Croatia

Croatia: Act on Cybersecurity of Operators of Essential Services and Digital Service Providers

Croatia’s Act on Cybersecurity of Operators of Essential Services and Digital Service Providers, passed in 2018, requires operators of essential services and digital service providers to take appropriate and proportionate technical and organisational measures to manage the risks to their network and information systems and to ensure the continuity of their services. The act covers essential services in sectors including energy, transport, finance, healthcare, and digital infrastructure; an operator is identified as an operator of essential services when the service depends on network and information systems and an incident would have a significant disruptive effect on its provision (Part II). These services are considered critical for the functioning of society, and their disruption or failure could significantly impact public health, safety, or economic well-being.

The act also requires operators of essential services and digital service providers to notify the competent CSIRT of incidents with a significant impact on the security of their networks and information systems, using criteria that determine the impact of an incident (Part IV). The competent authorities designated in Part V (competent sectoral authorities, the single national point of contact, the Office of the National Security Council, the competent CSIRTs, and the technical compliance evaluation authority) oversee compliance, assess the security of these systems, coordinate responses to incidents, and provide guidance and support to operators of essential services and digital service providers. Non-compliance with the act’s provisions is punishable by fines (Part VII, Articles 42 to 45).

Croatia’s Act on Cybersecurity aims to improve the resilience of essential services and digital infrastructure against cyber threats, enhance collaboration between public and private stakeholders, and promote a culture of cybersecurity in society. It transposes the European Union’s Directive on Security of Network and Information Systems (Directive (EU) 2016/1148, the NIS Directive), which sets out the same requirements for operators of essential services and digital service providers across the EU. The NIS Directive has since been replaced by Directive (EU) 2022/2555 (NIS2), which member states were required to transpose by 17 October 2024, so the obligations summarised here reflect the 2018 regime rather than the current one. The act reflects the growing recognition of cybersecurity as a national security and public safety issue, and of the need for coordinated and proactive measures to address it.

PART I: BASIC PROVISIONS
Article 1 – Subject and Scope
Article 2 – Harmonization with the EU legislation
Article 3 – Application
Article 4 – Relationship with other legislation
Article 5 – Definitions

PART II: OPERATORS OF ESSENTIAL SERVICES AND DIGITAL SERVICES
Article 6 – Identification of operators of essential services
Article 7 – Identification procedure
Article 8 – Determining the significance of incident’s disruptive effect
Article 9 – Determining the dependency on network and information system
Article 10 – Identification notification
Article 11 – Submitting information necessary for identification of operators of essential services
Article 12 – List of operators of essential services
Article 13 – Digital services

PART III: MEASURES FOR ACHIEVING A HIGH LEVEL OF CYBERSECURITY OF OPERATORS OF ESSENTIAL SERVICES AND DIGITAL SERVICE PROVIDERS
Article 14 – Obligation to implement measures
Article 15 – Risk management measures for operators of essential services
Article 16 – Risk management measures for digital service providers
Article 17 – Scope of measures’ implementation
Article 18 – Measures’ implementation according to risk assessment
Article 19 – Responsibility for measures’ implementation
Article 20 – Stipulating the measures

PART IV: INCIDENT NOTIFICATION
Article 21 – Responsibility for notification
Article 22 – Criteria to identify the impact of incidents
Article 23 – Notification of incidents
Article 24 – Informing the public about the incident

PART V: COMPETENT AUTHORITIES
Article 25 – Competent sectoral authorities
Article 26 – Oversight
Article 27 – Obligations of operators of essential services and digital service providers within the oversight framework
Article 28 – Subject of oversight
Article 29 – Oversight implementation
Article 30 – Single national point of contact
Article 31 – Office of the National Security Council
Article 32 – Competences of the competent CSIRT
Article 33 – Ensuring the conditions for performance of competent CSIRT’s tasks
Article 34 – Technical compliance evaluation authority
Article 35 – Request for compliance evaluation
Article 36 – Provision of information during compliance evaluation
Article 37 – Report on compliance evaluation
Article 38 – Final report on compliance evaluation
Article 39 – Notification on disabling or hindering the implementation of compliance evaluation

PART VI: PROTECTION OF INFORMATION
Article 40 – The lists of operators of essential services
Article 41 – Competent authorities referred to in this Act shall handle the information of operators of essential services and digital service providers

PART VII: PENALTIES
Articles 42 – 45: Fines

PART VIII: TRANSITIONAL AND FINAL PROVISIONS
Article 46 – The Regulation referred to in Article 20 paragraph 1
Article 47 – Competent sectoral authorities
Article 48 – Operators of essential services
Article 49 – Digital service providers
Article 50 – This Act shall enter into force
