 Article 21 measures?
Article 21 of the NIS2 Directive (transposed in ZKS) defines 10 mandatory security measures. Legal requirements, not recommendations. Here's what each one means once you sit down to do the work.
| Measure | What it means in practice | Effort |
|---|---|---|
| 1. Risk analysis and policies | Documented risk assessment methodology, formal policies | Medium |
| 2. Incident handling | Incident response plan, defined escalation, contact list | Medium |
| 3. Business continuity | Backup, disaster recovery, BCP, recovery testing | High |
| 4. Supply chain | Vendor assessment, security clauses in contracts | Medium |
| 5. Acquisition, development, and maintenance security | Patch management, security testing, SDLC | Medium to high |
| 6. Effectiveness assessment | Internal audits, pen tests, policy reviews | Medium |
| 7. Cyber hygiene and training | Security awareness training, phishing simulations, regular security education | Low |
| 8. Cryptography | Data encryption, key management, standards | Medium |
| 9. Access management, HR security, and asset management | RBAC, principle of least privilege, access reviews, background checks, NDAs, asset inventory and classification | Medium |
| 10. MFA and secure communications | Multi-factor authentication on critical systems, encrypted voice/video channels, secured emergency communication systems | Low |
What are the first three NIS2 measures to implement?
You don't have to do everything at once. From client work, this is the order that tends to make the most sense:
- Risk assessment (measure 1). Everything else flows from it. Without a risk assessment you don't know what you're protecting or against what.
- MFA on critical systems (measure 10). The fastest win with the best effort-to-impact ratio.
- Incident response plan (measure 2). Reporting deadlines start on day one. Improvising in the middle of a crisis is not an option.
What are the NIS2 incident reporting deadlines?
The directive sets a three-stage timeline in Article 23 of NIS2 (transposed into Croatian law via Article 16 of ZKS).
Reporting deadlines:
- 24 hours: early warning. From the moment you become aware of an incident, you have 24 hours to send an early warning to the CSIRT. It doesn't have to be a detailed analysis, but it must include basic information on what happened.
- 72 hours: incident notification. A detailed report with severity assessment, impact, indicators of compromise, and the mitigations already taken.
- 1 month: final report. Complete incident analysis, root cause, corrective measures taken, and lessons learned.
Where to report (per Art. 16 ZKS):
- National CERT (within CARNET): for the private sector and citizens, plus sectors such as banking, financial-market infrastructure, digital infrastructure, research, and education.
- NCSC-HR (the National Cybersecurity Centre, within SOA): for state bodies, public-authority legal persons, and local and regional self-government.
What happens without an incident response plan?
Imagine you get a call from the National CERT: suspicious network flows detected from your network. You have 72 hours for a full report. You have no incident response plan, no log management, no forensic capability. Your only option: engage external help at premium rates, because you didn't have a retainer.
Reactive is always more expensive than proactive.
What are the penalties for NIS2 non-compliance?
The penalty schedule comes from Article 34 of NIS2. They are designed to hurt.
| Category | Maximum fine | Alternative |
|---|---|---|
| Essential entities | €10,000,000 | or 2% of total annual global turnover |
| Important entities | €7,000,000 | or 1.4% of total annual global turnover |
| Personal management liability | €250 – €6,000 per person per violation | Repeat offences: €2,000 – €6,000 |
The higher amount applies: the fine or the percentage of turnover, whichever is greater.
Personal management liability deserves a closer look. The €250 to €6,000 range per violation does not sound alarming until you do the math: repeat violations start at €2,000, and they add up across breaches and across management members. Honestly, the money is not even the worst part. The regulatory record and the reputational fallout for a named individual is what hurts long term.
How to prepare for NIS2 — practical steps for SMBs
NIS2 compliance doesn't have to be an endless project. Five steps.
1. Determine whether you're in scope
Use the five-question self-check from this article. If you're unsure, get a consultation. Knowing beats assuming. The National CERT maintains a registry of entities, but even without formal registration you can assess your status.
2. Gap analysis: where you are today vs. where you need to be
Walk systematically through all 10 measures from Article 21 and score where you stand. What's documented? What do you do but haven't formalised? What aren't you doing at all? The gap analysis gives you a clear picture of priorities.
3. Prioritise the measures: you don't have to do everything at once
Based on the gap analysis, decide what you tackle first. My recommendation for most companies:
- Risk assessment (measure 1): everything else flows from it
- MFA on critical systems (measure 10): quick win, high impact
- Incident response plan (measure 2): reporting deadlines start on day one
- Backup and recovery (measure 3): ransomware doesn't wait
4. Implementation and documentation
NIS2 requires not only that you implement the measures, but that you document them. Policies, procedures, implementation records. Everything has to be on paper (or in a system). It is not enough for regulators that "you do this in practice"; you have to be able to prove it.
5. Testing and continuous monitoring
Once you've implemented the measures, test them. Incident tabletop exercise. Phishing simulation. Backup restore. Then keep monitoring. NIS2 compliance has no finish line. See how our team approaches continuous monitoring.
Conclusion
Determine whether you are in scope. Run a gap analysis. Implement by priority. You do not have to do all of it at once, but you do have to start.
Companies that started early are quietly turning compliance documentation into a sales asset. When a Croatian essential entity has to audit its supply chain, the supplier who can answer the questionnaire on day one wins the contract. The supplier who needs three months to retrofit policies does not.
If you want to know where you stand, get in touch. Have a look at our IT security and compliance services or book a free initial assessment. No obligations, no sales pressure.
Frequently asked questions
Does NIS2 apply to my company in Croatia?
If you operate in one of 18 covered sectors and have 50+ employees or €10M+ revenue, you are likely in scope. If you are part of the supply chain of an essential entity, you can also be covered regardless of size; this is a common surprise for non-EU suppliers selling to Croatian critical infrastructure.
What is the NIS2 compliance deadline in Croatia?
Croatia transposed NIS2 via the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, ZKS), in force since 15 February 2024. The supplementing Cybersecurity Regulation (Uredba) followed on 30 November 2024. Obligations are active now. There is no additional transition period.
How does ISO 27001 relate to NIS2?
Depending on the mapping, ISO 27001 covers 60–80% of NIS2 technical requirements. Key differences are incident reporting deadlines (24h/72h/30d), personal liability of management, and regulatory fines up to €10M. ISO 27001 is a voluntary standard; NIS2 is a legal obligation.
What are the penalties for non-compliance with NIS2 in Croatia?
Essential entities: up to €10,000,000 or 2% of global annual turnover (whichever is higher). Important entities: up to €7,000,000 or 1.4% of turnover. Croatia adds personal management liability of €250 – €6,000 per violation per person, accumulating across breaches.
Need help with NIS2 compliance? Get in touch — we reply within 24 hours.
Send an enquiry