Skip to content
TsunamiDigital

DORA in Croatia: digital resilience for financial firms

DORA has applied since January 2025. Who is in scope in Croatia, the five pillars, ICT third-party risk, and what it means if you build financial software.

For Croatian banks, insurers, payment institutions, and fintechs, cyber resilience is now its own regulation. The Digital Operational Resilience Act (DORA) has applied across the EU since 17 January 2025, and 2026 is the year supervisors move from reviewing paperwork to demanding proof. Here is the regime in plain terms - and why it reaches your software vendors too.

Are you in scope?

DORA has one of the broadest scopes in EU financial law - Article 2 lists 21 categories of entity:

  • banks, credit and payment institutions, e-money firms;
  • investment firms, fund and asset managers, insurers and intermediaries;
  • crypto-asset service providers and pension funds;
  • and the critical ICT third-party providers that serve them.

In Croatia your supervisor is the HNB or Hanfa, depending on your licence. Microenterprises (under 10 staff, under 2M EUR) get a simplified framework - but they are not exempt: they still report major incidents and manage ICT contracts.

The five pillars

DORA organises everything into five areas. The first four are mandatory:

  • ICT risk management - governance, controls, board ownership;
  • Incident reporting - classify and report major ICT incidents to your supervisor;
  • Resilience testing - annual testing for all; threat-led penetration testing (TLPT) every three years for significant entities;
  • ICT third-party risk - oversight of every provider your critical functions depend on;
  • Information sharing - voluntary threat-intelligence exchange.

Much of pillar one overlaps with the groundwork in our cybersecurity guide and the controls behind software for regulated industries.

Why it reaches your software vendors

This is DORA’s sharpest edge. Your contracts with ICT providers must carry specific clauses - audit rights, incident cooperation, exit plans, sub-outsourcing limits - and you keep a Register of Information listing every arrangement. If you build or host software used in a critical function, those duties flow down to you by contract. DORA is the financial sector’s lex specialis, so it takes precedence over the general NIS2 regime for these entities.

What 2026 looks like

The first list of critical ICT third-party providers arrived in November 2025 - 19 names including AWS, Microsoft, Google Cloud, and IBM - and Registers of Information were consolidated by supervisors through spring 2026. Expect a new cadence of supervisory engagement built on live evidence, not annual binders.

This article is general information, not legal advice. DORA is supported by evolving technical standards; confirm your exact obligations and scope with qualified counsel and your supervisor.

Frequently Asked Questions

Does DORA apply to small fintechs? Yes. Scope is by activity, not size. Microenterprises follow a simplified framework but still report major incidents and manage ICT contracts.

How is DORA different from NIS2? DORA is financial-sector specific and takes precedence over NIS2 for entities it covers. NIS2 stays the baseline for other critical sectors.

What is a Register of Information? A structured record of every ICT third-party arrangement supporting your functions, submitted to your supervisor on request.

What is threat-led penetration testing? An intelligence-driven, covert attack simulation across the whole organisation, required of significant entities roughly every three years.

Need help meeting DORA?

We map your systems and vendor contracts to the DORA pillars, build the logging, access control, and incident workflows supervisors expect, and help you keep the Register of Information current - so resilience is built into your software, not bolted on.

Reach out at [email protected] or via the form on our homepage.

All articles