NIS2, DORA, and the Cybersecurity Act – What Awaits Us?

In a world increasingly reliant on digital technologies, cybersecurity is becoming essential for stable business operations. In 2025, Croatian companies face new rules coming from the European Union and domestic legislation. These rules, known as the NIS2 Directive, the DORA Regulation, and the Cybersecurity Act, aim to raise the level of security in the digital space.
Patrik Vuger, a Cloud and Network Engineer who joined us through the acquisition of IDE3, has briefly summarized these regulations for us.
What are the NIS2 Directive, the DORA Regulation, and the Cybersecurity Act?
- NIS2 Directive: A European regulation that expands cybersecurity obligations to more sectors, including energy, transport, healthcare, and digital services. Its goal is to ensure a high level of security for network and information systems across the EU.
- DORA Regulation: Specific to the financial sector, this regulation requires banks, insurance companies, and other financial institutions to strengthen their digital resilience and ability to respond to cyber threats.
- Cybersecurity Act (ZKS): The Croatian law implementing the NIS2 directive into national legislation. It came into force on February 15, 2024, and lays the foundation for cybersecurity management in the country.
Who Does This Regulation Concern?
These regulations cover a wide range of organizations, including:
- Public bodies and institutions
- Private companies in sectors such as energy, transport, healthcare, and digital services
- Financial institutions like banks and insurance companies
- Cities with more than 35,000 inhabitants
If your organization falls into one of these categories, it is important to prepare for the new obligations that come with these regulations.
What Are the Key Deadlines for Compliance?
- By October 17, 2024: EU member states, including Croatia, must transpose the NIS2 directive into national legislation.
- By February 15, 2025: Croatian authorities must notify organizations of their categorization as key or important entities. After that, organizations have one year to comply with the new requirements.
What Is Expected from Organizations?
Organizations will need to implement a range of measures to ensure their cybersecurity, including:
- Establishing clear responsibility for cybersecurity within the organization
- Managing risks and assets
- Ensuring the security of networks and information systems
- Training employees on the basics of cybersecurity hygiene
- Planning business continuity and incident response
These measures are detailed in the Cybersecurity Regulation, which came into force on October 22, 2024.
What Are the Possible Consequences of Non-Compliance?
Non-compliance with these regulations can lead to significant consequences, including:
- Fines up to 10 million euros or 2% of annual turnover
- Loss of trust from clients and partners
- Increased risk of cyberattacks and data loss
How to Prepare?
Preparing to comply with these regulations can be challenging but is crucial for the security and stability of your business. It is recommended to:
- Engage cybersecurity experts
- Conduct an assessment of your current security status
- Develop and implement a compliance plan
- Train employees on new security policies and procedures
Cybersecurity is no longer an option but a necessity in today’s digital world. Compliance with the NIS2 directive, the DORA regulation, and the Cybersecurity Act is crucial to protect your business and data. Start preparing today to avoid potential risks and ensure a secure future for your organization.
Request a free compliance assessment!
Find out today if you are ready for the DORA and NIS2 regulations—and don’t worry, even if you’re not, we will help you get there.