Croatia (HR)

Croatia implemented its national cybersecurity strategy in 2015: NATIONAL CYBER SECURITY STRATEGY OF THE REPUBLIC OF CROATIA (EN)

The strategy covers 7 of the 15 strategic goals in the ENISA self-assessment classification. These strategic goals are: Cybercrime; international cooperation; incident reporting mechanisms; R&D; incident response capability; balance security with privacy; baseline security requirements. 

It calls for a systematic approach in the application and enhancement of the national legal framework by pursuing activities and measures to increase security, resilience and reliability in cyberspace.

Other key measures are establishing more effiecient mechanisms of information sharing, increasing awareness, fostering the development of harmonised educational programmes and research and development. 



Role of education in the national strategy

Awareness and training is foreseen mostly for the public sector:

  • Connect institutions such as the State School for Public Administration, Police Academy and Judicial Academy with the universities, especially the units with established and high-quality programmes in the area of information security, personal data protection, cybercrime, etc.
  • Raise the level of knowledge about information security in all the segments of the society with campaigns including public media.
  • Implement content related to cybersecurity awareness raising in other school subjects as interdisciplinary content.
  • Call pupils’ and parents’ attention to the threats in the information society in homeroom classes, PTA meetings, thematic lectures and other extracurricular activities.
  • Include cybersecurity topics in professional development programmes for teachers.
  • Include segment-specific cybersecurity topics in training programmes for civil servants.
Public-private Partnerships

While Croatia has no formal public-private partnerships, several initiatives aim to strengthen links between different sectors of society or can serve as multipliers in reaching companies and other organisations on the importance of cybersecurity.

CARNet, the National CERT, has jurisdiction over all parties that use a Croatian IP address and will liaise with private organisations for the purpose of cybersecurity incident prevention and incident response.

The Croatian Regulatory Authority for Network Industries (HAKOM) is an independently-run public authority that liaises with the private sector in its support role of the communication industry.

RACVIAC — Centre for Security Cooperation is a representative body for the defence and security sectors in south-eastern Europe, based in Croatia.

The Croatian Defense Industry Competitiveness Cluster (HKKOI; English) brings together the country’s relevant SMEs in cooperation with Croatia’s Ministry of Defence to spin out commercial applications from military technologies. HKKOI’s members are active mainly in the fields of advanced materials, cyber security, electronics, energy, ICT, robotics and the land, maritime and naval sectors. HKKOI is focused on boosting the capacities of its SMEs by linking them to the value chains of larger enterprises to develop new products and services. The cluster is also expanding its international cooperation, and currently has contacts with the European Defence Agency and the region of Andalusia.

There is also the Association of Croatian ICT clusters.

The Croatian Regulatory Authority for Network Industries (HAKOM; English Version) is a public authority that supports the communication industry. HAKOM liaises with the private sector in the course of its duties.

Operational capacities building

The Information Systems Security Bureau (ZSIS; Croatian; English version is the national competent authority for network and information security as stated in the Act on Information Security 2007. It operates under the Office for National Security.

Croatia has two established computer emergency response teams (CERTs). CARNet, the National CERT (Croatian; English Version).

ZSIS CERT,  (English Version) was established in 2009 and is responsible for coordinating security and incident response measures for parties that use a Croatian IP address or .hr domain.

The Information Systems Security Bureau’s ZSIS CSI (English Version) has jurisdiction over Croatian government institutions.


EU Cyber Professional Register for national stakeholders

The CyPR is all about boosting opportunities in the cybersecurity marketplace. 

This European Cybersecurity Professional Register is the place where professionals of any age can promote their specific skill sets and experiences in cybersecurity, courses taken and qualifications.

Organisations of any size or sector (from SMEs to large companies and public institutions can find and contact the right skills and experiences they need to improve their IT security posture.

Latest Update & Disclaimer

January 2021

The information contained here is based on desk research carried out by, including the ENISA interactive maps on national strategies and educational courses. 



CYBERSECURITY RESPONSE TEAMS: GDPR and NIS Directive: Compliance and Notification

National Computer Security Information Response Team (CSIRT)
Computer Emergency Response Team (CERT)

Notification obligations in the event of a cyber-attack/data breach
NIS Directive (operators of essential services and digital service providers): actual, adverse and significant impact on the continuity of essential services. Actual, adverse and substantial impact on the provision of enumerated digital services.
GDPR (any organisation dealing with the data of EU citizens): accidental or unlawful destruction, loss, altercation, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

National contact

Incidents can be submitted by e-mail at the address The report must contain:

  • Original log files (from server or network devices) where can be seen unwanted network activities and what is the type of incident.
  • Your description of an incident.
  • Date, exact time (possibly by minute and second) and time zone.
  • IP address and/or computer name of attack target.
  • IP address and/or computer name of attack source.
  • Additional files connected to the incident like e-mail with its header, malicious web URL and other.
Acknowledging report is sent informing that incident report has been received.
Languages Croatian and English
Latest Update & Disclaimer

The information contained here is the result of desk research carried out by 


Contact us for more info


Croatia (HR) | Cyber Range & Capacity Building in Cybersecurity


The website encountered an unexpected error. Please try again later.