NIS2 in Croatia: who is in scope and what it requires

NIS2 is now Croatian law. Which companies are in scope, the Article 21 measures, the 24/72-hour reporting clock, and management's personal liability.

Cybersecurity is no longer only an IT problem - for thousands of Croatian companies it is now a legal duty with personal liability attached. The NIS2 directive, transposed as the Zakon o kibernetičkoj sigurnosti, sets out who must comply and what they must do. Here is the regime in plain terms.

Are you in scope?

Croatia was one of only four EU states to transpose NIS2 on time (Zakon o kibernetičkoj sigurnosti, NN 14/2024, in force since February 2024). It sorts in-scope organisations into two tiers:

  • Essential (ključni) - larger operators in critical sectors: 250+ employees or 50M+ EUR turnover.
  • Important (važni) - medium operators: 50+ employees or 10M+ EUR turnover.

Some sectors - telecoms, DNS, trust services, cloud - are in scope regardless of size.

Sectors span energy, transport, banking, health, water, digital infrastructure, public administration, manufacturing, and food. Supply to any of them and you should expect supply-chain security questions too.

What Article 21 requires

The law sets out roughly ten baseline risk-management measures every in-scope entity must put in place:

  • risk analysis and information-security policies;
  • incident handling and business continuity with backups;
  • supply-chain security;
  • encryption and access control;
  • multi-factor authentication and staff cyber-hygiene training.

This overlaps heavily with the groundwork in our cybersecurity guide and your GDPR duties - do it once, satisfy both.

Reporting and personal liability

Incidents follow a strict clock: a 24-hour early warning, a 72-hour notification, and a final report within one month, filed through the national CSIRT and the JISKB portal. The clock starts when you become aware, not when you finish investigating.

Crucially, management bodies are personally accountable. They must approve the measures, oversee them, and complete training. Fines reach 10M EUR or 2% of turnover for essential entities and 7M EUR or 1.4% for important ones, and regulators can suspend executives for persistent non-compliance.

What is changing

A January 2026 European Commission proposal would ease duties for smaller firms and add a single EU reporting portal - but it is a proposal, not law, with adoption expected around 2027. Build for today’s rules; the direction of travel only softens them, and the same controls protect regulated-industry software anyway.

This article is general information, not legal advice. NIS2 implementation is still evolving; confirm your exact obligations and scope with qualified counsel.

Frequently Asked Questions

Is my company in scope for NIS2? If you have 50+ employees or 10M+ EUR turnover and operate in a listed sector, likely yes. Some sectors, like telecoms and cloud, are in scope at any size.

What is the difference between essential and important entities? Both must meet the same security measures. Essential entities face stricter supervision and higher fines; the split is based on size and sector criticality.

How fast must I report an incident? A 24-hour early warning, a 72-hour notification, and a final report within one month, all via the national CSIRT and JISKB portal.

Can management be fined personally? Yes. Management bodies must approve and oversee the measures and can be held personally liable, with executive suspension possible for persistent non-compliance.

Need help meeting NIS2?

We map your systems to the Article 21 measures, build the access control, logging, and backup you need, and stand up incident-reporting workflows - so compliance becomes part of your software, not a binder on a shelf.

Reach out at [email protected] or via the form on our homepage.
