EU mandates: cyber security is a must-have
NIS2 Directive - comply on time
Creating resilience and protection against cyberattacks at the EU level.
To help determine your organization's level of compliance with the NIS2 Directive, download the self-assessment tool.
Find out in which areas you are compliant and in which there is room for improvement.
What is the NIS2?
The NIS2 Directive is a legislative framework that prescribes measures to achieve a high common level of cyber security and resilience at the EU level.
What is CSA?
The Cybersecurity Act in Croatia is the transposition of the NIS2 Directive into national law: a local legislative framework that applies in the territory of the Republic of Croatia, published on February 7, 2024.

We have summarized all the key information you need to know about the NIS2 Directive for you in a simple document. Download it, get informed and find out what key measures are needed to comply with the NIS2 Directive.
Enhancing cybersecurity at the national and European level.
By implementing this law, Croatia and the European Union in general are strengthening their capacities for prevention, detection, response, and recovery from cyber incidents.
Expansion of application and scope.
Following the experience of the pandemic and emerging geopolitical situations, the EU has recognized the need to extend the application of the Directive to:
- a larger number of sectors that are crucial for the functioning of the economy
- all information and cyber systems of obligated entities
Improving international cooperation.
The law enhances international cooperation and sharing of information about incidents, as well as best practices.

Requirements and obligations defined by NIS2
All entities subject to the NIS2 Directive are required to:
- Implement a series of organizational and technical measures to secure networks and information systems
- Report incidents
- Conduct self-assessment and/or cybersecurity audit
The measures will be detailed further within the future Cybersecurity Regulation.
Does NIS2 apply to my company?
The NIS2 Directive applies to public and private entities that are:
- Members of sectors listed in Annexes I and II of the NIS2/CSA
- Medium or large enterprises/organizations.
Exceptionally, individual entities that the competent sectoral body determines to be of particular importance can be recognized as subjects of the regulation regardless of their size.
Also, given the measures that emphasize supply chain security, the scope consequently extends to suppliers or service providers of entities obligated under the NIS2/CSA.
Sectors in scope: NIS1 sectors, NIS2 sectors

NIS2 - a challenge for OT systems
The complexity and criticality of OT systems, their "traditional" separation from IT, and a strong reluctance to introduce risky technological changes pose challenges for their owners. Integrating such systems with IT systems introduces new risks that organizations often cannot handle and do not know how to handle.
The NIS2 Directive emphasizes the organization's responsibility for the cybersecurity protection of OT systems. To achieve compliance, all the tasks that have been postponed for years will now need to be completed in a much shorter timeframe, regardless of the risks and challenges.
What if I do not comply with NIS2 – what are the penalties?
In the event of non-compliance with the law, the competent authority has the right to issue:
- Corrective measures,
- Temporary suspensions,
- Prohibitions on conducting business.
Prohibitions on conducting business can be directed towards the obligated entity, but also towards the responsible person. There are also financial penalties for the obligated entity, as well as for the responsible person within the obligated entity.
Fines for the liable entity:
- essential entities: up to EUR 10 million or up to 2% of total annual turnover
- important entities: up to EUR 7 million or up to 1.4% of total annual turnover
Fines for the responsible person:
- essential entities: up to EUR 6,000
- important entities: up to EUR 3,000

How to comply with NIS2?
The NIS2 Directive, i.e. Croatia's Cybersecurity Act, focuses on:
- Risk Management
- Incident Management
- Supply Chain Management
- Business Continuity Management
Entities obligated under NIS2 are required to establish a framework for managing risks related to information and communication technologies (ICT) and information and cybersecurity (ICS), with the goal of achieving a common minimum level of security.
If you have implemented international standards such as ISO/IEC 27001, you already have an advantage in complying with the directive's requirements.
Additionally, in the case of OT, compliance will be simpler if you apply ISA/IEC 62443 standards, which deal with cybersecurity for industrial control systems.
Diverto’s approach to achieving compliance with NIS2
The beginning of your journey towards compliance with NIS2 depends on the current maturity level of your information and cybersecurity management system.
We implement measures to achieve compliance through three groups of activities:
- Governance
- Resilience testing
- Monitoring and continuous defense
Given that managing information and cybersecurity is an ongoing process, it is necessary to periodically verify the initial compliance assessment and determine further steps for enhancing the implemented controls.
Find out how each stage of this Diverto approach helps you align with NIS2 and, ultimately, establish a high level of security for your business.

Check if you are compliant with the NIS2 Directive.
Not 100% sure whether the NIS2 Directive applies to your business? Or have you already taken certain measures and are wondering how compliant you are with its requirements? To assess your security maturity more easily, download the self-assessment tool and begin your journey to compliance with the NIS2 Directive.