NIS2 Implementation in the EU |
|
Croatia |
|
|
(Europe)
Firm
Divjak Topic Bahtijarevic & Krka Law Firm
Contributors
Anella Bukovic |
|
| Status | Enacted |
| Status of the NIS2 Implementation Act | The NIS2 Implementation Act was implemented through the adoption of the Cybersecurity Act (Official Gazette No. 14/2024). |
| If available, foreseeable significant deviations of the National Implementation Act from the NIS2 Directive | The Croatian Cybersecurity Act deviates from the NIS2 Directive registering requirements for subjects in its scope – according to its provisions, the competent authorities will notify subjects of their categorization as essential or important entities by February 2025 at the latest. The competent authorities can also request information (if needed for the purposes of categorization) from subjects and the subjects need to provide the requested information within 15 days of the receipt of the request. Other requirements are closely modeled after the NIS2 Directive, but there are several bylaws that would further specify the requirements that need to be adopted (some are currently in the public consultation phase). Another deviation is that the Cybersecurity Act introduced a self-assessment requirement for important entities that must be performed at least once every 2 years. |
| Expected date of entry into force of the Implementation Act | The Act has been in force since 15 February 2024. |
NIS2 Implementation in the EU
Croatia
(Europe) Firm Divjak Topic Bahtijarevic & Krka Law FirmContributors Anella Bukovic Tena Pavelic
Updated 07 Feb 2025Enacted
The NIS2 Implementation Act was implemented through the adoption of the Cybersecurity Act (Official Gazette No. 14/2024).
The Croatian Cybersecurity Act deviates from the NIS2 Directive registering requirements for subjects in its scope – according to its provisions, the competent authorities will notify subjects of their categorization as essential or important entities by February 2025 at the latest. The competent authorities can also request information (if needed for the purposes of categorization) from subjects and the subjects need to provide the requested information within 15 days of the receipt of the request.
Other requirements are closely modeled after the NIS2 Directive, but there are several bylaws that would further specify the requirements that need to be adopted (some are currently in the public consultation phase).
Another deviation is that the Cybersecurity Act introduced a self-assessment requirement for important entities that must be performed at least once every 2 years.
The Act has been in force since 15 February 2024.