18 December 2020
As all segments of society are becoming increasingly dependent on technology and various information is becoming more exposed on the Internet, the importance of cyberspace is growing. As a result, cybersecurity initiatives are growing in number and scope. They are no longer directed only towards the government or the public sector but are starting to encompass social and economic sectors of modern society.
The Croatian cybersecurity system is a cross-sectorial complex network of institutions and regulations in constant development but aligned with the requirements acquired through the country's membership of the European Union and the North Atlantic Treaty Organisation. From a legal perspective, various cybersecurity matters are covered by several relevant acts, each addressing different issues within its scope. This article explores this legislation.
The National Cybersecurity Strategy is the key document for cybersecurity in Croatia. Adopted in 2015, and following the adoption of the EU Cybersecurity Strategy in 2013, the National Cybersecurity Strategy is the first strategic document in the field and aims to create an organisational basis for introducing a permanent and systematic approach for protecting the national cybersphere. The document promotes and encourages initiatives on the widest possible national level, coordinating relevant institutions from different sectors.
The strategy identifies eight goals in different cybersecurity areas and defines specific measures for reaching each goal. The measures (a total of 77) are individually elaborated in the strategy's accompanying document, the Action Plan for the Implementation of the Croatian National Cybersecurity Strategy (the action plan).
The eight goals set by the strategy are:
Further, the strategy identifies five cybersecurity areas in which specifically defined actions and measures are needed. They represent the parts of society which are of the highest national importance from a security perspective – namely:
The strategy also defines interrelations covering cybersecurity segments common to all or most of the stated areas. The interrelations have their own specific objectives to be completed through the strategic framework – namely:
The first legal act to regulate cybersecurity matters in Croatia was the Information Security Act (Official Gazette 79/2007), which is still in force. Passed in 2007 and not amended since, the act primarily addresses the issue of information security in the government sector and sets out the foundation for cybersecurity in the public cybersphere.
The act served as the basis for the establishment of two important institutions:
At present, these two institutions are the competent Computer Security Incident Response Team bodies in accordance with the Act on Cybersecurity of Operators of Essential Services and Digital Service Providers.
The Information Security Act is also relevant for appointing the Office of the National Security Council as the National Security Authority, tasked with coordinating the national, EU and NATO measures and standards for the protection of classified and non-classified information in the government sector.
However, the central point in the Croatian cybersecurity legal framework is the Act on Cybersecurity of Operators of Essential Services and Digital Service Providers (Official Gazette 64/2018), which transposes the EU Network and Information Security Directive (2016/1148/EU). The EU directive's main goal is to ensure a high common level of security of network and information systems in all EU member states.
The Croatian Act on Cybersecurity of Operators of Essential Services and Digital Service Providers expands the roles of state institutions in prevention and in protecting the security of information systems by directing protective measures to the key services and digital services sectors identified by the European Union (eg, energy, transport, banking, health sector, online marketplaces, online search engines and cloud computing services), with the addition of key services of national importance.
The act is supplemented by the Regulation on Cybersecurity of Operators of Essential Services and Digital Service Providers (Official Gazette 68/2018). Along with the strategy and the action plan, the Act on Cybersecurity of Operators of Essential Services and Digital Service Providers and the accompanying regulation represent the backbone of cybersecurity regulation in Croatia.
Other acts relevant to cybersecurity include:
Croatia's cybersecurity legislation is aligned with EU initiatives. However, new developments in the cybersphere require an adequate response and adaptations to the existing framework. This is supported by the National Cybersecurity Strategy's aim "to continually improve the national legislative framework, taking into account international obligations".
Cybersecurity regulation is a work in progress. However, the National Cybersecurity Strategy and the action plan are a solid basis for creating a stable cybersecurity system to face the future challenges in the national cybersphere.
For further information on this topic please contact Ivana Manovelo at Maćešić & Partners by telephone (+385 51 215 010) or email (email@example.com). The Maćešić & Partners website can be accessed at www.macesic.hr.