
CRA Compliance in Croatia

National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Croatian manufacturers.

Croatia's national regulatory authority for electronic communications and cybersecurity, HAKOM (Hrvatska regulatorna agencija za mrežne djelatnosti), serves as the national competent authority for the CRA, with CERT.hr operating as the national CSIRT. Croatia joined the EU in 2013 and has progressively aligned its regulatory frameworks with EU requirements. Croatian manufacturers — particularly in the growing technology, maritime equipment, and defence sectors — face increasing CRA obligations as their products incorporate digital elements.

National Competent Authority (CRA)

HAKOM

Hrvatska regulatorna agencija za mrežne djelatnosti

HAKOM is Croatia's regulatory agency for network activities (electronic communications, postal services). It serves as Croatia's designated CRA national competent authority and oversees cybersecurity regulatory functions in coordination with the OCD (Office of the National Security Council) for classified information systems.

https://www.hakom.hr

National CSIRT (Article 14 Reports)

CERT.hr


https://www.cert.hr/kontakt/

https://www.cert.hr

CRA Enforcement in Croatia

HAKOM serves as Croatia's national competent authority for the CRA, with market surveillance coordinated with the State Inspectorate (Državni inspektorat) for consumer and industrial products. CERT.hr, operated by CARNET (Croatian Academic and Research Network), provides national CSIRT functions. Croatia's national cybersecurity framework, developed under the Zakon o kibernetičkoj sigurnosti (Cybersecurity Act), which transposes NIS2, provides the legislative foundation for CRA implementation. HAKOM has cybersecurity oversight responsibilities under both the Electronic Communications Act and the Cybersecurity Act, creating a consolidated regulatory authority for CRA enforcement.

CRA reference: Article 41, Article 43

Article 14 Incident Reporting for Croatian Manufacturers

Croatian manufacturers submit Article 14 notifications to CERT.hr through its contact portal. CERT.hr participates in the EU CSIRTs network and coordinates with ENISA on cross-border incidents. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. Croatia's NIS2 framework designates CERT.hr as the CSIRT for essential and important entity incident coordination, and CRA Article 14 notifications will follow established CERT.hr reporting procedures. Manufacturers should register with CERT.hr and establish a designated security contact for incident reporting purposes.

CRA reference: Article 14

Market Surveillance & Penalties

Market surveillance for CRA products in Croatia is coordinated between HAKOM and the State Inspectorate (Državni inspektorat), which conducts product safety market surveillance across multiple regulatory frameworks. The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Croatia's market surveillance capacity has been developing under EU product safety regulations, and the State Inspectorate has enforcement experience under the General Product Safety Regulation. Croatian manufacturers should maintain CRA technical documentation in Croatian and English to facilitate surveillance inspections.

CRA reference: Article 54, Article 58

Support for Croatian Manufacturers

CERT.hr and HAKOM publish cybersecurity guidance for Croatian businesses in Croatian and English. The Croatian Chamber of Economy (HGK) provides regulatory compliance guidance for manufacturing members. CARNET, which operates CERT.hr, provides cybersecurity awareness and training programmes for organisations across Croatia. The Innovation Centre Nikola Tesla (ICENT) supports technology manufacturers with R&D and commercialisation services including cybersecurity. EU Cohesion Funds and the Croatian Recovery and Resilience Plan provide investment support for manufacturer digitalisation and cybersecurity, creating grant opportunities for CRA compliance investments.

CRA reference: Annex I, Article 13


Frequently asked

How do I contact HAKOM or CERT.hr as a manufacturer with a CRA compliance question?

HAKOM can be contacted through hakom.hr, where cybersecurity regulatory enquiries can be submitted. CERT.hr is contacted through cert.hr/kontakt for incident reporting and general cybersecurity queries. The Croatian Chamber of Economy (HGK) at hgk.hr also provides an industry liaison function for EU regulatory compliance questions. For Article 14 notifications, use CERT.hr's secure reporting channel.

Does Croatia have national-level CRA implementing legislation?

Croatia has transposed NIS2 through the Zakon o kibernetičkoj sigurnosti (Cybersecurity Act), which establishes HAKOM's cybersecurity regulatory mandate. CRA implementing measures are expected through amendments to the Cybersecurity Act and through product safety regulations under the Zakon o općoj sigurnosti proizvoda (General Product Safety Act). National implementing regulations are expected ahead of the CRA's December 2027 application date, and HAKOM is expected to publish guidance for affected manufacturers.

How does the CRA interact with Croatia's NIS2 implementation and existing cybersecurity obligations?

Croatia's Zakon o kibernetičkoj sigurnosti creates incident reporting obligations for essential and important entities that overlap with CRA Article 14. Manufacturers that are also NIS2-designated entities should expect HAKOM and CERT.hr to develop consolidated notification guidance. Croatian manufacturers in the energy, transport, and maritime sectors — where NIS2 obligations are particularly broad given Croatia's significant maritime industry — should conduct a combined NIS2 and CRA compliance gap analysis.
