DORA in Croatia vs. Other EU Countries: Implementation Insights

Total Croatia News

The Digital Operational Resilience Act (DORA) is reshaping the digital governance landscape across the European Union. For the first time, banks, insurers, payment providers, investment firms, financial market infrastructures, and critical ICT suppliers will operate under a shared cybersecurity and operational resilience framework.

Although the regulation applies uniformly across the EU, the pace and quality of its implementation vary significantly between member states. Croatia — one of the newer EU markets with a growing digital economy — offers an intriguing case study. How does its progress compare with more mature financial centers? And what can we learn from its emerging regulatory strategy?

This analysis examines the Croatian DORA rollout, contrasts it with EU benchmarks, and highlights the policy, market, and technical implications for the region.

1. Croatia’s Starting Position: A Young but Digitally Ambitious Market

Croatia’s financial sector is smaller and less complex than those of major EU economies. Yet, its digital transformation has accelerated rapidly over the past decade. The expansion of mobile banking, e-payment solutions, and fintech services has increased both opportunity and exposure to ICT risks.

A structured overview of Croatia’s regulatory posture is available in the analysis DORA Croatia, which notes that Croatian regulators have embraced DORA as an opportunity to strengthen the country’s economic and technological resilience.

Croatia’s advantages include:

  • A unified supervisory structure led by the Croatian National Bank (HNB) and the Croatian Financial Services Supervisory Agency (HANFA).
  • Strong alignment with EU cybersecurity initiatives through the National Cyber Security Strategy.
  • Increasing public–private collaboration on digital resilience.

However, these strengths exist alongside structural challenges, including limited specialized cybersecurity talent, dependency on foreign ICT providers, and fragmented legacy infrastructure across parts of the financial sector.

2. How Croatia’s Implementation Strategy Differs from the EU Leaders

Some EU countries — notably Germany, Luxembourg, the Netherlands, and Estonia — entered the DORA era with sophisticated pre-existing regulatory architectures. Many had national guidelines similar to DORA long before the regulation was drafted.

Croatia, however, is categorized as a “fast follower.” The distinction lies in three dimensions:

A. Regulatory Maturity

EU leaders developed advanced frameworks covering:

  • ICT governance
  • outsourcing due diligence
  • cyber-incident reporting
  • penetration testing standards
  • cloud oversight

Croatia is implementing many of these components for the first time in a fully harmonized way, requiring significant regulatory adaptation.

B. Industry Readiness

In countries like the Netherlands or Germany, large banks and financial institutions already maintained resilience programs compatible with DORA’s requirements.

Croatian institutions are catching up, but readiness levels differ widely across the market — especially between large banking groups and smaller investment or payment firms.

C. Supervisory Capacity

Larger EU economies have extensive supervisory resources and dedicated digital-resilience departments. While Croatia’s regulators are highly committed, their capacity is still growing. Cross-border collaboration and regulatory training programs remain essential.

3. Comparative Insights: Where Croatia Leads, Matches, and Lags

Areas Where Croatia Performs Well

  • Alignment with EU cybersecurity strategy: Croatia’s national initiatives integrate directly with DORA’s core objectives.
  • Adoption of EU technical standards (RTS/ITS): Croatian institutions have shown willingness to incorporate newly finalized technical rules without delay.
  • Banking sector resilience: Large banks, often part of European financial groups, are implementing DORA more rapidly thanks to centralized group-level expertise.

Areas Where Croatia Matches the EU Average

  • Initial DORA awareness and risk mapping: Croatian entities are on par with EU peers in conducting gap analyses and ICT inventories.
  • Incident reporting preparations: Most entities are modernizing their reporting systems to meet DORA’s strict timelines.

Areas Where Croatia Is Struggling

  • Third-party risk oversight: Croatia, like several Southern and Eastern EU states, depends heavily on external ICT providers, many of which operate across borders — complicating contract renegotiations.
  • Penetration testing and TLPT readiness: Specialized local capacity is limited; most firms will rely on external EU testing providers.
  • ICT workforce shortage: Croatia’s cybersecurity labor market is thinner than that of Northern and Western Europe, slowing implementation.

4. What Croatia Can Learn from EU Front-Runners

Three lessons stand out when comparing Croatia’s implementation journey with leading EU members:

1. Prioritize Governance Before Technology

Countries ahead in DORA implementation established governance structures early:

  • centralized ICT risk committees
  • senior-management ownership
  • board-level reporting structures

Croatia is moving in this direction but needs consistent adoption across smaller entities.

2. Build Testing and Incident Response Capacity

Luxembourg, Estonia, and Germany invested heavily in national cyber-testing labs and threat intelligence centers. Croatia’s ecosystem is improving, but scaling capacity will be crucial.

3. Strengthen Domestic Third-Party Oversight

Countries with mature cloud and ICT markets (e.g., the Netherlands) better control outsourcing risks. Croatia should focus on clear standard contracts, continuous monitoring, and cross-border supervisory cooperation.

5. Outlook: Croatia’s Path to Full DORA Alignment

Croatia is not behind — but it is not leading either. Instead, it is positioned in the “active transition” category: the group of EU nations implementing DORA seriously but still building institutional and market capacity.

If Croatia accelerates the following over the next 12–24 months, it can become a regional example of effective digital resilience:

  • professionalizing ICT governance at all levels
  • expanding domestic cybersecurity talent pipelines
  • strengthening oversight of critical ICT suppliers
  • fully operationalizing EU-level testing and reporting frameworks

Given the pace of harmonization across Europe, Croatia has a unique opportunity: by aligning early, it can attract fintech investment, improve financial stability, and participate more competitively in the EU’s digital transformation.

Conclusion

DORA is more than a regulatory requirement — it is a long-term resilience framework that will shape the digital infrastructure of Europe’s financial sector. Croatia’s journey, while still evolving, shows a clear commitment to meeting EU expectations. Its challenge is not intent but capacity.

Compared with leading EU countries, Croatia is learning fast, implementing steadily, and narrowing the maturity gap. How it manages the next phase of deployment will determine whether it becomes a digital-resilience follower — or a regional frontrunner.

 
