Data protection

1. Local data protection laws and scope

  • Act on Implementation of General Data Protection Regulation (Official Gazette, No. 42/18), prescribing certain additional rules to the basic text of the GDPR, such as processing in the context of employment, processing of genetic and biometrical data and use of video surveillance.
  • Electronic Communications Act (Official Gazette No. 76/22, 14/24), governing, among others, the use of cookies and similar tracing technologies, confidentiality of electronic communications, and conditions for direct marketing via email.
  • Electronic Commerce Act (Official Gazette No. 173/03, 67/08, 36/09, 130/11, 30/14, 32/19, 67/25), containing rules on certain aspects of information society services. The 2025 amendment (Official Gazette No. 67/25) reflects the adoption of the Act on the Implementation of the Digital Services Act, by which the provisions of the Electronic Commerce Act on the liability of intermediary providers of information society services ceased to apply.
  • Act on the Implementation of Digital Services Act (Official Gazette No. 67/25) containing rules on transmission, caching and hosting of data in the communication network when providing information society services.
  • Consumer Protection Act (Official Gazette No. 19/22, 59/23), containing a general ban on disclosing consumer data to any third party contrary to the laws regulating data protection, as well as additional rules on direct marketing via phone or mail.
  • Specific data protection provisions may also be found in other acts, such as the Employment Act (Official Gazette No. 93/14, 127/17, 98/19, 151/22, 64/23), the Credit Institutions Act (Official Gazette No. 159/13, 19/15, 102/15, 15/18, 70/19, 47/20, 146/20, 151/22, 145/24), the Bylaw on Remote Client Onboarding and Minimum Requirements for the Solution Used to Establish and Verify the Identity of the Client Remotely (Official Gazette No. 9/24) and the Act on Implementation of the Data Governance Act (Official Gazette No. 126/2025).

2. Data protection authority

Croatian Personal Data Protection Agency (AZOP, Agencija za zaštitu osobnih podataka).

The competent national authority for electronic communications networks is the Croatian Regulatory Authority for Network Industries (HAKOM): https://www.hakom.hr/default.aspx?id=7

3. Anticipated changes to local laws

According to the general notice of the Croatian Parliament on its legislative plans for 2025, new amendments to the Electronic Communications Act are planned (no details are available).

As part of the ongoing alignment with the EU regulatory framework, further revisions to the Consumer Protection Act and the adoption of acts implementing the AI Act and the Data Act are planned.

4. Sanctions & non-compliance

Administrative sanctions:
  • The Croatian Personal Data Protection Agency is entitled to impose administrative fines in line with Article 83 of the GDPR;
  • In addition to administrative fines under the GDPR, the Act on Implementation of General Data Protection Regulation provides for fines of up to EUR 6,700 for violations related to video surveillance;
  • The Electronic Communications Act provides for fines of up to EUR 132,720 for breaches of the provisions on the use of cookies and similar tracing technologies, confidentiality of electronic communications, conditions for direct marketing, and others (as well as up to EUR 13,720 for the responsible person);
  • The Electronic Commerce Act provides for fines of up to EUR 13,000 for breaches of the provisions on information obligations, data availability, handling of data, and others (as well as up to EUR 1,300 for the responsible person);
  • The Consumer Protection Act provides for fines of up to EUR 26,545 for breaches of the provisions on prohibited marketing activities, and others (as well as up to EUR 1,990 for the responsible person);
  • The Act on Implementation of the Digital Services Act provides for fines of up to EUR 66,360 or up to 6% of the legal entity's annual worldwide turnover in the previous financial year, whichever is greater, for breaches of the provisions of the Digital Services Act (as well as up to EUR 6,630 for the responsible person).
Criminal sanctions:
  • Unauthorised collection, processing and use of personal data is punishable by up to one year of imprisonment;
  • Punishable by up to three years of imprisonment: unauthorised transfer of personal data out of Croatia for the purpose of further processing; unauthorised publishing of data or otherwise making data available; unauthorised collection, processing and use of personal data (i) whereby significant proceeds are obtained or significant damage is caused, (ii) relating to children, or (iii) relating to racial or ethnic origin, political views, religious or other beliefs, trade union membership, health or sexual life, or criminal or misdemeanour proceedings;
  • If any of the above offences is committed by an official in the performance of a service or by a responsible person in the exercise of public authority, the offence is punishable by imprisonment of six months to five years.
Others:
  • The Act on Implementation of General Data Protection Regulation provides for misdemeanour fines of up to EUR 6,640 for violations by an employee of the supervisory authority;
  • The Electronic Communications Act provides for the possibility of imposing a ban on the performance of an activity for up to six months;
  • The Electronic Commerce Act provides for the possibility of imposing a ban on the performance of an activity for up to six months.

5. Registration / notification / authorisation

There are no derogations from the GDPR.

6. Main obligations and processing requirements

Main obligations and processing requirements, other than those from the GDPR, are stipulated by the Act on Implementation of General Data Protection Regulation as follows:

  • processing in the context of employment – biometrical data and video surveillance;
  • processing of special categories of data – genetic and biometrical data;
  • use of video surveillance of apartment buildings and public areas.

7. Data subject rights

Derogations from the GDPR: Public bodies that process data for official statistical purposes are not obliged to ensure the rights of access, rectification, restriction of processing and objection to processing.

8. Processing by third parties

There are no derogations from the GDPR.

9. Transfers out of country

There are no derogations from the GDPR.

10. Data Protection Officer

There are no derogations from the GDPR.

11. Security

There are no derogations from the GDPR.

12. Breach notification

There are no derogations from the GDPR.

13. Direct marketing

The Electronic Communications Act generally prohibits the use of automated calling and communication systems without human intervention, facsimile machines (fax) or electronic mail, including SMS and MMS, for the purposes of direct marketing without the prior consent of subscribers / service users.

If by email: Although the Electronic Communications Act generally requires the prior consent of the recipient (a natural person) before marketing emails are sent, an exception applies when all of the following (cumulative) requirements are met:

  • the recipient’s email address has been acquired for the purpose of sale of goods or services;
  • the marketer uses the address for direct advertising of their own similar goods or services;
  • the recipient has not objected to this use; and
  • the recipient is given a clear and unequivocal opportunity, both when the address was collected and each time it is used, to object to such marketing at any time, free of charge.

If by regular mail: The Consumer Protection Act envisages an opt-out regime (marketing materials may be freely left in consumers' mailboxes or at their front doors unless they have placed a sign reading 'no junk mail' or similar).

If by telephone: The Consumer Protection Act prohibits calls and phone messages to consumers who have subscribed to the do-not-call register.

The aforementioned general prohibition under the Electronic Communications Act on the use of automated calling and communication systems without human intervention should also be taken into account.

14. Cookies and adtech

The Electronic Communications Act stipulates that cookies may only be used with the prior informed consent of the consumer. This rule does not apply to cookies used solely for technical storage of, or access to, data for the purpose of carrying out the electronic communication, or where strictly necessary to provide an information society service (e.g. online shopping) explicitly requested by the user. Cookie notices must be presented in a clear and concise manner, in accordance with personal data protection regulations.

15. Risk scale

Severe

Cybersecurity

17. Local cybersecurity laws and scope

  • Cybersecurity Act (Official Gazette No. 14/24);
  • Regulation on Cybersecurity (Official Gazette No. 135/24);
  • Information Security Act (Official Gazette No. 79/07, 14/24);
  • Regulation on Information Security Measures (Official Gazette No. 46/08).

18. Anticipated changes to local laws

No anticipated changes are currently publicly available.

19. Application

  • The aim of the Cybersecurity Act is to define the procedures and measures necessary to strengthen national cyber resilience, the requirements for essential and important entities, the roles and powers of competent authorities, and the mechanisms for supervision, enforcement and penalties. It applies to private and public entities that have been categorised as essential or important entities based on the criteria set out in the Cybersecurity Act and the Cybersecurity Regulation.
  • The Information Security Act envisages IT security measures, standards and supervisory activities, and applies to state authorities, local and regional authorities and legal entities vested with public authority that use classified and unclassified data, as well as to natural and legal persons that obtain access to or handle classified and unclassified data.

20. Authority

  • The Information Systems Security Bureau
  • National CERT
  • The Office of the National Security Council
  • Security and Intelligence Agency
  • National Cyber Security Centre

21. Key obligations

  • Cybersecurity Act:
    • The Act prescribes the procedures for categorising essential and important entities and regulates their key obligations in implementing cybersecurity requirements. Categorised entities must implement cybersecurity risk management measures aimed at ensuring the security of network and information systems proportionate to the determined risk. The measures are prescribed in more detail by the Cybersecurity Regulation and depend on the risks relating to each specific entity. Depending on the category, entities subject to the Act are also required to conduct cybersecurity self-assessments or to undergo security audits carried out by independent, certified cybersecurity auditors.
    • Essential and important entities are also obliged to report significant cybersecurity incidents to the authorities.
    • Entities subject to the Act must also conduct mandatory cybersecurity exercises in line with the Plan for the Implementation of Cybersecurity Exercises, adopted by the Croatian Government for a two-year period upon the proposal of the Security and Intelligence Agency.
    • The Act also establishes a new cybersecurity management system, defines the competent authorities in the field of cybersecurity together with their tasks and powers, and introduces a new function: the central state body for cybersecurity. The tasks of the central state body for cybersecurity will be performed by the National Cybersecurity Centre (NCSC-HR), established within the Security and Intelligence Agency (SOA).
  • Information Security Act:
    • Obligation to implement IT security measures (prescribed in detail by the implementing regulation);
    • Obligation to appoint an IT security adviser.

22. Sanctions & non-compliance

Administrative sanctions:

The Cybersecurity Act provides for fines of up to EUR 10 million or up to 2% of the essential entity's total annual worldwide turnover in the previous financial year, whichever is greater, for breaches of certain obligations under the Cybersecurity Act. Fines for the responsible person within an essential entity are set at up to EUR 6,000.

For breaches of the Act by important entities, the fines are up to EUR 7 million or up to 1.4% of the total annual worldwide turnover, whichever is greater. Fines for the responsible person within an important entity are set at up to EUR 3,000.

There is also a fine of up to EUR 20,000 for the legal entity and EUR 1,000 for the responsible person for failing to deliver the information required for categorisation purposes and for keeping the list of essential and important entities, or for failing to report changes to the delivered information in a timely manner. The same fine applies to entities that do not deliver, or do not deliver in time, the information required to maintain one of the special registers prescribed by the Cybersecurity Act, e.g. the registers of entities providing domain name registration services, cloud computing service providers, data centre service providers, and providers of online marketplaces and social networking platforms.

23. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. National CERT was established in accordance with the Information Security Act.

The Cybersecurity Act establishes competent CSIRTs for different sectors.

24. National cybersecurity incident management structure

Yes, in 2025 the Croatian Government enacted the National Cyber Crisis Management Program.

25. Other cybersecurity initiatives

N/A