Cybersecurity regulation - the Croatia example
In EU member states, all the talk is about the upcoming EU NIS2 directive (full name "Directive on measures for a high common level of cybersecurity across the Union"), which member states are expected to transpose into national legislation no later than October 2024.
The directive aims to provide legal measures to boost the overall level of cybersecurity in the EU. However, owing to the Brussels effect, the directive is effectively being mirrored outside the EU as well, especially in neighboring countries of the Adriatic region such as Serbia and Bosnia and Herzegovina.
Returning to the EU, let's take a look at the anticipated cybersecurity management framework at state level in one EU country: the Republic of Croatia.
NIS2 in Croatia appears to follow a centralized model granting the key responsibilities to the Security and Intelligence Agency (SOA), with existing institutions still retaining supervisory and/or supporting roles.
National Cybersecurity Center (NCSC) - the default
Under NIS2, SOA will expand its capabilities and build up a National Cybersecurity Center (NCSC). The NCSC will become the default supervisor for most NIS2 sectors, except for the so-called autonomous and semi-autonomous sectors.
The NCSC thus becomes the main competent authority, defining and managing the list of NIS2 essential and important entities, with the following roles:
Supervisor and CSIRT for NIS2 regulated entities (barring the autonomous and semi-autonomous sectors)
CERT/CSIRT for public administration
Operator of the national SOC service (SK@UT)
Autonomous and semi-autonomous sectors
Although the NCSC will cover most regulated entities, a significant number of them will instead answer to sectoral authorities.
First, the three so-called autonomous sectors will continue to be supervised by their current regulatory authorities:
In these sectors the existing regulatory oversight and audits are deemed to already exceed NIS2 requirements. The regulators here are the Croatian National Bank (HNB), the Financial Services Supervisory Agency (HANFA) and the Croatian Civil Aviation Agency (HACZ).
The other group of exceptions are the semi-autonomous sectors, where some cybersecurity regulation already exists but needs to be "upgraded" to NIS2 level:
Scientific research and education
Qualified trust service providers
Here the supervising competent authorities are:
National Security Council Office (UVNS), for public administration
Ministry of Science and Education (MZO)
Regulatory Authority for Network Industries (HAKOM), for telecommunications
Central State Office for the Development of the Digital Society (SDURDD), for trust service providers
The Croatian Academic and Research Network (CARNET), a provider of IT services for educational and research institutions, will retain the role of national CERT, primarily addressing the needs of the private sector and citizens. It will also operate centralized incident reporting, based on its current PiXi application. It is not clear whether this will overlap with or duplicate the NCSC's incident reporting requirements.
Several ministries have a supporting role under NIS2: for example, the Ministry of Health for pharma and other healthcare providers, the Ministry of Economy for the energy sector, and the Ministry of Transport for transportation services. It is not yet clear whether these will impose further requirements on regulated entities, or what their supporting role will look like in the NIS2 context.
Another stakeholder is the Information Systems Security Bureau (ZSIS), which is in charge of the cybersecurity certification process in accordance with the European cybersecurity certification schemes (Regulation (EU) 2019/881, the Cybersecurity Act). These certifications are currently voluntary: they may be used to demonstrate NIS2 compliance, but are not mandatory. However, NIS2 empowers the European Commission to adopt delegated acts specifying which categories of entities will be required to use certain certified ICT products, services or processes. The role of ZSIS is therefore bound to grow over time.
Finally, private companies are expected to seize the opportunity and offer compliance audits as well as various security services supporting NIS2 (penetration testing, vulnerability scanning, etc.).
NIS2 in Croatia is built mostly around the Security and Intelligence Agency (SOA) and its National Cybersecurity Center (NCSC). However, many responsibilities and roles of existing authorities and supporting institutions are kept intact.
That risks introducing duplication and coordination issues, which may hamper effective implementation, and even the response to a serious cybersecurity incident.
Duplication of roles, especially around incident reporting, may also complicate compliance for the affected entities: an entity may find itself reporting the same incident to more than one authority.
More on the NIS2 novelties - see here.