
NIS2 in Croatia: ZSIS Registration, the Cybersecurity Act, and Compliance Deadlines Your Organisation Must Meet

Croatia recorded 29.25 million tourist arrivals in 2024. The digital systems behind those visits (booking platforms, property management software, marina reservations, point-of-sale networks) may now fall under binding cybersecurity law. For Croatian organisations and EU entities with Croatian operations, the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti) entered into force on 15 February 2024, transposing the NIS2 Directive (EU) 2022/2555 into national law and expanding the regulated entity count from roughly 1,000 to an estimated 8,000–10,000 organisations.

The Act is not a formality. The official list of essential and important entities was published on 31 January 2025, and supervisory audits begin in the second half of 2025. Organisations that have not yet assessed their status are already behind.

This guide covers who is affected, how Croatia’s three-body oversight structure works, what the Cybersecurity Act requires, and the compliance timeline you need to meet.

Does This Apply to Your Organisation?

Croatia’s Cybersecurity Act classifies regulated entities as either essential or important, using sector membership and size thresholds derived from the NIS2 Directive. The Act adds three sector categories beyond the EU baseline: educational institutions assessed as critical to societal activities, local government bodies assessed as crucial for economic function, and ICT service management providers.

Classification | Employee threshold | Annual turnover
Essential entity | ≥ 250 employees | ≥ €50 million
Important entity | ≥ 50 employees | ≥ €10 million
Automatic essential (size irrelevant) | Telcos, DNS providers, cloud services, trust service providers, top-level domain registries

A simple applicability check: is your organisation active in one of the 19 sectors and 15 subsectors listed in Annex III of the Croatian Cybersecurity Act? If yes, does it meet either the employee or the turnover threshold above? The thresholds follow the EU SME definition (Recommendation 2003/361/EC) that NIS2 relies on: an entity crosses a tier on headcount alone, or on turnover taken together with balance sheet total, so a small headcount does not by itself keep a high-revenue business out of scope. If both answers are yes, you are almost certainly subject to the Act. Organisations that provide critical services (managed security, port logistics, energy grid management) may be classified regardless of size based on service criticality.

Critically, Croatia does not rely on self-registration. The National Cyber Security Centre (NCSC-HR) identifies and notifies entities directly. If you received a formal notification, you are in scope. If you have not yet received one but believe you meet the criteria, contact the relevant sectoral authority proactively — waiting for notification does not pause the compliance clock.

Croatia’s NIS2 Oversight Structure: NCSC-HR, ZSIS, and CERT.hr

One of the most common sources of confusion in Croatian NIS2 compliance is the multi-body oversight structure. Three distinct organisations share cybersecurity responsibilities, each with a defined lane.

NCSC-HR (National Cyber Security Centre) operates within the Croatian Security and Intelligence Agency (SOA). It is the central coordination authority for NIS2 implementation, maintains the official registry of essential and important entities, and functions as the national CSIRT for 15 of Croatia’s covered sectors. NCSC-HR is also responsible for issuing the formal entity classification notifications. The Office of the National Security Council (UVNS) serves as Croatia’s single point of contact for EU-level coordination — reachable at spoc@uvns.hr.

ZSIS (Zavod za sigurnost informacijskih sustava — Information Systems Security Bureau) is Croatia’s long-established technical information security authority for state bodies. ZSIS is responsible for information security standards, security accreditation of state information systems, and managing cryptographic materials used in classified exchange between Croatian state bodies and foreign governments and organisations. Under Croatia’s NIS2 structure, ZSIS is the designated CSIRT for the energy, transport, health, water, and public administration sectors — the heaviest-regulated critical infrastructure segments. Incident reports from entities in these sectors route to ZSIS.

CERT.hr, embedded within CARNET (the Croatian Academic and Research Network), is the CSIRT for banking, financial market infrastructure, digital infrastructure, education, and research sectors. CERT.hr also operates PiXi, the mandatory incident reporting platform used across all covered entities.

Sectoral competent authorities exercise direct oversight over regulated entities in their domains. The most relevant for Croatian industry:

Sector | Competent authority
Energy and water | Ministry of Economy and Sustainable Development
Transport (including maritime) | Ministry of the Sea, Transport and Infrastructure
Banking | Croatian National Bank (CNB)
Financial market infrastructure | Croatian Financial Services Supervisory Agency (HANFA)
Civil aviation | Croatian Civil Aviation Agency (HACZ)
Electronic communications | Croatian Regulatory Authority for Network Industries (HAKOM)
Trust services | Central State Office for the Development of Digital Society (SDURDD)
Education and research | Ministry of Science and Education (MZO)
Health | Ministry of Health

The National Cyber-security Council (NVKS) sits above this structure and sets the strategic policy framework. Organisations receiving a supervisory inquiry will deal with their sectoral authority on compliance matters — not NCSC-HR directly, unless no dedicated sectoral authority has been assigned.

The Croatian Cybersecurity Act and Regulation: What Changed

Croatia’s transposition replaced the 2018 NIS1 legislation entirely. The Cybersecurity Act (Official Gazette No. 14/24), in force from 15 February 2024, sets out the legal framework: entity categories, competent authorities, supervisory powers, incident reporting obligations, and sanctions. It is the primary law your legal team needs to reference.

The implementing Regulation on Cybersecurity (Official Gazette No. 135/24), effective 22 November 2024, runs to more than 40,000 words across eight parts and four annexes. The Regulation is where the operational detail lives: risk classification criteria, specific security measures per risk tier, incident reporting procedures, self-assessment methodology, and audit requirements. Any Croatian compliance programme that only references the Act without the Regulation is missing the substance of what authorities will check.

Key changes from the prior NIS1 regime:

  • Entity count expanded from approximately 1,000 to an estimated 8,000–10,000 organisations
  • Three new sectors added beyond the EU NIS2 baseline: education, local government, and ICT service management
  • Mandatory audits of essential entities at least every two years, inside a three-to-five-year supervisory review cycle; NIS1 had no comparable audit obligation
  • Self-assessment requirement for important entities every two years — a Croatian addition with no direct NIS2 equivalent
  • Management personal liability provisions: competent authorities can now withdraw business licences and ban top management from performing managerial duties for compliance failures

Why Croatia’s Economy Creates Broader NIS2 Exposure

Croatia’s economic structure places three sectors at disproportionately high NIS2 risk, and all three are under-discussed in most compliance assessments of the Croatian market.

Tourism and hospitality. Tourism contributes roughly 26% of Croatia’s GDP when direct and indirect contributions are measured, one of the highest ratios in the EU. In 2024, the country recorded 29.25 million arrivals generating over $16 billion in visitor spending. The digital infrastructure serving this volume is substantial: property management systems, hotel booking platforms, point-of-sale networks, marina reservation systems, and the payment processing chains connecting them. Many of these operators qualify as important entities under the Cybersecurity Act through size thresholds. Their IT vendors, the managed service providers and cloud hosting companies serving the sector, may qualify regardless of size. A cyber incident during the Adriatic summer peak season carries serious business continuity implications, and business continuity is one of the 13 security domains in Annex II of the Cybersecurity Regulation, so it is audited, not merely recommended.

Adriatic maritime operations. Croatia’s extensive Adriatic coastline and port network place port authorities, terminal operators, and shipping companies squarely within the transport sector of Annex I to the Directive (Article 3 then sorts them into essential or important entities by size and criticality). Under Croatian law, the Ministry of the Sea, Transport and Infrastructure is the designated competent authority for this sector. ENISA’s Guidelines – Cyber Risk Management for Ports (published in 2020 under the original NIS framework, but structured around the same risk-management approach that NIS2 Article 21 now mandates) identify port authorities and terminal operators as the primary entities requiring structured cybersecurity risk programmes. The CRESPORT project, a cross-border EU cooperation initiative between Italian and Croatian Adriatic port authorities, is currently developing a comparative best-practice framework and conducting resilience testing specifically targeting NIS2 compliance. Croatian port operators active on this project are already building the compliance infrastructure; those who are not may face audit findings when supervision begins.

Energy and the Krško cross-border link. Croatia co-owns the Krško Nuclear Power Plant with Slovenia through a 50/50 arrangement between Croatia’s HEP Group and Slovenia’s GEN Energija. The plant operates a single 696 MWe Westinghouse pressurised water reactor and supplies Croatia with half its output under an agreement that runs until the licence expiry in 2043. Because NIS2 explicitly covers energy sector critical infrastructure, and because Krško operates across two EU member states, cybersecurity incidents at any point in the shared operational chain have bilateral implications. Both countries must implement NIS2 — Slovenia also transposed the Directive — but the cross-border operational dependency means that supply chain security under Article 21(2)(d) is not a theoretical obligation for Croatian energy entities: it directly applies to the nuclear plant’s IT/OT integration with both national grid operators.

Security Obligations: Croatia’s 13 Domains and What Goes Beyond NIS2

The Croatian Cybersecurity Regulation organises security obligations into 13 domains in Annex II. Each entity receives a risk classification — low, medium, or high — which determines which measures are mandatory (A), conditional (B), or voluntary (C). Higher-risk entities face a larger mandatory obligation set.

The 13 security domains are:

  1. Leadership responsibility — governance, accountability, and management sign-off on cybersecurity strategy
  2. Asset management — inventory of hardware, software, and data assets; classification by criticality
  3. Risk management — documented risk assessment methodology, reviewed at defined intervals
  4. Human resources security — onboarding, offboarding, awareness training, and background verification
  5. Cyber hygiene — patch management, software lifecycle, secure configuration baselines
  6. Network security — network segmentation, monitoring, perimeter controls
  7. Access controls — identity and access management, privileged access, authentication standards
  8. Supply chain security — third-party risk, contractual cybersecurity obligations, vendor assurance
  9. Systems development security — secure development lifecycle, testing, vulnerability management
  10. Cryptography — encryption standards, key management, TLS configuration
  11. Incident handling — detection, response, reporting, and post-incident review
  12. Business continuity — backup, recovery, disaster recovery testing, resilience planning
  13. Physical security — facility access controls, environmental protection, hardware security

Croatia’s Regulation goes beyond the EU baseline in five technical areas that organisations frequently underestimate. Note the comparison point: Commission Implementing Regulation (EU) 2024/2690 only binds digital infrastructure and digital service providers (DNS and TLD operators, cloud, data centre and CDN providers, managed service and managed security service providers, online marketplaces, search engines, social networks, trust service providers); for every other sector the EU baseline is Article 21 of the Directive itself. The Croatian Regulation exceeds both on these points:

  • Password minimums: 14 characters for standard accounts; 16 for privileged accounts; 24 for service accounts
  • Phishing simulations: mandatory — not merely recommended
  • Log retention: minimum 90 days
  • Endpoint security: advanced endpoint protection tools required (not just antivirus)
  • Self-assessment cadence: important entities must formally self-assess every two years — a Croatian addition with no direct NIS2 equivalent

Organisations that have already benchmarked against the EU NIS2 baseline may still fall short of Croatian requirements on these five points. A gap assessment against Annex II of the Croatian Cybersecurity Regulation specifically, not just against the Directive, is necessary.

Incident Reporting: PiXi, Timelines, and What Counts as Significant

When a significant cyber incident occurs, Croatian law mandates reporting through PiXi — an incident reporting platform operated by CARNET, accessible via NIAS authentication. All covered entities must use PiXi; alternative reporting channels do not satisfy the obligation.

The reporting timeline follows the NIS2 Directive structure:

Report type | Deadline | Contents
Early warning | Within 24 hours of becoming aware of the significant incident | Notification that a significant incident has occurred; whether it is suspected to be caused by unlawful or malicious acts; whether it could have a cross-border impact
Incident notification | Within 72 hours of becoming aware | Updates the early warning: initial assessment of severity and impact, indicators of compromise where available
Final report | Within one month of submitting the incident notification (roughly 30 days after the 72-hour report, not after detection) | Detailed description of the incident, type of threat or root cause, mitigation measures applied and ongoing, cross-border impact where applicable

Two details of the Directive’s Article 23 structure are easy to miss: the CSIRT or competent authority may request intermediate status updates at any point, and if the incident is still ongoing when the final report falls due, a progress report is submitted instead and the final report follows within one month of the incident being handled.

Reports route to your CSIRT based on sector: ZSIS receives reports from energy, transport, health, water, and public administration entities; CERT.hr receives reports from banking, financial, digital infrastructure, and education entities. The Regulation on Cybersecurity defines what constitutes a "significant incident" — the determining factors include number of users affected, duration of disruption, geographic scope, and degree of service disruption. If in doubt, report early: a 24-hour early warning is non-committal and protects you from a reporting failure finding.

Supply chain incidents trigger the same obligations. If a third-party vendor or managed service provider suffers a breach that affects your organisation’s services or data, the reporting obligation for the impact on your services rests with you as the covered entity; the vendor’s own NIS2 obligations, if it has any, do not discharge yours. Contracts with such vendors should therefore require breach notification fast enough for you to meet the 24-hour early warning.

Registration, Timeline, and Key Compliance Milestones

Unlike most EU member states where entities self-register, Croatia uses a top-down categorisation model. NCSC-HR compiles the entity list and issues formal notifications. You do not register yourself — you receive notification.

Milestone | Date
Cybersecurity Act in force | 15 February 2024
Regulation on Cybersecurity effective | 22 November 2024
Official entity list published | 31 January 2025
Authority list finalised | 15 February 2025
Post-notification response window | 15–45 days (submit organisation details)
Full compliance deadline | Within 12 months of notification
Supervisory audits commence | H2 2025 (ongoing)

Once you receive a formal notification, you have 15 to 45 days to submit your organisation’s details: registered name and service overview, establishment address and contact information, the EU member states where your services operate, and your IP address ranges. This information feeds directly into the national entity registry maintained by NCSC-HR.

The 12-month implementation window is the time to complete your risk assessment, implement the required security measures, and document everything to audit-ready standard. For organisations notified in early 2025 the window is already largely consumed: the compliance clock started at notification, not at the first audit.

Audits, Self-Assessments, and Management Accountability

Croatia’s supervisory model uses different mechanisms for essential and important entities.

Essential entities face mandatory audits at least every two years, with the competent authority conducting supervision reviews every three to five years. ZSIS and sectoral authorities can conduct both scheduled audits and unannounced inspections. Audit findings trigger a 30-day remediation window; failure to remediate within that window can result in fines and further escalation.

Important entities perform a formal cybersecurity self-assessment at least every two years. The self-assessment is not a checkbox exercise — it follows the framework set out in the Regulation and must be documented in a way that would satisfy competent authority review. The authority may require an audit in place of a self-assessment if prior compliance concerns exist or if an incident has occurred.

Croatian management accountability goes further than most EU member states. Where an essential entity fails to take corrective action after an audit finding, the competent authority may:

  • Withdraw the organisation’s business licence temporarily or permanently
  • Prohibit members of top management from performing managerial duties

This means cybersecurity compliance in Croatia is not solely a CTO or CISO problem. Board members and C-suite executives carry personal exposure. Personal fines for management personnel range from €500 to €6,000 depending on entity category (see the penalty table below), separate from the entity-level administrative fine. Boards that have not formally assigned cybersecurity accountability and documented governance decisions are more exposed than those that have.

Penalties and Enforcement

Croatia implements the NIS2 Directive’s maximum fine tiers in full, with specific minimum thresholds added in the national Regulation.

Infringement type | Essential entities | Important entities
Primary compliance failure (Articles 21 / 23) | €10,000 – €10,000,000 or 0.5%–2% of global annual turnover (whichever is higher) | €5,000 – €7,000,000 or 0.2%–1.4% of global annual turnover (whichever is higher)
Withholding information from competent authority | €2,000 – €20,000 (both categories)
Management personal liability | €500 – €3,000 | €1,000 – €6,000
Public sector bodies | Corrective orders only; no monetary fines applicable (both categories)

The enforcement mechanism differs by entity type. Essential entities face proactive supervision: the competent authority actively monitors and audits regardless of whether an incident has occurred. Important entities face primarily reactive supervision — audits are typically triggered by an incident, a complaint, or non-compliance indicators. However, the self-assessment obligation means important entities cannot simply rely on not being audited; a non-compliant self-assessment is itself an audit trigger.

The percentages in the fine structure apply to worldwide annual turnover of the undertaking the entity belongs to — not just the Croatian subsidiary. A Croatian subsidiary of a large multinational carries the global revenue base into the penalty calculation, which can produce fines significantly larger than the nominal €10 million cap.

Frequently Asked Questions

When exactly did Croatia’s NIS2 law enter into force?
The Croatian Cybersecurity Act (Official Gazette No. 14/24) entered into force on 15 February 2024. The implementing Regulation on Cybersecurity (Official Gazette No. 135/24), which specifies the detailed technical and procedural requirements, became effective on 22 November 2024. Both documents together constitute the operative compliance framework.

Is ZSIS the competent authority or the CSIRT?
ZSIS (Zavod za sigurnost informacijskih sustava — Information Systems Security Bureau) functions as the designated CSIRT for energy, transport, health, water, and public administration sectors under the Croatian NIS2 structure. It is Croatia’s long-established technical information security authority for state bodies, responsible for security accreditation and cryptographic standards for government systems. Separate sectoral ministries are the competent authorities for their respective sectors; NCSC-HR within SOA is the central coordination body and CSIRT for the remaining 15 covered sectors.

Does my Croatian subsidiary need to comply separately?
Yes. Croatian law holds each legal entity separately accountable, including subsidiaries. If your Croatian subsidiary meets the sector and size criteria, it must comply as an independent entity — it cannot rely on a parent company’s compliance programme in another member state. This also means the Croatian entity must submit its own details to NCSC-HR and maintain its own documentation trail.

Does the law cover tourism and hospitality operators?
The Croatian Cybersecurity Act does not include hospitality as a standalone sector. However, large hotel groups, marina operators, and online travel platforms may qualify as important entities through the digital infrastructure provisions or through their size thresholds. IT vendors serving the tourism sector — managed service providers, property management software companies, payment processor integrations — may qualify as important entities regardless of size depending on the criticality of their services. The key question is whether your services are critical to other regulated entities, not whether tourism itself is named in the law.

Key Takeaways

  • Croatia’s Cybersecurity Act is in force since February 2024. The entity list was published January 2025. Audits begin H2 2025.
  • You do not self-register — NCSC-HR notifies you. If you meet the criteria and have not been notified, contact your sectoral authority.
  • Three bodies share CSIRT responsibility: ZSIS (critical infrastructure sectors), CERT.hr/CARNET (banking/finance/digital), and NCSC-HR (remaining sectors). Incident reports route to the correct body based on your sector.
  • Croatia adds five requirements beyond the EU NIS2 baseline: stricter password minimums, mandatory phishing simulations, 90-day log retention, advanced endpoint security, and biennial self-assessment for important entities.
  • Incident reports go to PiXi (CARNET platform). The 24-hour early warning and 72-hour incident notification run from the moment you become aware of a significant incident; the final report is due one month after the 72-hour notification.
  • Management personal liability is real. Boards that have not formalised cybersecurity governance carry personal exposure, separate from entity-level fines.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.



Sources

  1. Directive (EU) 2022/2555 (NIS2 Directive) — EUR-Lex. Articles 21, 23, 34. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
  2. NIS2 Directive Implementation in Croatia — European Commission, Digital Strategy.
  3. NIS2 Transposition — National Cyber Security Centre Croatia (NCSC-HR).
  4. EU NIS2 in Croatia — OpenKRITIS.
  5. NIS2 Compliance in Croatia — ISMS.online.
  6. NIS2 in Croatia: Overview of the Cybersecurity Regulation — Advisera.
  7. How Croatia’s Cybersecurity Act Aligns with NIS2 — Advisera.
  8. NIS2 Croatia Requirements and Certification — NIS2Certification.eu.
  9. NIS2 Regulations in Croatia — Copla.
  10. ZSIS — Information Systems Security Bureau — UNIDIR Cyber Policy Portal.
  11. Nuclear Power in Slovenia — World Nuclear Association.
  12. Guidelines — Cyber Risk Management for Ports — ENISA. https://www.enisa.europa.eu/publications/guidelines-cyber-risk-management-for-ports
