Croatia (HR) | CYBERWISER.eu

Croatia adopted its national strategy on cybersecurity in October 2015.

Principles:

Comprehensive nature of the approach to cyber security by covering cyberspace, infrastructure and users under the Croatian jurisdiction (citizenship, registration, domain, address).
Integration of activities and measures arising from different cyber security areas and their interconnection and supplementation in order to create a safer cyberspace.
Proactive approach through constant adjustment of activities and measures, and adequate periodic adaptation of the strategic framework they stem from.
Strengthening resilience, reliability and adjustability by applying universal criteria of confidentiality, integrity and availability of certain groups of information and recognised social values, in addition to complying with the appropriate obligations related to the protection of privacy, as well as confidentiality, integrity and availability for certain groups of information, including the implementation of appropriate certification and accreditation of different kinds of devices and systems, and also business processes in which such information is used.

Main goals:

Systematic approach in the application and enhancement of the national legal framework
Pursuing activities and measures to increase the security, resilience and reliability of cyberspace
Establishing a more efficient mechanism of information sharing
Raising security awareness
Stimulating the development of harmonised education programmes
Stimulating the development of e-services
Stimulating research and development
Systematic approach to international cooperation

NATIONAL CYBERSECURITY STRATEGY - NIS Capacities

Year of adoption	2015 NATIONAL CYBER SECURITY STRATEGY OF THE REPUBLIC OF CROATIA (ENGLISH VERSION), http://www.uvns.hr/UserDocsImages/en/dokumenti/Croatian%20National%20Cyb...(2015).pdf.
Updates and revisions	No updates have emerged from WISER desk research.
Operational capacities building	The Information Systems Security Bureau (ZSIS) (Croatian, https://www.zsis.hr/; English, https://www.zsis.hr/default.aspx?id=30) is the national competent authority for network and information security for Croatia, as stated in the Act on Information Security 2007. It operates under the Office for National Security. Croatia has two established computer emergency response teams (CERTs). CARNet, the National CERT (Croatian, http://www.cert.hr/ and English, http://www.cert.hr/en/start). ZSIS CERT, (English, https://www.zsis.hr/default.aspx?id=114) established in 2009 is responsible for coordinating security and incident response measures for parties that use a Croatian IP address or .hr domain. The Information Systems Security Bureau’s ZSIS CSI (English, https://www.zsis.hr/default.aspx?id=113) has jurisdiction over Croatian government institutions. Since 12 July 2009 CERT ZSIS is a full member of Trusted Introducer (https://www.trusted-introducer.org/), which gathers mostly European CERT/CSIRT teams and represents a platform for exchange of knowledge and experience in handling computer security incidents. Service Trusted Introducer is held by TF-CSIRT working group within a scope of the European academic and research network GÉANT. Since 27 June 2012 CERT ZSIS is a full member of FIRST organisation, a world's association of CERT/CSIRT teams which, as Trusted Introducer, represents a platform for promotion of knowledge on computer security incidents management in a wider international environment.
Legal conditions	National legislation: http://www.uvns.hr/UserDocsImages/en/dokumenti/info-security/Information.... Specific legislation on cybercrime has been enacted through the following instruments: Croatian Criminal Law (January 2013). Specific legislation and regulation related to cybersecurity has been enacted through the following instruments: Law on Information Security 2007. Law on Protection of Personal Data 2003. Law on Ratification of conventions on cybercrime 2002. Law on Electronic Document. Law on the Security and Intelligence System 2006. Ordinance on the manner and deadlines for the implementation of measures for protection safety and integrity of networks and services 2012. Regulation on Information Security Measures 2008.
Business and Public-private partnerships	While Croatia has no formal public-private partnerships, several initiatives aim to strengthen links between different sectors of society or can serve as multipliers in reaching companies and other organisations on the importance of cybersecurity. CARNet, the National CERT, has jurisdiction over all parties that use a Croatian IP address and will liaise with private organisations for the purpose of cybersecurity incident prevention and incident response. The Croatian Regulatory Authority for Network Industries (HAKOM) (https://www.hakom.hr/default.aspx?id=7; English), itself an independently-run public authority, liaises with the private sector in its support role of the communication industry. RACVIAC — Centre for Security Cooperation (http://www.racviac.org/; English) is a representative body for the defence and security sectors in south-eastern Europe, based in Croatia. The Croatian Defense Industry Competitiveness Cluster (HKKOI; https://www.endr.eu/organisation/croatian-defense-industry-competitivene... English) brings together the country’s relevant SMEs in cooperation with Croatia’s Ministry of Defence to spin out commercial applications from military technologies. HKKOI’s members are active mainly in the fields of advanced materials, cyber security, electronics, energy, ICT, robotics and the land, maritime and naval sectors. HKKOI is focused on boosting the capacities of its SMEs by linking them to the value chains of larger enterprises to develop new products and services. The cluster is also expanding its international cooperation, and currently has contacts with the European Defence Agency and the region of Andalusia. Association of Croatian ICT clusters, cro.ict hppt://www.cro-ict.net. The Croatian Regulatory Authority for Network Industries (HAKOM; Croatian: https://www.hakom.hr/default.aspx; English: https://www.hakom.hr/default.aspx?id=7) is a public authority that supports the communication industry. HAKOM liaises with the private sector in the course of its duties.
Other capacity-building measures: research and education	Awareness and training is foreseen mostly for the public sector: Connect institutions such as the State School for Public Administration, Police Academy and Judicial Academy with the universities, especially the units with established and high-quality programmes in the area of information security, personal data protection, cybercrime, etc. Raise the level of knowledge about information security in all the segments of the society with campaigns including public media. Implement content related to cybersecurity awareness raising in other school subjects as interdisciplinary content. Call pupils’ and parents’ attention to the threats in the information society in homeroom classes, PTA meetings, thematic lectures and other extracurricular activities. Include cybersecurity topics in professional development programmes for teachers. Include segment-specific cybersecurity topics in training programmes for civil servants.
Implementation & Monitoring	For the purpose of reviewing and improving the implementation of the Strategy and Action plan for its implementation, the Government of the Republic of Croatia will establish the National Cyber Security Council, which, among other actions will monitor and coordinate the implementation; propose measures to improve it; propose the organisation of national exercieses, provide recommendations, reports and guidelines. It will also address issues for cyber crisis management based on the state of security. It will also issue programmes and action plans for the Operational and Technical Cyber Security Coordination Group and direct its work.
Overall assessment/best practices:	The Croatian Defense Industry Competitiveness Cluster (HKKOI) brings together the country’s relevant SMEs in co-operation with Croatia’s Ministry of Defence to spin out commercial applications from military technologies. HKKOI’s members are active mainly in the fields of advanced materials, cyber security, electronics, energy, ICT, robotics and the land, maritime and naval sectors. HKKOI is focused on boosting the capacities of its SMEs by linking them to the value chains of larger enterprises to develop new products and services. The cluster is also expanding its international co-operation, and currently has contacts with the European Defence Agency and the region of Andalusia.
Date of last WISER analysis	October 2017

GDPR and NIS Directive: Compliance and Notification

National Computer Security Information Response Team (CSIRT) Computer Emergency Response Team (CERT)	Notification obligations in the event of a cyber-attack/data breach NIS Directive (operators of essential services and digital service providers): actual, adverse and significant impact on the continuity of essential services. Actual, adverse and substantial impact on the provision of enumerated digital services. GDPR (any organisation dealing with the data of EU citizens): accidental or unlawful destruction, loss, altercation, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
National contact	CARNet Incidents can be submitted by e-mail at the address ncert@cert.hr. The report must contain: Original log files (from server or network devices) where can be seen unwanted network activities and what is the type of incident. Your description of an incident. Date, exact time (possibly by minute and second) and time zone. IP address and/or computer name of attack target. IP address and/or computer name of attack source. Additional files connected to the incident like e-mail with its header, malicious web URL and other. Acknowledging report is sent informing that incident report has been received.
Languages	Croatian and English
Date of last WISER analysis	October 2017