Introduction

As all segments of society become increasingly dependent on technology and information of various kinds becomes more exposed on the Internet, the significance of cyberspace is growing. As a result, cybersecurity initiatives are growing in number and scope. They are no longer directed only towards the government or the public sector but are starting to encompass social and economic sectors of modern society.

The Croatian cybersecurity system is a cross-sectorial complex network of institutions and regulations in constant development but aligned with the requirements acquired through the country's membership of the European Union and the North Atlantic Treaty Organisation. From a legal perspective, various cybersecurity matters are covered by several relevant acts, each addressing different issues within its scope. This article explores this legislation.

National Cybersecurity Strategy

The National Cybersecurity Strategy is the key document for cybersecurity in Croatia. Adopted in 2015, and following the adoption of the EU Cybersecurity Strategy in 2013, the National Cybersecurity Strategy is the first strategic document in the field and aims to create an organisational basis for introducing a permanent and systematic approach for protecting the national cybersphere. The document promotes and encourages initiatives on the widest possible national level, coordinating relevant institutions from different sectors.

The strategy identifies eight goals in different cybersecurity areas and defines specific measures for reaching each goal. The measures (a total of 77) are individually elaborated in the strategy's accompanying document, the Action Plan for the Implementation of the Croatian National Cybersecurity Strategy (the action plan).

The eight goals set by the strategy are:

  • a systematic approach in the application and enhancement of the national legal framework;
  • pursuing activities and measures to increase cyberspace's security, resilience and reliability;
  • establishing a more efficient mechanism for information sharing;
  • raising security awareness;
  • stimulating the development of harmonised education programmes;
  • stimulating the development of e-services;
  • stimulating research and development; and
  • a systematic approach to international cooperation.

Further, the strategy identifies five cybersecurity areas in which specifically defined actions and measures are needed. They represent the parts of society which are of the highest national importance from a security perspective – namely:

  • public e-communications;
  • e-government;
  • e-financial services;
  • critical communication and information infrastructure and cyber crisis management; and
  • cybercrime.

The strategy also defines interrelations covering cybersecurity segments common to all or most of the stated areas. The interrelations have their own specific objectives to be completed through the strategic framework – namely:

  • the protection of information;
  • technical coordination in the treatment of cybersecurity incidents;
  • international cooperation; and
  • education, research and development and raising security awareness with regard to cyberspace.

Key legislation

The first legal act to regulate cybersecurity matters in Croatia was the Information Security Act (Official Gazette 79/2007), which is still in force. Passed in 2007 and not amended since, the act primarily addresses the issue of information security in the government sector and sets out the foundation for cybersecurity in the public cybersphere.

The act served as the basis for the establishment of two important institutions:

  • the Information Systems Security Bureau in 2006; and
  • the National Computer Emergency Response Team in 2008, a department within the Croatian Academic and Research Network.

At present, these two institutions are the competent Computer Security Incident Response Team bodies in accordance with the Act on Cybersecurity of Operators of Essential Services and Digital Service Providers.

The Information Security Act is also relevant for appointing the Office of the National Security Council as the National Security Authority, tasked with coordinating the national, EU and NATO measures and standards for the protection of classified and non-classified information in the government sector.

However, the central point in the Croatian cybersecurity legal framework is the Act on Cybersecurity of Operators of Essential Services and Digital Service Providers (Official Gazette 64/2018), transposed from the EU Network and Information Security Directive (2016/1148/EU). The EU directive's main goal is to ensure a high common level of security of network and information systems in all EU member states.

The Croatian Act on Cybersecurity of Operators of Essential Services and Digital Service Providers expands the roles of state institutions in preventing and protecting information systems security by directing protective measures to key services and digital services sectors, as identified by the European Union (eg, energy, transport, banking, health sector, online marketplaces, online search engines and cloud computing services) with the addition of key services of national importance.

The act is supplemented by the Regulation on Cybersecurity of Operators of Essential Services and Digital Service Providers (Official Gazette 68/2018). Along with the strategy and the action plan, the Act on Cybersecurity of Operators of Essential Services and Digital Service Providers and the accompanying regulation represent the backbone of cybersecurity regulation in Croatia.

Other acts relevant to cybersecurity include:

  • the Criminal Act, which was amended in 2004 to implement the provisions of the Convention on Cybercrime 2001;
  • the Security and Intelligence System Act, which established the Security and Intelligence Agency and the Military Security and Intelligence Agency;
  • the Data Secrecy Act, which defines the degrees of secrecy, classified and non-classified information, access to information, protection and supervision of information;
  • the Act on the Implementation of the EU General Data Protection Regulation;
  • the Electronic Commerce Act, which implemented the EU E-Commerce Directive (2000/31/EC); and
  • the Electronic Communications Act, which implemented several EU directives.

Comment

Croatia's cybersecurity legislation is aligned with EU initiatives. However, new developments in the cybersphere require an adequate response and adaptations to the existing framework. This is supported by the National Cybersecurity Strategy's aim "to continually improve the national legislative framework, taking into account international obligations".

Cybersecurity regulation is a work in progress. However, the National Cybersecurity Strategy and the action plan are a solid basis for creating a stable cybersecurity system to face the future challenges in the national cybersphere.

For further information on this topic please contact Ivana Manovelo at Macešic & Partners by telephone (+385 51 215 010) or email ([email protected]). The Macešic & Partners website can be accessed at www.macesic.hr.