Preparing for NIS2 Compliance: Key Steps for Croatian Organizations

cybersecurity

Published: 10 September 2025

Author: Azur Saciragic

Reading time: 3 minutes

As a cybersecurity professional who has worked with Croatian organizations for over a decade, I want to draw attention to a change that now demands strategic attention from organizational leadership: NIS2 compliance.

Croatia's Cybersecurity Act is already in force. Many organizations fall under these new rules, and the regulatory notifications went out in early 2025. If you received one, you have around 18 months to achieve full compliance.


Let me put this in perspective: if you are a bank, a telecom operator or any other essential-sector entity with at least 250 employees, you are in scope. The regulatory framework is settled and enforcement is approaching rapidly.

Compliance Transition Preparation


From my experience helping organizations through compliance transitions, early preparation consistently leads to better outcomes and lower costs. Essential entities face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For most Croatian companies, this represents significant financial exposure that calls for proactive attention.
The penalties reflect how seriously regulators take cybersecurity resilience in critical sectors. European regulators have demonstrated consistent enforcement with GDPR, and NIS2 follows similar principles. The key difference is that cybersecurity failures have an immediate operational impact: a system disruption affects business continuity directly.

What Organizations Should Consider


In my work, I see solid security measures in place: firewalls, endpoint protection, and monitoring systems. However, NIS2 requires additional capabilities that many organizations have not yet addressed, particularly key management strategies and incident reporting procedures that can meet the 24-hour early-warning requirement (followed by a full incident notification within 72 hours and a final report within one month).
NIS2 goes beyond traditional security measures. It mandates documented cryptographic policies, formal key management, and board-level cybersecurity governance. These are operational requirements that will be subject to regulatory audit.

The 18-Month Implementation Window


From notification to full compliance, organizations typically have about 18 months to complete implementation. This timeline requires careful planning once you consider the necessary steps and their durations:

  • Complete risk assessment and gap analysis (3-4 months)
  • Procurement and vendor selection (2-3 months)
  • Implementation and integration (8-10 months)
  • Testing, documentation, and audit preparation (2-3 months)


These phases usually have to run sequentially, and their combined duration already fills most of the 18-month window, which is why organizations that begin strategic planning now position themselves far better for successful compliance.


How CipherTrust Manager Can Help You Achieve Compliance


I've been working with Thales CipherTrust Manager for NIS2 readiness assessments across several organizations. The platform addresses common compliance requirements: centralized key management, automated policy enforcement, and audit-ready documentation.

Thales provides a self-assessment tool aligned with the Article 21(2) requirements. This assessment helps organizations understand their current position relative to regulatory expectations, and the results often reveal implementation priorities that were not initially apparent.
The platform's strength lies in consolidation. Instead of managing cryptographic policies separately across multiple systems, organizations gain unified control with comprehensive audit trails.


My Recommendation: Start With Assessment


Strategic compliance planning should begin with comprehensive assessment rather than immediate technology procurement. This involves mapping critical systems, identifying sensitive data, and documenting current security processes.


For Croatian organizations, this means:

  • Understanding which specific NIS2 categories apply to your operations
  • Mapping existing controls against the 10 security measures that Article 21(2) requires as a minimum
  • Identifying gaps in governance, incident response, and cryptographic controls
  • Developing realistic implementation timelines with appropriate contingencies

 

How Alfatec Can Help You

Most organizations benefit from external expertise when dealing with NIS2 compliance. The regulatory requirements are detailed, the technology continues to evolve, and getting the implementation right matters.
Working with experienced partners supports proper risk management. Organizations that combine internal ownership with external expertise typically achieve faster implementation and reduced compliance risk. Reach out to us for more information.

Final Thoughts


Organizations are already receiving preliminary guidance from sectoral authorities, and formal notifications are approaching.
Starting structured preparation now helps you avoid managing compliance under time pressure, with limited options and significantly higher implementation costs.