The NIS2 Directive puttied into effect on January 16, 2023, and repeals the NIS1 Directive from 2016 with effect from 18 October 2024. and requires the reconciliation of all Member States, which must carry out the transposition of the NIS2 directive by 17 October 2024, i.e., within 21 months of the entry into force of the NIS2 directive.
The NIS2 Directive sets substantially expanded requirements in relation to the NIS1 Directive, why the existing Cybersecurity Act of Essential Service Operators and Digital Service Providers („Narodne novine “, number 64/18), which transposed the NIS1 directive in the Republic of Croatia, must be repealed and a new framework must be prepared to manage the much more complex requirements of the NIS2 directive.
The two most important changes to the NIS2 directive in relation to the NIS1 directive are:
- the number of sectors, sub-sectors, and types of entities liable for cyber security has increased several times (more than three times), which now includes all key segments of society (Annex I and Annex II of this Draft)
- changing the narrow approach to cybersecurity requirements of the NIS1 Directive, which applied only to the essential services of operators, and the introduction of a comprehensive approach to the NIS2 directive that sets cybersecurity requirements on the entire business of each of the entities that are NIS2 obliged.
The creation of cyber resilience is planned to be achieved both at EU and Member State level through legal prescribing, standardization and introduction of accreditation and certification processes. In this way, the necessary control of entities – obliged entities from the NIS2 directive measures are introduced, as well as systematic control of used software and hardware products and services in the network and information systems of entities obliged entities. This approach is being implemented for the first time at EU level in a holistic manner and for the purpose of systematic regulation of cybersecurity. Such an approach introduces appropriate cybersecurity obligations for all obliged entities, but at the same time opens economic potential at EU level for all Croatian companies with cybersecurity capabilities.
Binding areas for cybersecurity risk assessment cover several areas such as incident handling, business continuity, supply chain security, including security aspects regarding the relationship between each entity and its direct suppliers or service providers, as well as many other areas.
The law, to fully transpose the NIS2 directive into national legislation, provides for the adoption of bylaws, decrees of the Government of the Republic of Croatia, which regulates in more detail the areas from this Act, and the national plan for managing cyber crises, as well as the national plan for the development of cybersecurity, with an action plan for its implementation. In addition, for the purpose of full functionality of the transposition, it is necessary to ensure the functionality of all competent authorities, especially the National Cyber Security Centre, which is being established for the first time in the Republic of Croatia. The deadline for the full transposition of the NIS2 directive in the described sense is October 17, 2024.
The maximum fines are foreseen in the amount of EUR 10,000.00 to EUR 10,000,000.00 or in the amount of 0.5% to a maximum of 2% of the total annual turnover of the entity concerned at the global level achieved in the previous financial year, whichever is higher. There are also cases of minor penalties.
HIGH CRITICAL SECTORS:
- Energy
- electricity
- district heating and cooling
- gas
- hydrogen
- Traffic
- air traffic
- railway transport
- water traffic
- road traffic
- Banking
- Financial market infrastructure
- Health
- health care providers
- reference laboratories
- subjects carrying out research and development activities of medicinal products
- subjects producing basic pharmaceutical products and pharmaceutical preparations
- subjects producing medical devices considered essential during a public health emergency
- Water for human consumption
- suppliers and distributors of water intended for human consumption, excluding distributors for whom the distribution of water for human consumption is not an essential part of their general activity of distribution of other goods and products
- Wastewater
- companies that collect, dispose of or treat municipal wastewater, sanitary wastewater or industrial wastewater, excluding companies for which the collection, disposal or treatment of municipal wastewater, household wastewater or industrial wastewater is not a key part of their general activity
- Digital infrastructure
- providers of internet exchange hubs
- DNS service providers other than root name server operators
- cloud computing service providers
- data centre service providers
- content delivery network providers
- trust service providers
- providers of public electronic communications networks
- providers of publicly available electronic communications services
- Management of ICT services (B2B)
- managed service providers
- Public sector
- state administration bodies
- other state bodies and legal subjects with public authority
- private and public subjects that manage, develop or maintain state information infrastructure in accordance with the law governing state information infrastructure, regardless of their size
- bodies of local and regional self-government units
OTHER CRITICAL SECTORS:
- Postal and courier services
- postal service providers
- courier service providers
- Waste management
- Production and distribution of chemicals
- Production, processing, and distribution of food
- According to Article 3(2) of the Code of Civil Procedure, Regulation (EC) No 1095/2009 In accordance with Regulation (EC) No 178/2002, the term ‘food business enterprise’ means any undertaking, whether profitable or not and whether it is public or private, under which operations relating to any stage of production, processing and distribution of food are carried out.
- Production
- production of medical devices and in vitro diagnostic medical devices
- production manufacture of computers and electronic and optical products
- production of electrical equipment (activities in area C of Section 27 National Classification of Activities 2007 – NKD 2007)
- production of machinery and devicesproduction of motor vehicles, trailers, and semi-trailers
- production of other means of transport
- Digital service providers
- providers of online marketplaces
- providers of internet search engines
- social media platform providers
- Research
- research organizations
- Education system
- private and public subjects from the education system