NIS 2 Status in Croatia

What the directive requires, how Croatia transposes it, and where SOA, NCSC-HR and CERT.hr sit in the picture.

Simon Orzel

Overview

The NIS 2 Directive is the EU layer. It binds every Member State, Croatia included, to a single minimum level for essential and important entities. Croatia has to bring that level into Croatian law and run supervision underneath it.

Croatia transposes NIS 2 through the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, NN 14/2024), adopted by the Croatian Parliament in January 2024 and in force since 15 February 2024. The detailed implementing regulation (Uredba o kibernetičkoj sigurnosti, NN 135/2024) followed in November 2024. Croatia was one of the few Member States that met the 17 October 2024 transposition deadline well in advance.

Supervision is split. The Security and Intelligence Agency (SOA, Sigurnosno-obavještajna agencija) hosts the National Cyber Security Center (NCSC-HR) and is the central competent authority for most sectors. The Office of the National Security Council (UVNS) acts as the single point of contact toward the EU. CERT.hr, operated within CARNet, is the operational national CSIRT and runs the incident reporting platform PiXi.

Where the rules sit
Three layers anyone reading the Croatian NIS 2 situation has to keep apart.

EU Directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. It sets the obligations every Member State has to transpose, including the size and sector test for essential and important entities.

EU Implementing Act

Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Croatia, without national transposition.

Croatian transposition

Zakon o kibernetičkoj sigurnosti, NN 14/2024 (in force 15 February 2024)

The Croatian NIS 2 transposition. The implementing regulation Uredba o kibernetičkoj sigurnosti (NN 135/2024) adds operational detail, including supervision modalities and self-assessment duties for entities.

Three points you have to know
What changes for entities active in Croatia.
Transposition

Cybersecurity Act NN 14/2024

Brings the NIS 2 obligations into Croatian law. Defines essential and important entities, supervisory powers, incident reporting duties, and sanctions. The accompanying regulation NN 135/2024 specifies cybersecurity measures and supervision in more operational detail than the directive itself.

Supervision

SOA, NCSC-HR and UVNS

The Security and Intelligence Agency (SOA) hosts the National Cyber Security Center (NCSC-HR), which acts as the central competent authority for most sectors. The Office of the National Security Council (UVNS) is the EU single point of contact. Sector regulators retain their roles where lex specialis applies, for example in the financial sector under DORA.

Deadlines

Registration and reporting

Croatia met the 17 October 2024 transposition deadline well in advance. Essential and important entities self-identify and register through the channels set out in NN 14/2024 and NN 135/2024. Significant incidents follow the directive timing: early warning within 24 hours, notification within 72 hours, final report within one month. Reporting flows through the PiXi platform operated by CARNet, accessed via e-Ovlaštenja.

Two principles that resolve every edge case
Read these before any Croatian commentary on NIS 2.

Croatian activity follows Croatian law

Activity on Croatian territory follows the Croatian transposition. A German managing director with a Croatian subsidiary reads NN 14/2024 for that subsidiary, not the BSIG. The directive obligations are identical. Procedure, portal and sanctions sit in Croatian law.

Croatia must not fall below the EU level

The directive is a minimum-harmonisation instrument. Croatia may go stricter, and on points like the self-assessment regime arguably has. Croatia may not fall below the directive on obligations for essential and important entities, on reporting deadlines, or on management body responsibility.

Who does what in Croatia
Three institutions that show up in almost every Croatian NIS 2 question.
HR

SOA / NCSC-HR

The Security and Intelligence Agency (SOA) hosts the National Cyber Security Center (NCSC-HR), the central competent authority for cybersecurity supervision under NN 14/2024. NCSC-HR coordinates supervisory action and publishes guidance. UVNS sits alongside as the EU single point of contact.

HR

CERT.hr (CARNet)

The national CSIRT, operated within CARNet (Croatian Academic and Research Network). It runs the PiXi reporting platform that essential and important entities use for mandatory incident notification. It directly handles the banking, financial market infrastructure, digital infrastructure, research and education sectors. Other sectors flow through their respective supervisory authorities.

EU

ENISA

The EU cybersecurity agency. Publishes guidance, operates the European vulnerability database and coordinates across borders. Not a regulator for Croatian entities. That role sits with SOA / NCSC-HR.

Pitfalls
Mistakes we see when entities read Croatian NIS 2 for the first time.
  • Croatia is just a translated copy of the German BSIG.

    Both transpose the same directive, but procedure differs. Croatia routes supervision through SOA / NCSC-HR, not a civilian agency comparable to the BSI. Reporting flows through the PiXi platform and e-Ovlaštenja, not the BSI portal. The Croatian law also formalises a self-assessment regime that the German draft does not mirror. The directive level is identical, the operational layer is not.

  • Croatia missed the deadline and has no working registration channel.

    Croatia adopted NN 14/2024 in January 2024 and brought it into force on 15 February 2024, well before the 17 October 2024 EU deadline. The implementing regulation NN 135/2024 followed in November 2024. Essential and important entities self-identify and register under the act, and report through the PiXi platform via e-Ovlaštenja. A foreign group blocking on a missing Croatian process is reading old information.

  • Only the sectors in Annex I are in scope.

    The size and sector test from the directive applies, but the act and regulation also reach important entities in Annex II sectors and certain entities regardless of size, such as public administration and specific digital providers. Applicability has to be checked entity by entity, against the Croatian text and the directive, not against a single sector list.

From practice

Most Croatian operators we meet still read NIS 2 as a continuation of the older critical infrastructure framework. That is only partly true. Supervision now runs through SOA / NCSC-HR with UVNS as EU contact, the scope is broader than under the old regime, and the management body carries personal responsibility for approving risk management and completing its own training.

The practical step is the same as anywhere in the EU: check applicability against the directive, register through the channels under NN 14/2024 and NN 135/2024, set up the four continuous obligations (keep registration data current, incident reporting, supply chain risk, oversight by the management body) and document the minimum. The PiXi platform and e-Ovlaštenja are the operational interface, not the obligation itself.

What the platform delivers

We build the NIS 2 obligation register on the EU layer, not on a single national transposition. The same checklist fits a Croatian subsidiary under NN 14/2024, a German parent under BSIG and a French sister under Ordonnance n° 2024-1093. Article references shift per country, the underlying obligations do not.

For the Croatian scope you start with the applicability check, then incident reporting cadence, supply chain clauses and management body sign-off. Where SOA / NCSC-HR or CERT.hr publishes sector guidance, we link to it. We do not copy it.

Sources
  • Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
  • Implementing Regulation (EU) 2024/2690
  • Zakon o kibernetičkoj sigurnosti, NN 14/2024 — Narodne novine
  • Uredba o kibernetičkoj sigurnosti, NN 135/2024 — Narodne novine
  • SOA — Sigurnosno-obavještajna agencija, official site
  • NCSC-HR — National Cyber Security Center, hosted by SOA
  • UVNS — Office of the National Security Council, EU single point of contact
  • CERT.hr — operated within CARNet, national CSIRT
  • PiXi — Croatian NIS 2 incident reporting platform (CARNet)
Clarify your Croatian scope in under five minutes
The applicability check applies the size and sector test from the directive. If the Croatian subsidiary is in scope, the next step is registration under NN 14/2024 and PiXi.