Croatia NIS2 penalties and enforcement — ZSIS fine powers and management liability explained

Croatia NIS2 Fines Reach €10M: ZSIS Powers, Personal Liability Up to €6,000, and How to Stay Compliant

Croatia passed its Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, NN 14/24) on 15 February 2024 — one of four EU member states, alongside Belgium, Italy, and Lithuania, to fully transpose the NIS2 Directive before the October 2024 deadline. The Regulation on Cybersecurity (NN 135/2024) followed in November 2024, and by mid-2025 ZSIS had commenced active supervisory audits. For organisations operating in Croatia, the NIS2 penalty framework is not a future risk — it is a present enforcement reality.

This guide covers the exact fine structure under Croatian law, the two-band management personal liability structure most analyses overlook, ZSIS’s full inspection toolkit, the enforcement timeline already active, sector-specific priorities across tourism, maritime, and energy, and the administrative law pathway for challenging a ZSIS decision.

Who Is Covered — Scope and Entity Classification

Croatia’s Cybersecurity Act covers entities across all sectors listed in Annexes I and II of the NIS2 Directive. The Croatian framework is estimated to apply to approximately 8,000–10,000 entities — a substantial expansion from the NIS1 regime that previously regulated only a few hundred.

| Classification | Typical sectors | Size threshold | Oversight frequency |
|---|---|---|---|
| Essential entity | Energy, banking, healthcare, water supply, digital infrastructure, maritime transport, public administration | Large enterprise (250+ employees or €50M+ turnover), or designated regardless of size for systemic risk | Biennial audits mandatory |
| Important entity | Postal services, waste management, chemicals, food, manufacturing, digital platforms, transport sub-sectors | Medium enterprise (50+ employees or €10M+ turnover) | 3–5 year inspection cycle |
| Public authority | State and local government bodies within scope | All public bodies in scope | Binding corrective directives only — no monetary fines |

Competent authorities were required to notify entities of their essential or important classification by April 2025. That notification starts a 12-month compliance clock — for most notified entities, this means a hard compliance deadline of April 2026. Organisations that have not received a notification but believe they qualify should contact ZSIS or their relevant sector ministry proactively. Waiting to be found carries higher regulatory risk than self-identifying early.


Sector-specific enforcement authority is distributed across several bodies: HANFA oversees financial services entities, HERA supervises energy operators, and the Ministry of Transport holds responsibility for maritime and transport operators. Each coordinates with ZSIS for enforcement actions that cross sector lines. For most non-financial, non-energy organisations, ZSIS is the primary point of contact for compliance obligations and audit scheduling.

Croatia’s NIS2 Fine Structure — Essential vs Important Entities

The Croatian Cybersecurity Act does not simply copy the NIS2 Directive’s maximum thresholds. It adds minimum fine floors — a deliberate design choice that prevents symbolic enforcement against large organisations capable of absorbing small flat penalties without operational consequence.

| Entity type | Minimum fine | Maximum fine | Turnover alternative | Triggered by violations of |
|---|---|---|---|---|
| Essential | €10,000 | €10,000,000 | 0.5–2% of global annual turnover | Articles 21 or 23, Directive 2022/2555 |
| Important | €5,000 | €7,000,000 | 0.2–1.4% of global annual turnover | Articles 21 or 23, Directive 2022/2555 |
| Public authority | Binding corrective directives only; no financial penalty | | | |

The “whichever is higher” rule between the fixed cap and the turnover percentage operates progressively. An essential entity with €80 million in global turnover that fails an Article 21 security measure audit faces a potential maximum fine of €1.6 million under the 2% cap — not the nominal €10 million ceiling. At €600 million in global turnover, the 2% cap returns the full €10 million maximum. The structure scales enforcement exposure proportionally to economic size, eliminating the perverse incentive where a larger organisation pays less in relative terms.

Article 34 of the NIS2 Directive requires that fines be “effective, proportionate and dissuasive.” Croatia’s minimum floors — €10,000 for essential entities, €5,000 for important entities — are its legislative answer to that standard. Even a procedurally minor violation carries a floor with real financial consequence.

The public sector carve-out is frequently overlooked. State and local government bodies classified as essential or important are not subject to monetary penalties. They receive binding corrective instructions instead. This exemption does not extend to publicly-owned commercial enterprises operating as separate legal entities — those follow the same fine structure as private operators in their entity class. A state-owned port authority operating as a commercial entity is subject to the full essential-entity fine range.

For a comparative perspective on how Croatia’s approach differs from other transposing states, see the Germany NIS2 penalties guide — the management liability figures diverge significantly between the two implementations.

Management Personal Liability — Croatia’s Two-Band Structure

Article 32(6) of the NIS2 Directive requires member states to ensure that natural persons responsible for essential entities — or acting as their legal representatives — can be held personally liable for failing to ensure the organisation’s compliance. Croatia implements this through a two-band structure that distinguishes personal exposure by entity classification, a detail most country-level commentaries treat as a single undifferentiated liability.

| Liability type | Essential entity | Important entity |
|---|---|---|
| Individual financial fine | €1,000 – €6,000 per person | €500 – €3,000 per person |
| Board sign-off obligation | Mandatory: cybersecurity strategy requires board approval before implementation | Oversight obligation applies |
| Disqualification exposure | Temporary ban on management functions for repeated negligence | Subject to competent authority instruction |
| Organisational fine independence | Individual fine applies simultaneously with organisational fine — both can appear in one enforcement decision | Same |

The €6,000 individual cap for essential entity managers is, in financial terms, one of the more constrained personal liability ceilings among EU member states that have transposed NIS2 with explicit individual fine bands. Some peer implementations set notably higher manager-facing maximums. Croatia’s figure represents a moderate approach to personal financial accountability — but the financial fine is not where personal exposure actually concentrates.

The board approval requirement carries greater operational weight. Management must personally approve the organisation’s cybersecurity strategy before it takes effect. That approval creates a signed accountability record that ZSIS inspectors look for directly in any supervisory audit. If the record is missing, the deficiency registers as a governance failure — not a technical gap — and it elevates the severity assessment in any associated fine calculation. Repeated governance negligence findings trigger temporary management disqualification from office, an outcome that is independent of, and not bounded by, any financial penalty limit.

The dual-fine structure matters practically: an essential entity can simultaneously receive an organisational penalty up to €10 million while its responsible managers each face individual fines between €1,000 and €6,000. Both apply in the same enforcement decision. The personal fine is modest; the career exposure from a disqualification finding is not.

ZSIS Enforcement Powers — What the Inspector Can Actually Do

ZSIS (Zavod za sigurnost informacijskih sustava, Information Systems Security Bureau) is Croatia’s primary NIS2 competent authority for most regulated sectors, coordinating with NCSC-HR (hosted by the Security and Intelligence Agency, SOA) and CERT.hr for incident response. The enforcement toolkit is materially different for essential and important entities.

For essential entities — Article 32 supervisory powers:

  • On-site inspections and random checks: ZSIS can conduct unannounced visits by trained inspectors. These assess real operational security posture, not just documentation completeness.
  • Mandatory biennial security audits: Essential entities face scheduled audits every two years regardless of incident history. Targeted audits can additionally follow a significant incident or a third-party report of non-compliance.
  • Information demands: Competent authorities can require documentation of risk-management policies, incident logs, third-party security contracts, and evidence of Article 21 measure implementation. The statutory information response window is 15 days.
  • Binding instructions: ZSIS can issue directives requiring organisations to remediate specific deficiencies, implement audit recommendations, or notify affected parties of a significant cyber threat. Non-compliance with a binding instruction is itself an enforceable violation — not a starting point for negotiation.
  • Public disclosure orders: For serious violations, ZSIS can order the entity to publicly disclose the infringement. This reputational sanction operates independently of financial penalties and is not delayed by any appeals process unless a court grants interim relief.
  • Temporary management suspension: If binding instructions fail to achieve remediation, the competent authority can prohibit individuals from exercising management functions on a temporary basis under Article 32(5).

For important entities — Article 33 supervisory powers:

Important entities face a proportionate but still substantial framework: ex post supervision (reactive rather than systematically scheduled), targeted audits following incidents, information requests, and binding instructions. The key structural difference is that routine inspections are not automatic — ZSIS acts on signals. This makes incident reporting timeliness critical: a failure to send an initial notification within 24 hours to CERT.hr can itself trigger an ex post investigation that escalates into a full enforcement action. The Article 23 incident notification requirements are among the most common early enforcement triggers across all EU member states.

The enforcement escalation sequence: Audit finding → 30-day remediation window → if not resolved, active enforcement case. At that point, fines, public disclosure, and management restrictions become simultaneous options. Croatian law does not prescribe a sequential warning-only tier before financial penalties apply. An unresolved audit finding at day 31 is an enforcement case.

Enforcement Timeline — Active Milestones

Croatia’s enforcement timeline is already materially underway. Understanding which obligations are active versus where transition periods still apply is critical for compliance prioritisation.

| Date | Milestone | Status |
|---|---|---|
| 15 February 2024 | Cybersecurity Act (NN 14/24) enters into force | Complete |
| 30 November 2024 | Regulation on Cybersecurity (NN 135/2024) in force — sets 13 technical measure areas | Complete |
| April 2025 | Entities notified of essential / important classification by competent authorities | Complete |
| H2 2025 | First ZSIS supervisory audits commence | Active |
| April 2026 | Full compliance required — 12 months after notification (most entities) | Approaching |
| April 2028 | First mandatory biennial audit cycle completes for essential entities | Future |

The practical implication: entities that received classification notification in April 2025 are already more than halfway through their compliance window. ZSIS supervisory audits commenced in H2 2025, meaning organisations in priority sectors face inspection before their full compliance deadline. Receipt of a classification notification is the start of the compliance clock — not a signal that enforcement is still distant.

Croatia’s Regulation (NN 135/2024) goes beyond the NIS2 Directive’s minimum requirements in several technically specific areas. It mandates passwords of at least 14 characters for standard user accounts, 16 characters for privileged accounts, and 24 characters for service accounts. It requires mandatory phishing simulations. It sets a minimum 90-day log retention period. Organisations benchmarking compliance solely against the NIS2 Directive baseline will underestimate Croatia’s actual technical requirements and face findings on provisions that have no equivalent in the directive text.
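As an added illustration (not from the regulation or from ZSIS), the following script turns the three password-length floors and the 90-day retention minimum quoted above into a gap check that an operator can run against an export of its own password policies and log sources. The policy and log-source field names, the account-class labels, and the sample configuration are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Minima quoted on this page for NN 135/2024: 14 / 16 / 24 characters and 90-day logs.
MIN_PASSWORD_LENGTH = {"standard": 14, "privileged": 16, "service": 24}
MIN_LOG_RETENTION_DAYS = 90


@dataclass(frozen=True)
class PasswordPolicy:
    """One configured password policy (field names assumed, not regulatory terms)."""
    name: str           # e.g. an AD fine-grained password policy name
    account_class: str  # "standard", "privileged" or "service"
    min_length: int     # configured minimum length
    accounts: int       # number of accounts the policy applies to


@dataclass(frozen=True)
class LogSource:
    """One log source and how long its records are kept."""
    name: str
    retention_days: int


def check_password_policies(policies):
    """Return (name, kind, detail) for every policy below its floor or with an unknown class."""
    findings = []
    for p in policies:
        required = MIN_PASSWORD_LENGTH.get(p.account_class)
        if required is None:
            # An unmapped class cannot be shown compliant; flag it rather than skip it.
            findings.append((p.name, "unclassified",
                             f"account class '{p.account_class}' has no mapped floor"))
        elif p.min_length < required:
            findings.append((p.name, "password-length",
                             f"{p.account_class} min_length {p.min_length} < {required} "
                             f"({p.accounts} accounts affected)"))
    return findings


def check_log_retention(sources):
    """Return a finding for every log source retained for fewer than 90 days."""
    return [(s.name, "log-retention",
             f"retention {s.retention_days} days < {MIN_LOG_RETENTION_DAYS}")
            for s in sources if s.retention_days < MIN_LOG_RETENTION_DAYS]


def assess(policies, sources):
    """Combined gap list for the two NN 135/2024 items the page quantifies."""
    return check_password_policies(policies) + check_log_retention(sources)


# Constructed sample: meets a generic 12-character baseline but not the Croatian floors.
SAMPLE_POLICIES = [
    PasswordPolicy("Default Domain Policy", "standard", 12, 1800),
    PasswordPolicy("Tier0-Admins", "privileged", 16, 25),
    PasswordPolicy("Service-Accounts", "service", 16, 140),
]
SAMPLE_SOURCES = [LogSource("firewall-syslog", 90), LogSource("ad-security-log", 30)]

if __name__ == "__main__":
    for name, kind, detail in assess(SAMPLE_POLICIES, SAMPLE_SOURCES):
        print(f"[{kind}] {name}: {detail}")
```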

Sector Enforcement Priorities — Tourism, Maritime, and Energy

ZSIS’s enforcement attention is not distributed evenly across Croatia’s 8,000–10,000 regulated entities. Three sectors face heightened scrutiny based on economic significance, cross-border incident risk, and systemic exposure in Croatia’s national infrastructure profile.

Maritime transport: Croatia’s Adriatic coastline supports major ferry routes, commercial port operations, and international shipping companies. Maritime transport operators fall under essential entity classification in NIS2 Annex I. The Ministry of Transport holds sector-specific supervisory responsibility in coordination with ZSIS. Croatian port operators and maritime transport companies meeting the large-enterprise size threshold should assume placement in the first wave of essential entity audits. The sector’s cross-border incident potential — a cybersecurity failure affecting Adriatic ferry routes has implications beyond Croatian national borders — makes it a natural early-enforcement priority under NIS2’s systemic risk framework.

Energy: Croatia’s energy sector — electricity, gas, and district heating operators, as well as LNG and hydrogen infrastructure added under the expanded NIS2 scope — falls under essential entity classification with HERA acting as sectoral competent authority in coordination with ZSIS. The inclusion of LNG and hydrogen infrastructure is an expansion beyond the NIS1 baseline. Energy operators in these sub-sectors that were not previously regulated face a particularly compressed timeline relative to their compliance gap: newer to regulation, yet subject to the same April 2026 deadline and biennial audit cycle as long-regulated incumbents.

Tourism-adjacent digital services: Tourism contributes approximately 19% of Croatia’s GDP. Tourism as a named sector is not a separate Annex I or II category under NIS2 — but digital platform operators and online marketplace providers in the hospitality ecosystem that meet the medium-enterprise size threshold do fall within scope as important entities under the digital services classification. The compliance question for a Croatian accommodation platform or travel reservation system is not “do the tourism rules apply?” but “does this operator qualify as a digital platform provider under the medium-enterprise threshold?” If yes, the full important-entity obligation set applies regardless of the operator’s self-identification as a tourism business.

Challenging a ZSIS Decision — The Administrative Appeals Pathway

Croatian administrative law governs how entities can challenge ZSIS enforcement decisions, including inspection findings, binding instructions, and fine assessments. The General Administrative Procedure Act (Zakon o općem upravnom postupku, ZUP) provides the procedural baseline, with the specific rights of challenge depending on the nature and form of the decision issued.

Step 1 — Internal review within the competent authority: A formal ZSIS enforcement decision can first be challenged by filing a written objection or complaint with the issuing authority. This triggers a formal review within ZSIS or the relevant sectoral competent authority. Response timelines follow ZUP’s general procedural provisions; information request responses carry a statutory 15-day window.

Step 2 — Administrative appeal to the Ministry: If internal review does not resolve the challenge, the entity can appeal to the relevant Ministry with supervisory oversight for the sector (Ministry of Digital Transformation for most entities; sector-specific ministry for energy, transport, finance). In Croatian administrative law, exhaustion of this administrative remedy is generally required before a court challenge becomes available.

Step 3 — Administrative court challenge: Following exhaustion of administrative remedies, the entity can file an action with the Administrative Court (Upravni sud). Appeals against Administrative Court decisions proceed to the High Administrative Court (Visoki upravni sud). These proceedings typically take months to resolve.

A critical operational point: filing a challenge does not automatically suspend enforcement of the ZSIS decision. Under Croatian administrative law, enforcement continues during the appeals process unless the Administrative Court grants an interim suspension order. Organisations that believe a decision is legally flawed should simultaneously comply with the binding instruction — to avoid accruing additional violations during the challenge period — while pursuing the legal remedy in parallel. Treating an appeal as an automatic pause on compliance obligations is a mistake that compounds the original finding.

No published ZSIS enforcement decisions under the 2024 Cybersecurity Act are yet publicly available, as the enforcement programme is in its early operational phase. The procedural pathway described above reflects Croatia’s ZUP framework as applied to administrative enforcement decisions generally. Specific procedural nuances may emerge as ZSIS’s enforcement practice develops under the new regime.

Key Takeaways and Compliance Priorities

Croatia’s NIS2 enforcement framework is active. The essential facts for planning:

  • Essential entity fines: €10,000 floor to €10M or 2% of global turnover — the turnover cap is the binding ceiling for large organisations
  • Important entity fines: €5,000 floor to €7M or 1.4% of global turnover
  • Management personal liability: €1,000–€6,000 (essential) or €500–€3,000 (important) — plus disqualification risk for repeated negligence
  • ZSIS can conduct unannounced on-site inspections of essential entities; important entities face ex post supervision triggered by incidents
  • The 30-day remediation window after an audit finding is the last off-ramp before an active enforcement case opens
  • Croatia’s NN 135/2024 regulation exceeds EU minimums on password policy, phishing simulation requirements, and log retention
  • Appeals against ZSIS decisions follow ZUP procedure but do not automatically suspend enforcement

Three priority actions before April 2026:

  1. Confirm your entity classification — essential or important — and verify receipt of formal notification from the competent authority. If no notification has arrived, contact ZSIS proactively.
  2. Document board-level cybersecurity strategy approval. This is the single audit evidence item most likely to be checked first in a ZSIS inspection. The absence of a signed board record is a governance failure, not a technicality.
  3. Assess your Article 21(2) compliance gap across all ten security measure domains, beginning with risk assessment and working through the full compliance checklist. Incident handling and business continuity are the areas where ZSIS findings are most likely to generate rapid escalation.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Frequently Asked Questions

Who is ZSIS and what is its enforcement role under Croatian NIS2 law?

ZSIS (Information Systems Security Bureau, Zavod za sigurnost informacijskih sustava) is Croatia’s primary NIS2 competent authority for most regulated sectors. It conducts supervisory audits of essential entities, issues binding instructions, coordinates incident response with CERT.hr, and initiates enforcement proceedings leading to fines. ZSIS coordinates with NCSC-HR, HANFA (financial services), HERA (energy), and the Ministry of Transport for sector-specific enforcement. Its supervisory powers mirror Articles 32 and 33 of the NIS2 Directive as transposed into Croatian law.

What is the compliance deadline for organisations classified under Croatian NIS2?

Most entities that received their classification notification in April 2025 face a 12-month compliance window, placing their full compliance deadline at April 2026. The first mandatory biennial audit cycle for essential entities begins in April 2028. However, ZSIS supervisory audits began in H2 2025 — before the compliance deadline — meaning organisations in priority sectors face inspection while they are still in their compliance transition period.

Can a manager be personally fined even if the organisation also pays a penalty?

Yes. Croatian law allows simultaneous fines against the organisation and the responsible natural person. An essential entity facing an organisational fine can also have its responsible managers individually fined between €1,000 and €6,000 in the same enforcement decision. The two sanctions are legally independent and additive, not alternative.

What typically triggers a ZSIS on-site inspection?

For essential entities, mandatory biennial audits are scheduled regardless of compliance status or incident history. Unannounced on-site inspections can additionally be triggered by a significant reported incident, intelligence from CERT.hr indicating a security failure, a third-party complaint, or a routine supervisory calendar action. For important entities, inspections are typically triggered reactively — by a reported incident, a failure to provide information within the 15-day response window, or an identified non-compliance signal. A failure to submit an initial incident notification within 24 hours is one of the most common ex post investigation triggers for important entities.
