
What Distinguishes Growing Companies from Those That Decline

Written by: Marko Gulan

The management of Croatian companies today stands at a clear turning point. Cybersecurity is no longer a topic for the IT department alone, nor a matter of goodwill. It is becoming a regulatory obligation and, more importantly, a foundation for survival and development. The NIS2 directive, the Cybersecurity Act and the certification scheme for security audits are changing the rules of the game for good.

Security certification has brought what has long been missing: clarity. Since the Cybersecurity Act came into force, the entities subject to it have faced a dilemma over who will conduct the audits: individuals, consultants or specialised companies. It is now clear that audits can be conducted only by organisations that have a sufficient number of competent people and have passed a rigorous check of their competencies. And not just technical competencies, but auditing competencies as well.

An auditor today must understand network architecture just as well as risk assessment or business continuity planning. This raises the bar of seriousness, but it also creates a very narrow framework in which only a small number of companies in Croatia will be able to meet the high criteria. The message is clear: this is no longer an "additional service" but a regulated, highly specialised job that requires proven expertise.

More and more companies recognize the importance of security

It is positive that today we can talk about resilience, because resilience will be the cornerstone of sustainable business and of a company's ability to respond to tomorrow's threats. Until now, security in most sectors has been reduced to goodwill and occasional business needs. Today it is becoming a legal obligation for an increasing number of entities.

Of course, there is always the danger that some companies will choose a minimalist approach, meet the legal minimum and create a false sense of security. However, it is encouraging to see that more and more companies view this obligation as an opportunity to build security into their business systematically.

NIS2 and the Act act as a catalyst for a shift in thinking, encouraging the creation of a security culture and a more serious approach to risk management. And a security culture is what, in the long run, distinguishes companies that merely survive from those that build trust and grow.

The biggest challenge, however, remains with management. Although the law is clear, in practice security is still too often delegated to IT. This is a dangerous misconception. When everything is reduced to an "IT project", the company ends up with generic solutions and superficial compliance that satisfies the form but does not build resilience.

Small and medium-sized enterprises are additionally burdened by a lack of people and departments that could take on this responsibility. But therein lies their chance: by using as-a-service models and external experts, they can achieve a level of protection and knowledge that was previously out of reach.

We are missing at least a thousand people

It should also be emphasised that there is a third challenge: the lack of competencies in recognising threats and incidents. If an organisation does not know how to recognise that it has been compromised, even the best plans are worth little. This is an area where external security operations centres and specialised monitoring services will play a key role, because they give companies real-time signals and let them respond before the damage escalates.

Regarding experts, the problem is complex. We are missing at least a thousand people, perhaps even more. Not only engineers, but also information security experts, industrial security specialists and legal expertise in cyber matters. Croatia does not have a deficit only in technology but in interdisciplinary knowledge.

However, this does not mean that the market lacks capacity. Most companies realistically cannot afford a top expert full-time, but the solution already exists: external experts, vCISO models and specialised companies that offer the services needed to implement the Act and build resilience.

Inaction can result in penalties

What truly holds us back is not the lack of experts but the delay in decision-making. If management waits until the last moment, a bottleneck will form and resources will be overloaded. April 2026 is already at the door, and that is when the first deadline for implementing measures expires, followed by a two-year deadline for audits and self-assessments. The regulator will not accept excuses. It will ask why nothing was done, and inaction can also result in the prescribed penalties.

The solution is clear: decisions need to be made now. The market has the capacity and expertise to help, but time is not on our side. Companies that start immediately will have enough room to align systematically, build resilience and leverage security as a new market advantage. Those that wait will pay dearly, and late.

This is where leaders differ from those who lag behind: leaders recognise risk in time, make decisions and take action. Digital resilience is not merely a new obligation but a new currency of trust. And trust is what future markets will be built upon.
