
Croatia Among the First in the EU to Incorporate NIS2 into Legislation


Within the European Union, Croatia is rarely regarded as a leader, but it can currently claim to be among the first member states to roll up its sleeves and transpose the strict requirements of the European NIS2 directive into national legislation, and in record time, by adopting the Cybersecurity Act. According to the National Cybersecurity Centre of the Security and Intelligence Agency (NCSC-HR), most EU member states have not yet adopted national laws and have therefore not begun implementing the directive.

In Croatia, since the Act came into force in February 2024, the categorization of key and important entities and their cybersecurity obligations have been prescribed. The circle of entities covered by the Act will expand year by year, and the certification rules for cybersecurity audits have recently been published as well. This document stipulates who may conduct cybersecurity audits and under what conditions, what exactly an audit report must contain, and what the entire process of obtaining a national security certificate looks like.

Security Certification

In other words, security certification has introduced what has been lacking so far – clarity, says Marko Gulan, a cybersecurity consultant and director of Astera Advisory.

– For a long time, there has been a dilemma among the obligated parties of the Cybersecurity Act regarding who will actually conduct the audits: individuals, consultants, or specialized companies. The new certification provides a clear answer to that – audits can be conducted by companies that have individuals with certain competencies and have undergone a rigorous process of expertise validation – emphasizes Gulan.

Additionally, auditors must align their own operations with the law and possess a high level of technical knowledge, as well as be able to assess risks and understand what it means to ensure business continuity.

– Such requirements raise the bar of seriousness, but at the same time create an impression of uniformity as if a very narrow framework is being set in which only a small number of companies in Croatia can meet the criteria. This is a message to the market: this is no longer an ‘additional service’ that someone can offer on the side. This is a regulated, highly specialized job that requires proven expertise – explains Gulan.

Key Independence

The certification process is initiated by a company that wants to become an authorized auditor, and after meeting all conditions and passing the verification, it is registered in a publicly accessible register. The certificate is valid for three years, and during that period, auditors are subject to oversight by the Information Systems Security Agency.

– The goal of certification is to ensure clear and uniform standards for cybersecurity auditors and to increase trust in their work – state NCSC-HR, the central state body for cybersecurity.

However, independence is key in certification, notes Krunoslav Čolak, Management Advisor at the Križ Data Center and founder of the cybersecurity company Melius Solutions.

– A company that provides you with operational security services cannot simultaneously conduct audits for you or have done so in the past two audit cycles. Audits are conducted exclusively by employees of certified managed security service providers, according to a predefined plan and standardized report that separately evaluates documentation and the actual implementation of measures, from multi-factor authentication to backups and vulnerability management – explains Čolak.

Neven Matas, director of cybersecurity at Infinum, emphasizes that certification ensures not only formal compliance: regular oversight and evaluations continuously improve security.

– Certification also brings direct business advantages as it strengthens trust among clients and partners, opens doors to new markets, and increases competitiveness – adds Matas.

Antonija Vojnović, head of the Management, Risk, and Compliance Department at Span, believes that expectations across the entire business ecosystem will consequently increase. She states that due to certification, ‘both partners and suppliers will be under pressure to raise the level of cybersecurity’.

– Therefore, even though not all organizations will be certified, the impact of this process on the security culture and strengthening digital resilience in Croatia will be greater than the scope itself – adds Vojnović.


Good and Bad News

Both Matas and Vojnović note that generally larger companies in Croatia, especially those in the financial sector, are more willing to adapt to changes and new requirements related to cybersecurity. However, smaller and medium-sized companies still face a lack of knowledge, resources, and skilled personnel necessary for systematic risk management.

– In smaller and medium-sized enterprises and parts of the public sector, awareness and the level of applied security measures are still not at the level required by the legislative framework. NIS2 brings stricter requirements, from risk management and incident reporting to establishing clear procedures and responsibilities at the management level – warns Matas.

However, both agree that these current difficulties will prompt companies to take concrete steps, and consequently better secure their operations.

– In practice, this means that many organizations will have to invest intensively in processes, education, and technical solutions to achieve compliance with the Cybersecurity Act. The transition is expected to be challenging but also stimulating, as it will contribute to strengthening the overall level of cybersecurity resilience in the country – believes Vojnović.

Čolak, on the other hand, points out that for smaller companies, challenges include maintaining an up-to-date inventory of assets, managing risks in the supply chain, and limited capacities for simultaneously implementing new processes, tools, and documentation. He adds that in the short term, organizations will work more on asset inventory, orderly records, and basic technical measures, but that this will pay off in the medium term due to fewer incidents and faster recovery.

Gulan emphasizes that the biggest challenge remains involving management in the compliance process, as in practice, security is still too often pushed into IT departments. The good news is that these entrenched patterns of thinking are changing in Croatian companies.

Thousands of Experts Needed

Nevertheless, all the experts agree that the shortage of cybersecurity personnel is currently the biggest problem for digital resilience, not only in Croatia but also in Europe and the world. Mihaela Trbojević, a member of the Management Board at Span, cites research from ISC2, the global organization for cybersecurity professionals, which shows that around 4.8 million such experts will be needed worldwide in 2024. For Croatia, she notes, there is no specific research that would provide exact numbers, but it is undeniable that Croatia is also facing a serious shortage of experts.

– Although there are positive developments in addressing this issue, such as undergraduate studies and micro-qualifications in the field of cybersecurity, the gap between market needs and available personnel is still large – emphasizes Trbojević.

Matas points out that there is a shortage of experts in operational security and incident management, as well as specialists in testing, forensics, and security architecture.

– Given the European Commission’s estimate that there is a shortage of between 260,000 and 500,000 cybersecurity experts in the EU, proportionate to the size of our market, this means that Croatia also records a shortage of several hundred to several thousand specialized personnel. This is a consequence of accelerated digital development, increased regulatory requirements such as NIS2, and the global trend of rising demand for these profiles – explains Matas.

Matas considers the competition for this talent particularly challenging because it is not confined to the local level: Croatian experts easily find opportunities abroad, and domestic companies struggle to match the conditions offered by global competitors. All of this, he says, can significantly slow down the implementation of the Cybersecurity Act, which depends on the availability of qualified people who can design, implement, and oversee security measures.

– If there are not enough of these people, there is a real danger that organizations will fall behind in compliance or that security policies will remain only ‘on paper’, without actual implementation. Therefore, investing in education, certification, and personnel development is crucial to ensure there are enough experts who can implement and maintain cybersecurity standards – notes Matas.


Do Not Delay

Gulan confirms that there is a shortage of experts in the labor market, but notes that enough people are employed in specialized companies or work as external consultants who can assist other companies with cybersecurity; the question is how willing the companies themselves are to engage them. Ultimately, not every company needs an internal CISO (chief information security officer) or an employed security director.

– The implementation of the Act itself should not be slowed down due to a lack of experts; the market has enough capacity to meet the needs. What really slows down is the slowness of decision-making at the management level. If compliance and resilience are not discussed today, then tomorrow there will certainly be discussions about crisis situations, losses, and emergency budget reallocations to remedy the consequences. In other words, we will either plan in time or we will pay dearly later – believes Gulan.

In his experience, the excuse of a lack of personnel simply does not hold, as there are enough external experts in the market.

– The problem is not resources; the problem is procrastination. The deadline of April 2026 for implementing the measures from the Act is very close, and after that, a two-year period for audits and self-assessments begins. The regulator will not ask for justifications but for reasons for inaction – warns Gulan, who sees the solution in timely decision-making.

– If compliance is put on the management’s table today, there is enough time and resources to carry out the process effectively and systematically – he conveys.

Matas adds that the new requirements should be viewed as an opportunity for growth and increased competitiveness. On the other hand, the National Cybersecurity Centre states that auditing companies should certainly ‘view the audit as a business opportunity for their own profiling in the field of cybersecurity audits’ as this is recognized at the EU level.