1. GOVERNING TEXTS

Even though general privacy and data protection legislation may sometimes be intertwined with cybersecurity, Croatia almost exclusively regulates cybersecurity through its two legislative acts, which are also the only acts which directly implement the Directive on Security Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive').

In Croatia, the Law on Cybernetic Security of Key Service Operators and Digital Service Providers (only available in Croatian here) ('the Cybersecurity Law') and the Regulation on Cybersecurity of Operators of Essential Services and Digital Service Providers ('the Cybersecurity Regulation') implement the NIS Directive.

However, please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Gazette of the European Union on 27 December 2022 and became effective as of 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, by 17 October 2024, Member States must transpose the NIS 2 Directive into their national legislation, and the transposition laws shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed. For further information please see our Insight article on the NIS Directive here.

If, through the application of the aforementioned legislation classified and/or personal data is created or utilised, special regulations regarding the protection of such data will be applicable. In other words, the Data Secrecy Act (only available in Croatian here) and the Information Security Act (only available in Croatian here) (for classified data), as well as the General Data Protection Regulation (Regulation (EU) 2016/679), repealing Data Protection Directive (Directive 95/46/EC) and the General Data Protection Regulation Implementation Act 2018 (available only in Croatian here) ('the Act') take precedence over the Cybersecurity Act when protection of such data is concerned. Additionally, if sector-specific provisions demand stricter security measures or impose heavier obligations on its addresses, such sector-specific provisions take precedence over the general acts.

1.1. Legislation

The Cybersecurity Act regulates:

• the procedures and measures for achieving a high level of joint cybernetic protection ('Security Measures') of operators of essential services ('Operators') and digital service providers ('DSP');
• the jurisdiction and competencies of sectoral authorities, single points of contact, incident prevention and protection authorities, i.e. the Computer Security Incident Response Team ('CSIRT'), and the technical authority for compliance grading;
• the supervision over Operators and DSPs regarding their obligations stemming from the Cybersecurity Act; and
• misdemeanour liabilities in case of non-compliance.

The objective of the Cybersecurity Act is to ensure the implementation of measures necessary for achieving a high level of joint cybernetic protection of the rendering of services which are of great significance for regular operations of essential social and commercial activities, including the continuous functioning of the digital market.

The Cybersecurity Regulation determines and elaborates upon:

• the security measures necessary for achieving a high level of joint protection of Operators;
• the manner of their implementation;
• the criteria for determining the severity of incidents regarding the provision of essential services; and
• important elements regarding incident notifications.

1.2. Regulatory authority

Competent sectoral authorities tasked with supervising Operators and CSPs differ regarding the sector they operate in and are exhaustively listed in Annex III of the Cybersecurity Act. The following is a list of current sectoral authorities in relation to the sector they supervise:

• Energy - the Ministry of Commerce and Sustainable Development ('Ministry of Commerce');
• Transport - the Ministry of Maritime Affairs, Transport and Infrastructure;
• Banking - the Croatian National Bank ('CNB');
• Financial market infrastructure - the Croatian Financial Services Supervisory Agency;
• Health - the Ministry of Health;
• Supply of drinking water and its distribution - the Ministry of Commerce;
• Digital infrastructure - the Central State Office for the Development of the Digital Society ('Central State Office');
• Business services for government bodies - the Central State Office; and
• Digital service providers - the Ministry of Commerce, in addition to the sectoral authority depending on the sector of digital services provided.

Sectoral authorities have the following competences:

• conducting the process of identification of Operators;
• supervision over Operators and DSPs as regards the implementation of the Security Measures;
• cooperation and exchange of information as regards cybersecurity with other sectoral authorities, as well as with other competent authorities; and
• cooperation and exchange of information with the Personal Data Protection Agency ('AZOP') in cases where personal data is jeopardised because of an incident occurring on the network and information system of an Operator or DSP, as well as on the system of a judiciary authority, when such an incident is the result of criminal activity.

Other authorities include:

• the Single Point of Contact - the Office of the National Security Council, which:
  • delivers relevant data to the European Commission for the assessment of the efficiency of the implemented Security Measures;
  • participates in the work of the Cooperation Group;
  • submits an annual incident report to the Cooperation Group detailing the number and nature of occurred incidents;
  • submits incident reports to foreign Single Points of Contact at the request of the competent CSIRT in cases where incidents have an international impact;
  • issues guidelines on the form and content of reports which must be submitted to the Single Point of Contact;
  • works on development of the national cybersecurity strategy so as to remain compliant with EU cybersecurity requirements; and
  • cooperates with the AZOP and judicial bodies, as well as with other competent authorities;
• the National Council for Cybersecurity and its Operative-Technical Coordination for Cybersecurity have similar competencies as the Single Point of Contact, but are focused on national cybersecurity, i.e. they conduct systematic analysis of the National Cyber Security Strategy of the Republic of Croatia, suggest measures to improve national cybersecurity, conduct practice drills, issue emergency plans in case of a cybersecurity crisis, et simile;
• the CSIRTs - the Information Systems Security Bureau ('the Bureau') and the National Computer Emergency Response Team ('CERT'), which:
  • keeps records of incidents;
  • issues early warnings and inform on the dangers and likelihood of incidents;
  • conducts dynamic risk analysis and issues sector overviews;
  • conducts system safety checks;
  • receives incident reports;
  • analyses and provides solutions to incidents at the request of Operators and DSPs and further provides expert assistance for the effective resolution of incidents;
  • issues guidelines on incident notifications;
  • informs sectoral authorities of incidents;
  • provides analyses of cross-border incident impacts in cooperation with sectoral authorities;
  • informs and submits relevant incident reports to the Single Point of Contact;
  • informs foreign CSIRTS of incidents if an incident has international impact; and
  • cooperates with other CSIRTs on a national and international level; and
• the Technical Authority for Compliance Grading – the Bureau, the Croatian Academy and Research Network ('CARNET'), and the CERT, which conduct periodic supervision of the security measures implemented on network and information systems, if such periodic supervision is not conducted by a qualified auditor.

1.3. Regulatory authority guidance

The Bureau and the CARNET issued the Framework of good practices for the harmonisation of key service operators with the measures of the Cybersecurity Act for key service operators and digital service providers and conducting conformity assessment (only available in Croatian here) ('the Good Practice Framework').

The Good Practice Framework includes guidelines, recommendations, and good practices for achieving compliance with the Security Measures, and is intended to assist Operators and DSPs in implementing the necessary Security Measures, as prescribed by the Cybersecurity Regulation.

The Good Practice Framework is not obligatory, and its purpose is to serve as an implementation guide for Operators and DSPs on the one hand, and sectoral and other authorities on the other.

2. SCOPE OF APPLICATION

The Cybersecurity Act applies to Operators regardless of their private or public status, the country of their seat, their size, their organisation, or ownership structure.

Additionally, the Cybersecurity Act applies to DSPs if they have a registered seat or representative (as defined by the NIS Directive) in Croatia, under the condition that such a DSP is not considered a micro or small entrepreneur in accordance with relevant provisions.

2.1. Network and Information Systems

In relation to network and information systems, the Electronic Communications Act implementing the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) (only available in Croatian here) ('ECA') provides that a network and information system is:

• (i) an electronic communications network, defined as transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, radio, optical, or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including the internet) and mobile terrestrial networks, and electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed;
• (ii) any device, or a group of connected or related devices, of which one or more execute the automatic processing of digital data; or
• digital data which are stored, processed, created, or transferred via elements described under (i) or (ii) for the purposes of their use, protection, or maintenance.

System safety is the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or the related services offered by, or accessible via, those network and information systems.

2.2. Critical Information Infrastructure Operators

Critical Infrastructure Operators are defined by the Critical Infrastructures Act (only available in Croatian here) as legal entities responsible for the management of critical infrastructure.

While the aforementioned law lists potential critical infrastructures, Operators are ultimately identified by the competent Sectoral Authorities in accordance with Annex I of the Cybersecurity Act ('List of Essential Services'), which stipulate specific criteria for identification in such critical infrastructures. The identification process is detailed below, under section 3.3.

2.3. Operator of Essential Services

In line with the respective provisions of the NIS Directive, the Cybersecurity Act stipulates that a public or private entity shall be identified (by a competent sectoral authority) as an Operator if it meets the following criteria:

• an entity provides an essential service from the List of Essential Services with criteria and thresholds for determining the importance of disruptive effects of an incident envisaged in Annex I to the Cybersecurity Act;
• the provision of that service depends on network and information systems; and
• an incident would have significant disruptive effects on the provision of that service.

2.4. Cloud Computing Services

The Cybersecurity Act defines cloud computing services as digital services which allow access to an upgradeable and elastic set of computer resources, applications, and services.

2.5. Digital Service Providers

The Cybersecurity Act defines digital service providers as any private entities which provide any of the digital services listed in Annex 2 of the Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on Information and Communications Technology Cybersecurity Certification and Repealing Regulation (EU) No. 526/2013 ('the Cybersecurity Act').

The services listed are as follows:

• internet marketplace;
• internet search engine; and
• cloud computing services.

2.6. Other

Not applicable.

3. REQUIREMENTS

3.1. Security measures

Operators and DSPs are obligated to implement the Security Measures in order to ensure the safe and continuous provision of their services. The Security Measures include, at the minimum, technical and organisational measures for risk management, considering the newest and modern technical solutions, as well as measures for prevention and mitigation of system incidents. The Security Measures are to be implemented in accordance with the conducted risk assessment, i.e. high risk systems will require more stringent measures.

Operators are required to implement organisational and technical risk management measures which must include:

• an incident risk assessment;
• the prevention, detection, and resolution of incidents; and
• incident mitigation.

More precisely, these Security Measures may include:

• the physical safety of system devices, i.e. safety from malfunction, abuse, human error, or natural phenomena;
• contract management, especially when the system safety has been outsourced to an external provider;
• the control of access to exposed devices;
• the physical separation of essential devices;
• a proper back-up of system data;
• keeping records of persons who come into contact with systems; and
• protection from malware.

In the implementation of the Security Measures, DSPs are obligated to pay special attention to:

• system and object safety;
• incident resolution;
• business continuity management;
• supervision, revision, and testing; and
• compliance with international system security standards.

DSPs are obligated to implement such measures to the network and information systems which support the digital services provided.

3.2. Notification of cybersecurity incidents

Operators and DSPs are obligated to notify the CSIRT, without any undue delay, of any incident which could have a significant impact on the provision of their services.

The criteria which determine the impact of an incident are as follows:

• the number of users impacted by the failure of providing relevant services;
• the duration of an incident;
• the geographical scope of the incident; and
• other sectoral criteria, for example economic impact, quality of services provided, and continuity of services.

Operators and DSPs are obligated to submit to the CSIRT the following notifications:

• an initial notification of an incident with significant impact, which must be submitted within four hours after the detection of the incident and must contain basic elements of the incident, probable consequences, and projected timeframe in which the following notification will be sent;
• an intermittent notification of an incident with significant impact, which must be submitted in three days since submitting the initial notification and contains the detailed analysis of the incident and its consequences (several intermittent notifications may be submitted); and
• a final notification of an incident with significant impact, which must be submitted within 15 days after it has been concluded that the regular provision of services has been re-established and contains real data on the impact of the incident and future measures to be taken as to prevent such an incident from occurring.

Additionally, entities which are not considered to be Operators, as well as DSPs may also inform the CSIRT of significant incidents on a voluntary basis.

3.3. Registration with a regulatory authority

While there is no registration process of Operators per se, sectoral authorities conduct the process of identification of operators of essential services within each sector from the List of Essential Services.

In the process of identification, sectoral authorities prepare a list of all the entities which provide essential services. Such entities are then extracted depending on the significance of a disruptive effect that an incident could have on the provision of a particular essential service within that entity. Namely, if the entity providing essential services meets the criteria for determining the significance of a disruptive effect of an incident envisaged in the List of Essential Services, and meets the thresholds, where they exist, the competent sectoral authority shall make the evaluation of the significance of a disruptive effect of an incident on the provision of the essential service for that particular entity. The entity shall then be further extracted for conducting the process of evaluation of dependence of the provision of the essential service on network and information systems. If the competent sectoral authority determines that the entity uses network and information systems for the support of the provision of the essential service and that the interruption or inaccurate functioning of such system may lead to the interruption of the provision of services or have another negative impact on the quality and/or volume of service, the competent authority will render a decision on the identification of such entity as an Operator of essential services. The competent authority shall inform the particular entity on the decision rendered within eight days.

While conducting the identification process, entities are required to provide any necessary information requested by the sectoral authorities, classified and personal data regulations notwithstanding.

The above process of identification is to be consulted at least every two years.

3.4. Appointment of a 'security' officer

Operators are obligated to appoint a person with the highest management powers who shall be responsible for the establishment and management of system security.

Additionally, Operators are obligated to form an organisational scheme, with a formal division of powers, tasks, and responsibilities through which a quality security management of essential systems will be achieved.

3.5. Other requirements

Not applicable.

4. SECTOR-SPECIFIC REQUIREMENTS

The List of Essential Services determines sector-specific criteria under which an entity shall be identified as an Operator and will subsequently be subject to cybersecurity provisions elaborated upon above.

For example, criteria regarding the health sector can be the amount of annual emergency interventions performed, number of employees, number of pharmaceutical products issued annually, etc.

In addition, there are certain sector-specific regulations which have been adopted; however, the same do not derogate from the Cybersecurity Act and Cybersecurity Regulation. For example, the CNB issued a Decision on Appropriate Information System Management (only available in Croatian here) ('the Decision'). The Decision does not derogate from the Cybersecurity Regulation, as it stipulates the necessity of proper control of access to vulnerable system elements, protection from malware, system back-up, etc., all in accordance with the assessed risks.

5. PENALTIES

Operators that do not comply with a mandatory instruction of the competent sectoral authority or fail to submit an incident notification shall be fined with a monetary misdemeanour fine ranging from HRK 150,000 to HRK 500,000 (approx. €19,960 to €66,530). Also, the responsible person within the entity shall be fined with a monetary misdemeanour fine ranging from HRK 15,000 to HRK 50,000 (approx. €2,000 to €6,650).

Providers that do not comply with a mandate issued by the competent sectoral authority or fail to submit an incident notification shall be fined with a monetary misdemeanour fine ranging from HRK 150,000 to HRK 500,000 (approx. €19,962 to €66,539). Also, the responsible person within the entity shall be fined with a monetary misdemeanour fine ranging from HRK 15,000 to HRK 50,000 (approx. €1,996 to €6,654).

Entities that do not comply with the request of the competent sectoral authority to submit data necessary for the assessment of their system security or fail to submit evidence of the implemented Security Measures shall be fined with a monetary misdemeanour fine ranging from HRK 50,000 to HRK 100,000 (approx. €6,650 to €13,300). Also, the responsible person within the entity shall be fined with a monetary misdemeanour fine ranging from HRK 10,000 to HRK 25,000 (approx. €1,331 to €3,327).

Entities providing an essential service that do not comply with the request of the competent sectoral authority for submitting data necessary for the identification process or fail to submit a notification on changes of such data shall be fined with a monetary misdemeanour fine ranging from HRK 15,000 to HRK 50,000 (€1,996 to €6,654). Also, the responsible person within the entity shall be fined with a monetary misdemeanour fine ranging from HRK 2,000 to HRK 20,000 (approx. €266 to €2,662).

6. OTHER AREAS OF INTEREST

Not applicable.

Tomislav Pedisic Attorney at law [email protected] Marko Knežević Associate marko.knežević@vukmir.net Vukmir & Associates Attornwys At Law, Ltd., Zagreb