- Nov 10, 2023

Cybersecurity regulation - the Croatia example

In EU member states, all talk is about the upcoming EU NIS2 directive (full name "Directive on measures for a high common level of cybersecurity across the Union"), expected to be enforced no later than October 2024 in national legislations.

The directive aims to provide legal measures to boost the overall level of cybersecurity in the EU. However, due to the Brussels effect, the directive is being effectively mirrored outside the EU as well, especially in neighboring countries in the Adriatics region, such as Serbia and Bosnia and Herzegovina.

But returning to EU level, let's take a look at the anticipated cybersecurity management framework at a state level in one EU country: Republic of Croatia.

NIS2 in Croatia appears to be a centralized model granting key responsibilities to the

Security and Intelligence Agency (SOA), with existing institutions still retaining

supervisory and/or supporting roles.

National Cybersecurity Center (NCSC) - the default

Under NIS2, SOA will expand its capabilities and boost a National Cybersecurity Center (NCSC). The NCSC will become the default supervisor for most NIS2 sectors, except so-called autonomous and semi-autonomous sectors.

NCSC thus becomes the main competent authority defining and managing the list of NIS2 essential and important entities, with the following roles:

Supervisor and CSIRT for NIS2 regulated entities (barring the autonomous and semi-autonomous sectors)
CERT/CSIRT for public administration
Operates a national SOC provider (SK@UT)

Autonomous and semi-autonomous sectors

Although NCSC will cover most regulated entities, many more will be affected by sectorial authorities.

First, the so-called 3 autonomous sectors will keep being supervised by current regulatory authorities:

Banking
Financial markets
Air transport

In these sectors the regulatory oversight and audits are deemed to already exceed NIS2 requirements. They are regulated respectively by Croatian National Bank (HNB), the Financial Services Supervisory Agency (HANFA) and Croatian Civil Aviation Agency (HACZ).

Another group of exception are the semi-autonomous sectors, where there is some existing cybersecurity regulation, which needs to be "upgraded" to NIS2:

Public Administration
Scientific research and education
Telecom providers
Qualified trust service providers

Here the supervising competent authorities are:

National Security Council (UVNS), for public administration
Ministry of Science and Education (MZO)
Regulatory Authority for Network Industries (HAKOM), for telcos
Central State Office for Digital Society Development (SDURDD) for trust service providers

Other stakeholders

The Croatian Academic and Research Network – CARNET, a provider of IT services for educational and research institutions, will retain the role of national CERT, primarily addressing the needs from the private sector and citizens. However, they will also operate centralized incident reporting, based on the current application called PiXi. It's not clear if this will overlap or duplicate the NCSC requirements in terms of incident reporting requirements.

Several ministries have supporting role in NIS2: for ex. Ministry of health for pharma and other healthcare providers, the Ministry of economy for the energy sector, and the Ministry of transport for transportation services. It's not yet clear if these will demand further requirements on the regulated entities or how their supporting role will look like in NIS2 context.

Another stakeholder is the Information Systems Security Bureau (ZSIS), which is in charge of the cyber security certification process, in accordance with European cybersecurity certification schemes (Regulation EU 2019/881). The certifications are currently voluntary and may be implemented according to NIS2, but are not a must. However, the EU Commission is empowered to adopt delegated acts specifying which entities are to be required to use certain certified products or services in the future. So the role of ZSIS is bound to increase with time.

Finally, private companies are envisioned to seize the opportunity and provide compliance audits as well as various security services supporting NIS2 (penetration testing, vulnerability scans, etc.).

Summary

NIS2 in Croatia is mostly based on the Security and Intelligence Agency (SOA) National Cybersecurity Center (NCSC). However, many responsibilities and roles of existing authorities and supporting institutions are kept intact.

That risks introducing duplication and coordination issues, and may hamper effective implementation and even response in case of serious cybersecurity incidents.

Also, duplication of roles (especially around reporting) may complicate compliance for affected entities.

More on the NIS2 novelties - see here.

NIS2 Croatia

.pdf

Download PDF • 298KB

Multifactor Authentication Bypass Phishing Kits on the Rise

New Report Outlines Regional Perspective on Incident Trends

Zero-Day Vulnerabilities Affecting VPNs: 2024 Does Not Look Good So Far

Moscow OT Infrastructure Breached: the Lessons

Here we go again: A Public-Facing Vulnerability in Palo Alto Networks Firewalls

Supply chain attack against open source?

Ransomware accelerates the move to cloud services? The British Library case

The latest SEC cybersecurity incident disclosures - what's the result so far?

UnitedHealth ransomware attack - what's behind it?

Business Email Compromise (BEC), more costly than ransomware?

Multifactor Authentication Bypass Phishing Kits on the Rise

[Webinar]: Cyber Resilience Act - What's Coming Our Way?

New Report Outlines Regional Perspective on Incident Trends

Cybersecurity regulation - the Croatia example

National Cybersecurity Center (NCSC) - the default

Autonomous and semi-autonomous sectors

Other stakeholders

Summary

Latest news

Subscribe to Our Newsletter