NIS2 Implementation in the EU | Croatia (Europe)
Firm: Divjak Topic Bahtijarevic & Krka Law Firm
Contributors: Anella Bukovic

| Status of the legislative process | Enacted |
| Status of the NIS2 Implementation Act | The NIS2 Implementation Act was implemented through the adoption of the Cybersecurity Act (Official Gazette No. 14/2024). |
| Significant deviations of the National Implementation Act from the NIS2 Directive, if any | |
| Date of entry into force of the Implementation Act | The Act has been in force since 15 February 2024. In 2025, the main competent authority, the Security and Intelligence Agency, adopted several guidelines and instructions for subjects in scope. |
Updated 30 Jan 2026
- The Croatian Cybersecurity Act deviates from the NIS2 Directive in its registration requirements for subjects in its scope: according to its provisions, the competent authorities will notify subjects of their categorization as essential or important entities by February 2025 at the latest. The competent authorities can also request information from subjects (if needed for the purposes of categorization), and the subjects need to provide the requested information within 15 days of receipt of the request.
- The first categorization process was concluded in 2025, but will be repeated by the competent authorities periodically.
- Additionally, while voluntary categorization is not provided for under the Croatian Cybersecurity Act or its bylaws, the Security and Intelligence Agency ("SOA") published a call after completing the categorization process. The call invites legal entities operating in Croatia within the scope of the Act that believe they meet the categorization criteria but have not received notification to contact the competent authorities for voluntary categorization.
- Other requirements are closely modeled after the NIS2 Directive.
- Another deviation is that the Cybersecurity Act introduced a self-assessment requirement for important entities, which must be performed at least once every 2 years; this obligation applies one year after an entity is categorized. Essential entities are required to perform cybersecurity audits.