3 Croatian NIS2 Authorities, 1 Reporting Platform: How to Navigate ZSIS, NCSC-HR, and PiXi Without Compliance Gaps
Croatia was among the first EU member states to transpose the NIS2 Directive, passing its Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, NN 14/2024) in January 2024, with the law entering force on 15 February 2024 [1]. But speed of transposition is only part of the story. Croatia’s implementation introduces a three-body CSIRT structure that routes incident handling to different national authorities depending on your sector — and a national reporting portal, PiXi, that is specific to Croatia and entirely separate from any EU-standard tooling.
Understanding which of the three bodies supervises your organisation, how to register on PiXi before an incident occurs, and what five requirements Croatia added beyond the EU baseline: these are the practical starting points for covered entities operating under Croatia’s NIS2 framework.
How Croatia’s NIS2 Authority Framework Is Organised
NIS2 Article 8 requires each member state to designate one or more competent authorities and one single point of contact [5]. Croatia designated multiple sector-specific authorities coordinated by a central government body. Three organisations handle the bulk of day-to-day NIS2 operations [2][3][4].
National Cyber Security Centre (NCSC-HR) operates within Croatia’s Security and Intelligence Agency (SOA) and functions as the central government authority for cybersecurity. NCSC-HR acts as the competent authority and competent CSIRT for the majority of NIS2 sectors — 14 sectors within its supervisory remit and 15 sectors within its incident response remit. It runs the national SK@UT threat detection sensor network, coordinates all Croatian CSIRTs, and chairs the Cyber Crisis Management Coordination body.
CERT.hr, operated by CARNET (the Croatian Academic and Research Network), serves as the competent CSIRT for banking, financial market infrastructure, research institutions, the education sector, and the national ccTLD registry. CERT.hr also operates the PiXi incident reporting platform — the national portal all covered entities must use to file significant incident notifications.
ZSIS (the Information Systems Security Bureau, Zavod za sigurnost informacijskih sustava) is Croatia’s central government body for technical information security. ZSIS issues the national security certificates required for cybersecurity auditing, conducts audits for state administration bodies, and acts as the sector CSIRT for energy, transport, health, water, and government services.
The single point of contact under NIS2 Article 8 is the Office of the National Security Council (UVNS), reachable at spoc@uvns.hr or +385 1 4681 222 [4]. The SPOC role is distinct from supervisory authority: UVNS handles cross-border liaison with other EU member states and ENISA, while day-to-day supervision remains with the sector-competent authorities.
Entity Routing by Sector: Which Body Handles Your Organisation
Croatia’s competent authority structure assigns supervisory responsibility to sector ministries and regulators, with NCSC-HR holding residual authority for any sector that has no dedicated sectoral body. The table below maps each major sector to its designated competent authority and to the CSIRT that receives its incident reports, based on the European Commission’s official NIS2 registry for Croatia, updated 7 July 2025 [3][4].
| Sector | Competent Authority (NCA) | CSIRT (incident routing) |
|---|---|---|
| Energy (electricity, oil, gas, hydrogen, district heating) | Ministry of Economy and Sustainable Development | ZSIS |
| Transport (road, rail, air, maritime, urban transit) | Ministry of the Sea, Transport and Infrastructure | ZSIS |
| Health | Ministry of Health | ZSIS |
| Water supply and wastewater | Ministry of Economy and Sustainable Development | ZSIS |
| Public administration | Ministry of Justice, Public Administration and Digital Transformation | ZSIS |
| Banking | Croatian National Bank (HNB) | CERT.hr (CARNET) |
| Financial market infrastructure | HANFA (Croatian Financial Services Supervisory Agency) | CERT.hr (CARNET) |
| Digital infrastructure / electronic communications | HAKOM + Central State Office for Digital Society | CERT.hr (CARNET) |
| Digital service providers (cloud, online marketplaces, search engines) | Central State Office for Digital Society | CERT.hr (CARNET) |
| Research institutions, education | Ministry of Science and Education | CERT.hr (CARNET) |
| Other sectors not listed above | NCSC-HR | NCSC-HR |
A note on entity identification. Unlike some EU member states where organisations self-identify as essential or important, Croatia uses a proactive model: competent authorities categorise entities and notify them formally [7]. The initial deadline for authorities to compile and publish the entity list was 15 February 2025 [8]. After receiving formal notification, an organisation has up to one year to achieve full compliance. Entities that have not yet been notified may still be in scope — checking your sector against the table above is the correct starting point.
Croatia also applies a three-tier risk rating (low, medium, high) to each covered entity, which determines the mandatory security measure subset: a full set for high-risk essential entities, and conditional or basic subsets for lower-rated organisations. This grading mechanism goes beyond what NIS2 Article 21 prescribes at EU level and is administered by the competent authority through the formal notification process [7].
For a full overview of which organisations are covered under NIS2, including size thresholds and sector-independent inclusions, see the NIS2 scope guide.
PiXi — Croatia’s National Incident Reporting Portal
PiXi is Croatia’s national platform for mandatory cybersecurity incident notifications. Operated by CARNET/CERT.hr, it is available at pixi.carnet.hr [8]. PiXi is not a shared EU tool — it is specific to Croatia’s framework and is required for all covered entities regardless of which CSIRT handles their sector.
Registration. Access to PiXi requires prior authentication through the NIAS system (National Identification and Authentication System), Croatia’s national digital identity infrastructure. Set up NIAS credentials before an incident occurs. Attempting to create credentials during an active breach adds avoidable time pressure against a 24-hour early warning deadline.
Reporting timeline. Once a significant incident is identified, Croatia’s framework follows the NIS2 Article 23 incident notification structure [6]:
| Phase | Deadline | What to Submit |
|---|---|---|
| Early warning | Within 24 hours of awareness | Initial alert: probable cause, whether unlawful activity or cross-border impact is suspected |
| Incident notification | Within 72 hours | Severity assessment, initial impact scope, compromise indicators where available |
| Progress updates | Every 30 days if ongoing | Current remediation status and scope updates |
| Final report | Within 30 days of resolution | Detailed description, root cause, mitigation measures applied, cross-border impact assessment |
What qualifies as a significant incident. Under NIS2 Article 23, an incident is significant if it “caused or is capable of causing severe operational disruption of the services or financial loss” or if it “affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage” [6]. Croatia’s implementing regulation translates this into specific triggers including service downtime beyond defined thresholds, data compromise affecting third parties, financial loss, and reputational harm.
Email fallbacks. If PiXi is inaccessible during an active incident, use incident@ncsc.hr for most sectors, or zks-incident@cert.hr for sectors under CERT.hr’s CSIRT remit (banking, financial, digital infrastructure, education, research) [8].
Voluntary reporting of non-significant incidents, near misses, and emerging threats is also encouraged within 30 days of detection and can be submitted through the same PiXi portal. For detailed guidance on what to include in incident reports and how to structure the documentation, see the incident reporting guide.
Five Croatian Requirements That Go Beyond the EU NIS2 Baseline
The NIS2 Directive sets minimum requirements; member states may go further. Croatia’s Cybersecurity Regulation (Narodne novine 135/2024) exercised that flexibility across several areas that differ materially from the EU baseline [9][10].
1. Prescriptive password minimums. The EU baseline addresses authentication without specifying character counts. Croatia’s Cybersecurity Regulation sets explicit minimums: 14 characters for standard user accounts, 16 characters for privileged accounts, and 24 characters for service accounts [9]. Shorter passwords are permitted only when multi-factor authentication is implemented — but MFA does not waive the character floor entirely. This is a specific, auditable threshold that must be documented in your credential management policy. For context on how MFA requirements interact with password policies under NIS2, see the MFA requirements guide.
2. Mandatory phishing simulations. Croatia’s regulation requires periodic phishing simulation exercises rather than leaving anti-phishing training to general awareness programmes [9]. The simulation programme creates an evidence trail that auditors can request: run dates, employee response rates, remediation steps for those who failed. Ad hoc awareness training without simulation records will not satisfy this requirement.
3. Minimum log retention of 90 days. NIS2 Article 21 requires security monitoring and logging but does not prescribe a retention floor at EU level. Croatia’s regulation sets the minimum at 90 days [9]. Organisations operating across multiple EU jurisdictions should check whether other transpositions impose different retention periods — the Croatian 90-day floor applies only to entities covered under Croatian law.
4. Mandatory self-assessment for important entities. NIS2’s text does not require important entities to conduct formal self-assessments — audit requirements at EU level target mainly essential entities. Croatia’s Cybersecurity Act adds a biennial self-assessment requirement for important entities, backed by a formal Declaration of Conformity submitted to the competent authority [10]. This declaration functions as an auditable record and can trigger a full external audit if non-compliance is suspected or if an incident occurs. Important entities should treat this as a standing obligation, not a one-off exercise.
5. Physical security requirements for data centres. Croatia’s Cybersecurity Regulation includes a dedicated annex specifying physical security measures for entities in the Digital Infrastructure sector: perimeter controls, physical access logging, and environmental monitoring standards [9]. These requirements go beyond the general physical security reference in NIS2 Article 21’s security measures list and require documented implementation evidence rather than a policy statement alone.
Beyond these five core extras, Croatia also explicitly requires formal RTO, RPO and SDO targets (Recovery Time Objective, Recovery Point Objective, Service Delivery Objective) in business continuity plans; names advanced penetration testing methodologies, including red teaming and purple teaming, among the permissible validation methods; and extends the scope of the law to local public administration bodies and educational institutions where these are assessed as critical, two categories absent from the EU Directive’s own annexes [10].
Audit Schedule, Supervision Cycle, and Compliance Timeline
Croatia’s Cybersecurity Act sets a clearer audit cadence than the EU Directive itself [3].
Essential entities must undergo a cybersecurity audit conducted by a licensed auditor at least once every two years. The audit must cover implementation of all applicable security measures from Annex II of the Cybersecurity Act. Separately, competent authorities may conduct expert supervision proactively on a three-to-five-year cycle — meaning an essential entity may face both its own periodic audit and a regulatory supervision visit in the same compliance year.
Important entities must complete a cybersecurity self-assessment at least once every two years and submit a Declaration of Conformity to the competent authority. A full external audit is triggered only when the authority requests one — typically following an incident, a failed self-assessment declaration, or a complaint. Supervisory attention to important entities is complaint-driven rather than proactive.
Compliance timelines run from the date of formal notification. Entities notified in early 2025 under the initial categorisation round face a compliance horizon in early 2026 for security measures. The audit obligation begins from the same notification date.
For guidance on assembling the documentation package that a Croatian cybersecurity audit will examine, see the audit preparation guide.
Penalties and Enforcement Powers
Croatia mirrors the NIS2 penalty structure and adds two enforcement levers not found in the directive itself [4][10].
| Entity type | Maximum fine | Individual liability |
|---|---|---|
| Essential entities | €10,000,000 or 2% of global annual turnover, whichever is higher | €1,000–€6,000 per responsible person |
| Important entities | €7,000,000 or 1.4% of global annual turnover, whichever is higher | €500–€3,000 per responsible person |
| Public administration bodies | Subject to corrective directives; exempt from financial penalties | — |
Croatia’s Cybersecurity Act grants competent authorities two enforcement powers that exceed the EU baseline. First, the authority may withdraw the business licence of a persistently non-compliant entity. Second, it may prohibit senior management from exercising managerial duties. Both are positioned as last-resort measures, to be used only after earlier corrective steps have failed, but their availability gives Croatian authorities a deterrent that the directive’s own text lacks.
Triggering events for financial penalties include failure to implement required security measures, failure to conduct the biennial self-assessment or audit, and failure to report significant incidents within the mandatory deadlines. For the full EU-level penalty framework and how individual member states have calibrated it, see the NIS2 penalties overview.
Frequently Asked Questions
Who is Croatia’s single point of contact for cross-border NIS2 matters?
The SPOC is the Office of the National Security Council (UVNS) at spoc@uvns.hr, +385 1 4681 222. UVNS handles coordination with other EU member states’ authorities and ENISA — it does not receive incident reports from covered entities. Incident reports go to NCSC-HR or CERT.hr via PiXi.
Do I need to register on PiXi before an incident occurs?
Yes. PiXi requires NIAS authentication, which takes time to set up. Organisations that wait until they have an active incident to create their credentials risk missing the 24-hour early warning deadline. NIAS registration should be completed as part of initial NIS2 compliance onboarding.
Does Croatia’s NIS2 framework apply to domain name registration service providers?
No. Domain name registration service providers are included in EU NIS2 Annex I but were explicitly excluded from Croatia’s Cybersecurity Act scope [10]. Croatian domain registrars do not fall under the national NIS2 framework.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- [1] “NIS2 Transposition” — NCSC-HR (official)
- [2] “About Us” — NCSC-HR (official)
- [3] “Cybersecurity Act” — NCSC-HR (official)
- [4] “NIS2 Directive — Croatia” — European Commission (official, updated 7 July 2025)
- [5] “Article 8: Competent Authorities and Single Points of Contact” — NIS2 Directive 2022/2555
- [6] “Article 23: Incident Notification Obligations” — NIS2 Directive 2022/2555
- [7] “EU NIS2 in Croatia” — OpenKRITIS
- [8] “Croatia NIS2 Requirements” — NIS2Certification.eu
- [9] “Croatia NIS2 Cybersecurity Regulation” — Advisera
- [10] “Croatia Cybersecurity Act vs NIS 2” — Advisera
Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.
