Who Actually Governs NIS 2 in Croatia? Clear Authority, Contact, and Oversight
When your team is charting a path to NIS 2 compliance in Croatia, clarity about who truly governs and orchestrates your obligations is non-negotiable. The nerve centre is the Information Systems Security Bureau (ZSIS), Croatia’s designated competent authority. ZSIS doesn’t simply dispatch policy memos; it sits squarely at the intersection of development, enforcement, and escalation. For regulated entities, this means that ZSIS remains your anchor for every point of regulatory certainty, dispute, or audit assurance.
Regulatory clarity is a shield; uncertainty leaves you exposed.
ZSIS stands at the core of Croatia’s cyber governance, orchestrating responses across sector ministries: energy, health, finance, telecom, and more. When an incident surfaces or clarification is needed, your organisation’s compliance lead first notifies the relevant sectoral ministry. From there, ZSIS steps in to coordinate, escalate, or intervene, especially for significant breaches or contested compliance interpretations. Once a situation turns technical or systemic, ZSIS immediately delegates operational command to CSIRT.hr.
- Flow: Internal Compliance Lead → Sector Ministry → ZSIS (Competent Authority)
- On escalation:
ZSIS either resolves regulatory queries or, for critical incidents, triggers CSIRT.hr for technical response and coordinates with EU authorities if necessary.
This disciplined architecture prevents duplicate notifications and ambiguous accountability. By proactively mapping this chain, including direct ZSIS and ministry contacts within your compliance management platform, you transform regulatory ambiguity into operational confidence.
ISO 27001 Bridge Table: Competent Authority Mapping
| Expectation | Operationalisation | ISO 27001 / Annex A |
|---|---|---|
| Recognise Authority Chain | Store ZSIS contacts, escalation chart | A.5.2, A.5.5 |
| Track Regulatory Updates | Subscribe to Official Gazette, ZSIS notices | A.5.31, A.5.36 |
| Centralise Guidance | Sync FAQs into compliance records | 7.5.1, A.5.37 |
Subscribing to the Official Gazette and integrating ZSIS/HAKOM alerts into your ISMS platform isn’t busywork. It’s active defence, living insurance against regulatory drift and audit surprises.
How Is CSIRT.hr Structured, and What Has Changed for Incident Response?
In NIS 2’s new world, CSIRT.hr is no longer a background process; it is the critical node in your incident response chain. Housed within CARNET, CSIRT.hr now commands all aspects of NIS 2 incident management for “essential” and “important” Croatian entities.
The speed of your first call defines the outcome of every cyber incident.
What exactly has changed under NIS 2?
- 24/7 notification intake:
All “material” breaches require initial notification to CSIRT.hr within 24 hours, with a full report due within 72 hours.
- Pan-EU coordination:
High-impact or cross-border incidents escalate to the EU CSIRT Network, enabling multilateral technical support and intelligence sharing.
- Operational upgrades:
Expanded remit, new automation for threat detection, faster intelligence portals, and iterative stress-testing of procedures.
- Detect incident → Notify CSIRT.hr within 24h
- Full technical/business report submitted within 72h
- Feedback and audit closure: CSIRT.hr provides a lessons-learned loop; results feed into future audit and compliance cycles
Call to Action: Pre-map your CSIRT contacts (insert their incident reporting info into every critical asset’s response plan using security.croatia.hr).
Incident Response Steps Table
| Phase | Deadline | Required Actions |
|---|---|---|
| Detection | Immediate | Escalate to CSIRT.hr |
| Initial Notice | 24 hours | Email/call CSIRT, share summary |
| Full Report | 72 hours | Technical, business, and recovery info |
| Remediation | On closure | Report lessons learned, close incident |
Running incident simulation drills to test this flow periodically isn’t just good hygiene; it is now a measured KPI in continuous audits.
Where Does Croatian Law Stand? NIS 2 Transposition, Timelines, and Overlaps
Croatia completed a full rewrite of its cyber regime to transpose NIS 2, retiring the 2018 Cyber-Security Act. As of September 2024, new sector coverage and fines are already actionable; noncompliance is now a live, enforceable risk (Official Gazette).
Every day’s delay risks both fines and business continuity.
Key legal implementation shifts:
- Comprehensive Act Rewrite:
A larger group of entities are covered, sector deadlines are sharper, and maximum fines are much higher.
- Privacy and Security Fusion:
Now, NIS 2 security reporting is harmonised with privacy (GDPR); ZSIS ensures regulatory actions don’t create contradictory requirements.
- Mandatory Registry:
ZSIS maintains a “living” registry of all regulated entities; your compliance status is updated and formally notifiable.
Legal Timeline Snap
2018 Act → NIS 2 (2022) → Sept 2024 Transposition → Live Audit Cycle
Actionable move: Subscribe to digitalizacija.gov.hr for direct notification dates and preparation windows. Failure to actively monitor now equals avoidable risk.
Who’s Covered? Entity Status, Cross-Border Rules, and Continuous Classification
Entity coverage under NIS 2 isn’t a “set and forget” exercise. ZSIS’s registry is the single source of truth on entity status, and self-assessment is a recurring obligation.
When scope is clear, compliance transitions from shadow risk to manageable project.
How the classification process works:
- Formal notification:
ZSIS confirms “essential” or “important” status; you are formally listed.
- Self-assessment requirement:
Use security.croatia.hr tools to file annual (or event-driven) status reports and attestations.
- Entity profile review:
Petition ZSIS for registry updates if your activity or structure changes.
Table: Classification Risk Update Examples
| Trigger | Risk/Status Update | SoA/Evidence |
|---|---|---|
| New critical service | Add to ZSIS registry, update SoA | A.5.9, ZSIS notice |
| Sector change | Petition for status review | Registry update |
| Supply change | Update supplier risk register | A.5.19, supplier file |
Each legal entity, including groups and subsidiaries, is independently accountable for compliance, eliminating proxy risk through group membership.
Incident Reporting and Feedback Loops: Deadlines, Detail, and Audit Traces
Incident response under NIS 2 is governed by unforgiving timelines and detail. Only “material” incidents require reporting, but omissions can trigger regulatory and financial jeopardy.
Obligatory steps:
- Notify CSIRT.hr within 24 hours of a “significant” incident (attack, critical failure).
- Complete technical/business impact report within 72 hours.
- Closure report, comprising root-cause, remedy, and lessons learned.
Responsiveness turns incidents from compliance risks to resilience credit.
Details and Evidence Requirements:
- Encryption: All submissions must be encrypted and access-limited.
- Impact reporting: Affected systems, impact, privacy/data breach status, root cause, and recovery plan must be included.
- Annual audit: Regular audits now certify incident/logging routines and response discipline for regulated entities.
Traceability Table: Notification Examples
| Trigger | Notification | Evidence |
|---|---|---|
| Ransomware detected | CSIRT within 24h, 72h report | SoA A.5.25, Incident registry |
| Service restore | Feedback to CSIRT.hr | Post-incident review log |
| Audit | Encryption/logging proof | Annual ISMS audit docs |
Put simply: the audit trail is now continuous, not periodic. Feedback and lessons from each incident cycle into future audit and controls improvement, closing the resilience loop.
Reporting, Auditing, and Supervision: Essentials for Boards and Audit Teams
NIS 2 audits in Croatia are now data-led, live, and real-time. ZSIS has broad powers to conduct both scheduled and surprise audits, and expectations have leaped from annual checklist to perpetual compliance monitoring.
Non-remediation within 30 days of a finding can lead directly to fines, further audit scrutiny, and the risk of regulatory publicity.
A live audit dashboard demystifies NIS 2: a system of record equals a system of confidence.
Audit Innovations and Board Reporting
- Digital dashboards:
Boards are expected to monitor KPIs and findings in (almost) real time, well ahead of formal regulatory review.
- Registry integration:
ZSIS merges audit results directly into its entity registry, one seamless audit-to-regulator link.
- KPIs: Key required metrics now include detection speed, reporting completeness, and staff engagement.
Live board view of: current findings, outstanding remediation items, staff policy acknowledgment rates, and legal compliance timeline.
Supply Chain, Third-Party Cyber Risk, and Procurement: What’s the Law Now?
Supply chain has gone from an audit afterthought to a legal foundation. Croatian NIS 2 law now requires regulated entities to:
- Map and document all key suppliers;
- Enforce contract-based cyber controls;
- Maintain an annual supply chain risk register;
- Self-assess and produce actual evidence, up to audit standard.
Every contract is a compliance control; neglect the risk and you inherit the breach.
Vendor-initiated breaches are subject to the same notification protocols as internal ones. Regulators now expect granular KPIs on supply chain resilience: breach frequency, contracts updated, remediation timelines, and evidence logs.
Supply Chain Traceability Table
| Trigger | Risk/Status Update | SoA/Evidence |
|---|---|---|
| Vendor incident | Update risk registry & audit | SoA A.5.19, contract, log |
| Annual review | Supply chain revalidated | Risk register, record |
Every audit now expects to see this chain alive in your compliance platform, not retrofitted on demand.
Where Croatia Stands: EU Comparison, Best Practices, and What’s Next
Croatia’s NIS 2 response is among Europe’s most coordinated: clear authorities, a national CSIRT, and a rapidly upgrading regulatory playbook. Benchmarked against EU peers, Croatia excels in fast lawmaking and strong incident response. But there’s still room to deepen sector-level guidance, boardroom engagement, and integration with emerging domains like AI governance.
True cyber maturity is benchmarked against neighbours and EU best standards.
Board-Level Compliance Maturity Checklist
- Is annual board training mandated, and records kept?
- Is a digital compliance dashboard in place and reviewed at board level?
- Are AI governance and multinational risks mapped in the compliance plan?
Actionable next step: Download Croatia’s NIS 2 government roadmap and circulate it to your compliance board. Mapping your ambitions now to cyber-security (and AI) best practice puts you ahead of the competitive pack.
ISMS.online for NIS 2: Integrating Croatian Compliance, Evidence, and Audit
The fragmented complexity of Croatian NIS 2 compliance can be transformed with a compliance platform designed around local law, regulatory cadence, and incident expectations. ISMS.online offers HeadStart onboarding, automated Policy Packs, living incident reporting, and real-time dashboards tuned to ZSIS and CSIRT.hr (isms.online).
- A unified dashboard keeps ZSIS, CSIRT.hr, procurement, supply chain, and board oversight in full view, tracking every requirement, deadline, and task, from real-time staff acknowledgements to audit status.
- User engagement and To-Do dashboards provide KPIs for staff policy acknowledgements, compliance status, and legal deadlines.
Beyond passing audits, you are building continuous security resilience, tracked and visible every month.
Linked work, KPIs, evidence-ready exports, and automated supply chain reviews consolidate all requirements, removing last-minute audit chaos and ensuring every action is logged.
No more boardroom surprises. Every compliance radar now lives in one place, turning NIS 2 from risk into a reputation builder for your organisation.
Start a boardroom readiness review, launch audit scheduling, or explore live dashboards today with ISMS.online. Turn compliance into competitive advantage and make NIS 2 resilience your signature strength.
Frequently Asked Questions
Who is Croatia’s NIS 2 authority, and how does compliance escalation actually work?
Croatia’s official NIS 2 authority is the Information Systems Security Bureau (ZSIS), serving as the central hub for NIS 2 oversight, sectoral coordination, and legal interpretation across all regulated sectors. For any compliance inquiries, such as whether your organisation is covered, audit expectations, or sector classification, ZSIS is your first point of contact via their official web portal. ZSIS not only provides definitive answers but also manages escalation if sector ministries don’t respond or if classification is in doubt. Formal escalation involves submitting documented queries via the ZSIS portal, with the bureau issuing binding rulings and involving sector ministries where mediation is needed. In urgent or unresolved situations, ZSIS operates a legal hotline. These escalation steps, and records of all ZSIS contacts, advice, and news subscriptions, form compulsory audit evidence under Croatia’s NIS 2 regime.
ZSIS is the documented backbone for escalation, bridging gaps, driving clarity, and ensuring no compliance question goes unresolved.
Escalation Roadmap
| Escalation Scenario | Action | ZSIS Path | Audit Evidence Required |
|---|---|---|---|
| Ministry slow/no response | Formal request to ZSIS | Submit via ZSIS portal | Escalation log |
| Classification dispute | Document & submit proof | ZSIS ruling/mediation | Registry evidence, ruling |
| Urgent legal/compliance issue | Call ZSIS hotline | Direct board/sector hand-off | Hotline/email record |
Keep proof of every step; Croatia’s audits demand a clear trail of authority contacts and escalation records.
How does CSIRT.hr operate, and what are the real-world steps for incident notification in Croatia?
CSIRT.hr, managed by CARNET, is Croatia’s authoritative Computer Security Incident Response Team for managing all significant NIS 2-regulated cyber incidents. If your organisation encounters a cyber event with substantial business or data impact, you must notify CSIRT.hr within 24 hours via their secure reporting portal. The first submission should summarise the event’s impact, affected assets, and immediate actions. A compulsory progress update follows within 72 hours detailing ongoing containment and investigation work, then a closure report is submitted once the impact is fully remediated, explicitly covering lessons learned and prevention improvements. Notably, CSIRT.hr offers a pre-incident self-checker to help teams verify their notification process, which is strongly recommended to avoid communication breakdown in crisis moments.
Practising your notification workflow before an incident keeps your legal and business continuity muscle primed for real-world scrutiny.
Incident Notification Lifecycle Table
| Reporting Stage | Deadline | Core Content | Submission Route | Audit Evidence |
|---|---|---|---|---|
| Initial Report | 24 hours | Event summary, impact, actions | CSIRT.hr portal | Timestamped log |
| Progress Update | 72 hours | Containment, investigation | CSIRT.hr portal | Update log |
| Closure Report | Upon resolve | Outcome, fixes, learning | CSIRT.hr portal | Final report/log |
| Feedback Loop | Closure | Integration of CSIRT input | Internal, ZSIS | SoA/policy update |
Penalty and audit risk rise sharply for delays or incomplete documentation; a tight feedback loop and record keeping are non-negotiable.
Has Croatia completed NIS 2 transposition, and what audit triggers or legal deadlines now apply?
As of September 2024, Croatia has fully enacted a new Cyber-Security Act mirroring NIS 2, extending binding requirements to all “essential” and “important” entities. Obligations include annual risk reviews, real-time incident reporting, documented third-party assurances, and year-round readiness for evidence-based audits. Sector ministries coordinate with ZSIS in maintaining the national entity registry and issue annual reminders for compliance deadlines. Legal deadlines for incident reporting (24h, 72h), self-assessment, and the renewal of evidence are locked into the national calendar and audited annually. Importantly, NIS 2’s legal structure is now cross-referenced with GDPR, critical infrastructure laws, and rapidly emerging AI governance statutes, so organisations must harmonise compliance evidence and reporting cycles or face amplified scrutiny (GDPR/critical infrastructure legal reference).
| Audit Trigger/Event | Entity Affected | Legal Citation | Deadline/Period |
|---|---|---|---|
| Annual audit window | All covered organisations | Cyber-Security Act, NIS 2 | Registry-defined |
| Significant incident | Essential/Important orgs | NIS 2, National Law | 24h + 72h |
| Supplier contract | Supply-chain facing orgs | NIS 2 Art. 21/22 | On contract signing |
Subscribe to ZSIS and ministry feeds for automatic compliance reminders; missing a deadline is now a statutory non-conformity.
How can you prove, or challenge, your organisation’s NIS 2 status in Croatia?
Your company’s status as ‘essential’ or ‘important’ (or exempt) is governed by regular inclusion in ZSIS’s official registry, updated in partnership with sector ministries. Every covered business must file an annual self-assessment using the government’s online tool, addressing sector, service, size, supply chain, and group structure. Each group entity or subsidiary is registered separately. If a classification appears incorrect, you dispute it by submitting evidence (sector documentation, a registry extract, or a reference from the) via ZSIS’s dispute flow. Keeping a digital archive of all self-assessments, registry entries, contracts, and dispute logs is essential for audit readiness.
An annual self-assessment isn’t just policy; it is legal armour for your board and audit cycle.
Entity Status Compliance Checklist
- Registry check (annually and after any key change)
- Self-assessment submission (covering supply chain, sector, size)
- File all relevant contract and registry evidence for SoA/audits
- Keep records of disputes, ZSIS correspondence, and rulings
Quick and thorough access to these proofs can mean the difference between a smooth audit and a finding that delays certification or exposes you to legal risk.
What operational steps and feedback cycles must organisations log for NIS 2 incident reporting in Croatia?
A NIS 2 incident is any cyber risk or event likely to cause significant business, service, or data impact. Incident handling sequence:
1. Initial report (≤24h): Describe the event, assets affected, immediate actions.
2. Progress update (≤72h): Give status of containment, investigation phase, updated risk.
3. Closure report: Detail fixes/remediation, outcome, and lessons learned.
4. Feedback integration: Map CSIRT.hr recommendations into your SoA/docs; auditors now check that these best practices and the board response are visible in your update logs.
| Reporting Stage | Deadline | Content | Where to File | Audit Log Entry |
|---|---|---|---|---|
| Initial Report | 24 hours | Impact, affected assets, action | CSIRT.hr portal | Timestamped report |
| Progress Update | 72 hours | Containment, investigation | CSIRT.hr | Update log |
| Closure Report | At resolve | Outcome, lessons, mitigation | CSIRT.hr | Final report/log |
| Feedback Loop | Closure | Policy/SoA documented learning | Internal + ZSIS | Change/feedback log |
Feedback-loop evidence is now a core audit requirement; missed documentation equals findings and possible penalties.
How are NIS 2 supervision, audit, and penalty cycles run, and what do boards need to know?
ZSIS coordinates annual audits for essential entities (with surprise audits possible) and event-triggered audits for important entities. Missed incident reporting, noncompliance, or evidence gaps lead to penalties and obligatory remediation plans, generally with 30 days’ notice. Every regulated business must maintain a live dashboard or documentation hub charting compliance KPIs, incident closure intervals, SoA/policy updates, and board-level engagement. Croatian auditors routinely request all logs of board sign-off, scheduled reviews, and incident oversight as part of the compliance review process.
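As an added worked example that is not part of the original article and is not ISMS.online’s or CSIRT.hr’s code, the following Python computes the 24h and 72h deadlines that both the Incident Response Steps Table earlier on this page and the lifecycle table above describe, grades a constructed set of submission timestamps against them, and renders the kind of timestamped audit-log line the tables ask for. The stage names, the layout of the submissions dictionary, the incident identifier and the sample timestamps are all assumptions made for this example.

```python
"""Deadline tracker for the NIS 2 incident notification lifecycle.

Added example, not ISMS.online's or CSIRT.hr's code. The 24h/72h windows
and stage sequence follow the page; stage names, the record layout and
the sample incident are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows from the page: initial notice within 24h, full/progress
# report within 72h. The closure report has no fixed clock; it is due when
# the incident is resolved.
STAGE_WINDOWS: dict[str, Optional[timedelta]] = {
    "initial_report": timedelta(hours=24),
    "progress_update": timedelta(hours=72),
    "closure_report": None,
}


@dataclass(frozen=True)
class StageResult:
    stage: str
    deadline: Optional[datetime]
    submitted_at: Optional[datetime]
    status: str           # on_time | late | pending | missing | due_at_closure
    overdue_hours: float  # 0.0 unless late or missing


def _aware(ts: datetime) -> datetime:
    """Refuse naive timestamps: an audit trail needs an unambiguous clock."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


def deadlines(detected_at: datetime) -> dict[str, Optional[datetime]]:
    """Absolute deadline per stage, measured from the moment of detection."""
    t0 = _aware(detected_at)
    return {stage: (t0 + window if window else None) for stage, window in STAGE_WINDOWS.items()}


def evaluate(detected_at: datetime, submissions: dict, now: datetime) -> list:
    """Grade each stage against its deadline.

    submissions maps stage name -> timestamp the report was filed
    (a missing key means the report has not been filed yet).
    """
    now = _aware(now)
    results = []
    for stage, deadline in deadlines(detected_at).items():
        filed = submissions.get(stage)
        filed = _aware(filed) if filed else None
        overdue = 0.0
        if deadline is None:                      # closure report: no fixed clock
            status = "on_time" if filed else "due_at_closure"
        elif filed is None:                       # timed stage, nothing filed yet
            if now > deadline:
                status = "missing"
                overdue = (now - deadline).total_seconds() / 3600
            else:
                status = "pending"
        elif filed <= deadline:
            status = "on_time"
        else:
            status = "late"
            overdue = (filed - deadline).total_seconds() / 3600
        results.append(StageResult(stage, deadline, filed, status, round(overdue, 2)))
    return results


def has_breach(results: list) -> bool:
    """True if any timed stage was filed late or is past its deadline unfiled."""
    return any(r.status in ("late", "missing") for r in results)


def audit_lines(incident_id: str, results: list) -> list:
    """One audit-log line per stage, suitable for the incident registry."""
    lines = []
    for r in results:
        due = r.deadline.isoformat() if r.deadline else "at-closure"
        filed = r.submitted_at.isoformat() if r.submitted_at else "none"
        lines.append(f"{incident_id} {r.stage} due={due} filed={filed} "
                     f"status={r.status} overdue_h={r.overdue_hours}")
    return lines


# Constructed sample incident (not a real case): detected 08:00 UTC on
# 10 Sept 2024, initial report filed 12.5h later, progress update filed
# 74h later (two hours past the 72h window), closure not yet filed.
_UTC = timezone.utc
SAMPLE_DETECTED = datetime(2024, 9, 10, 8, 0, tzinfo=_UTC)
SAMPLE_FILED = {
    "initial_report": datetime(2024, 9, 10, 20, 30, tzinfo=_UTC),
    "progress_update": datetime(2024, 9, 13, 10, 0, tzinfo=_UTC),
}
SAMPLE_NOW = datetime(2024, 9, 14, 0, 0, tzinfo=_UTC)


def sample_results() -> list:
    """Evaluate the constructed sample incident."""
    return evaluate(SAMPLE_DETECTED, SAMPLE_FILED, SAMPLE_NOW)


if __name__ == "__main__":
    for line in audit_lines("INC-EXAMPLE-001", sample_results()):
        print(line)
```

The tracker deliberately refuses naive timestamps: a deadline argued over in an audit is only defensible if detection and filing times carry an explicit timezone. Because `STAGE_WINDOWS` is the single place the 24h and 72h clocks live, a change in the national deadlines is a one-line edit.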
Audit & Board Oversight Table
| Trigger | Update Action | Policy/SoA Link | Evidence Required |
|---|---|---|---|
| Reporting lapse | Board notified, remedial | Audit SoA, KPIs | Notification, plan |
| Failed audit | Root cause & fix logged | SoA, control documentation | Regulator/audit log |
| Board/leadership change | Policy sign-off, review | Governance manual | Document/KPI dashboard |
Regular board engagement, tracked sign-offs, and SoA reviews are not optional; proactivity, not post-incident patching, is now the expectation in Croatia’s NIS 2 regime.
What new supply chain and third-party risk duties apply to Croatian NIS 2 organisations?
All regulated organisations must maintain a named, up-to-date register of major suppliers and third parties, catalogue NIS 2-aligned security clauses in each contract, and complete scheduled third-party risk reviews. Supply chain security lapses or incidents must be reported to CSIRT.hr within the same timelines as internal incidents. At audit, organisations must present a full log of supply chain risk mapping, contract evidence, third-party assessments, and mitigation actions taken. Your procurement function is now a compliance risk centre equal to IT or security.
Annual supplier reviews are no longer paperwork; they are compliance currency for both auditors and business partners.
Supply Chain Compliance Table
| Duty | Audit Evidence/Artefact | Linked Policy |
|---|---|---|
| Supplier risk mapping | Named risk register, log | Supplier/SCM policies |
| Contractual clauses | File of clause evidence | Contract audit records |
| Third-party review | Documented annual assessments | Risk management plan |
| Supplier incident | CSIRT.hr report/registry | Incident log/policy |
Where does Croatia stand in EU NIS 2 deployment, and what are the distinguishing best practices?
Croatia is an established leader in NIS 2 alignment: ZSIS is a single centrally empowered authority, backed by a robust national CSIRT and transparent entity registry. Remaining challenges include sector-level resource disparities and the upcoming integration of digital/AI supply chain rules. Advanced best practices in the Croatian market now include regular board cyber-risk training, NIS 2 KPI dashboards reviewed in executive meetings, and active intelligence exchange with EU peers; these indicators distinguish forward-thinking compliance programmes. Organisations embedding these practices not only stay ahead of audits but also outperform peers in cross-border procurement and digital trust.
How does ISMS.online support end-to-end Croatian NIS 2 compliance and futureproof your audit readiness?
ISMS.online is purpose-built to translate Croatia’s NIS 2 law from stressful mandate to board-level confidence. Our HeadStart onboarding guides teams through compliance steps: registry mapping, localised policies, and NIS 2 entity status confirmation (https://www.isms.online/nis-2-directive/). Automated dashboards and Linked Work keep real-time evidence at your fingertips for auditors, boards, and procurement, eliminating chaotic, last-minute manual checks. Supply chain and contract mapping is simplified; KPI updates and incident logging meet audit demands with less admin. With role-specific Policy Packs, training modules, and built-in incident scheduling, every staff member is onboarded with clear evidence trails.
Start your NIS 2 compliance journey now with ISMS.online, integrating audits, board assurance, and supply chain trust into a single, resilient framework for Croatian and EU organisations.