DORA, NIS2, and the Cybersecurity Act – What Companies Need to Know in 2025
Terms like NIS2, cybersecurity, DORA, and penetration testing are increasingly appearing not only in the IT sector but also across broader business and social contexts. Although these may initially seem like topics reserved for IT professionals, they actually affect all of us – citizens, companies, and users of online services.
In this blog, we’ll break down what these terms mean and why it’s important to understand them – regardless of whether you work in IT or use the internet “just” for online banking, social media, or email.
What is Cybersecurity?
Cybersecurity refers to the protection of everything connected to the internet – applications, data, computers, servers, mobile devices, and networks – from theft, misuse, or hacking attempts.
Today, it’s almost impossible to carry out daily activities without the internet – from online banking and cloud services to emails and social media. That’s exactly why cybersecurity has become one of the fundamental pillars of a digital society.
DORA – Digital Operational Resilience in the Financial Sector
DORA (Digital Operational Resilience Act) is an EU regulation that came into effect in 2023 and applies to all entities within the financial sector – including their IT service providers.
The aim of DORA is to strengthen the resilience of financial institutions against cyber threats. If your organization falls under this regulation, you are responsible for assessing and ensuring compliance with its requirements. In Croatia, oversight is carried out by the Croatian National Bank (HNB) and the Croatian Financial Services Supervisory Agency (HANFA).
What does this mean in practice?
Example: A company developing an app for online payments becomes the target of a cyberattack.
Before DORA – no recovery plan, no system backups, no obligation to report the incident.
After DORA implementation – the system is tested, backed up, and clear protocols and incident response plans are in place.
Result? Faster response, reduced losses, and greater user trust.
NIS2 – A New Level of Cybersecurity in the EU
NIS2 is a directive of the European Union that introduces stricter cybersecurity standards aimed at protecting essential sectors and infrastructure. In Croatia, it came into effect on February 15, 2024, replacing the original NIS1 directive from 2016.
NIS2 applies to organizations that are critical for the functioning of society – both public and private. These organizations will be officially notified of their inclusion under the directive, after which they have one year to achieve compliance. An additional two years are allocated for independent verification of compliance.
What does this mean for companies?
Compliance with NIS2 requires:
- Documenting security policies and procedures
- Monitoring systems and access controls
- Employee training and awareness
- Reporting major incidents within 24 hours
The Cybersecurity Act of the Republic of Croatia
In addition to DORA and NIS2, Croatia has adopted its own Cybersecurity Act, aligning national legislation with EU regulations. This law also came into effect on February 15, 2024.
The Act defines:
- Security measures that institutions and companies must implement
- The supervisory system for enforcing these measures
- Penalties for non-compliance
Why is this important?
Imagine a hospital being hit by a cyberattack – appointments can’t be scheduled, test results are inaccessible, and emergency services don’t have access to vital medication data.
If NIS2-compliant measures had been in place, the incident would have been:
- Detected earlier
- Reported within 24 hours
- Quickly resolved
The result? Greater safety and reliability for users of healthcare and public services.
Conclusion
| | DORA | NIS2 | Cybersecurity Act of the Republic of Croatia |
|---|---|---|---|
| Main goal | Financial security | General cybersecurity | Harmonization of legislation with the EU |
| Who it applies to | Financial institutions | Critical entities essential to societal functioning | Institutions and companies |
| What it achieves | Security and stability of banking services | Protection of data and services | Security of public and digital services |
DORA, NIS2, and the Croatian Cybersecurity Act are not just regulations for the IT sector – they are the foundation of a more secure digital society. Implementing security measures is not just a legal obligation, but also a key to building user trust, ensuring business continuity, and defending against increasingly frequent cyber threats.