With the Cybersecurity Act entering into force in February 2024, Croatia was, unexpectedly, one of the first EU member states to implement NIS2, and it seems this happened just in time. Throughout this year as well as in 2023, government and financial institutions, companies, and even airports and hospitals were targets of multiple cyberattacks. Unsurprisingly, these resulted not only in temporary loss of availability of crucial services but also in loss of data – at times even life-and-death patient data.
The local Cybersecurity Act, while retaining the main principles of NIS2 as well as its risk-based approach, deviates from it slightly. The most notable distinction is the absence of a registration obligation: in Croatia, the act envisions that the relevant authorities will notify in-scope entities of their categorization and obligations, not the other way around. These notifications should be provided by February 15, 2025 – within one year of the act entering into force – although this deadline will likely be exceeded in practice. The idea was to provide for a gradual implementation of obligations, giving in-scope entities enough time to ensure compliance.
The competent authorities for cybersecurity under the act are few, and most power resides with the Croatian Security and Intelligence Agency – a body whose main activity (up to now) has been intelligence gathering and national security. This was one of the most disputed elements of the act and the one that drew the most public attention. After a while, however, the discussion grew quiet. Granted, cybersecurity is not the most interesting subject, but boredom cannot be an excuse for a lack of awareness. Although, based on client activity and publicly available information, we could say that the level of awareness is rising – especially after the above-mentioned attacks, which attracted much media attention – it is still not sufficient given the upward trend of attacks and incidents.
This is especially important for lawyers and law firms who, regardless of size, are a particular case since they are bound by privilege and hold valuable data such as clients’ highly sensitive and/or personal data or financial information. Cyber criminals have noted this too, and lawyers were not exempt from the recent locally occurring cyberattacks. Recent press reports indicate that local authorities have only now arrested one of the culprits responsible for attacks that targeted more than 20 law firms, resulting in document leakage and financial loss.
Allegedly, at least some were targeted because of their connections to “high-profile” clients and cases, and their documents were supposedly leaked to the media after the lawyers failed to pay the requested ransom. The Croatian Bar Association commented that most attacks were conducted by way of phishing – attempts to gain unauthorized access by sending fraudulent e-mails – and in some cases the attacks were reported to be quite sophisticated. The Bar, however, did not share any information on the level of IT security that the affected lawyers and law firms had (or did not have). Notably, local lawyers still independently decide which resources they will rely on to protect their own and, more importantly, their clients’ data.
In Croatia, solo practices still make up much of the profession, while corporate law firms are a minority. After the pandemic prompted further digitalization of government services, local lawyers had to adapt and rely more on digital solutions, including web applications and cloud services. However, this transition was not accompanied by an appropriate level of awareness. As with data protection compliance, lawyers are likely to underestimate risks and often do not follow even basic security principles such as regular software updates or password changes.
This is likely to change now that the act is in force, considering that lawyers will need to obtain cybersecurity assurances in order to retain the ability to continue providing legal support as part of their clients’ supply chain. Since being a vulnerability for their clients is not an option, the obligations under the act should be an additional encouragement for local lawyers to up their game when it comes to IT security practices and data protection. As any legal professional knows (or should know), in addition to lost time, money, or effort, cybersecurity breaches can lead to loss of reputation and, most importantly, loss of client trust.
By Ema Mendjusic Skugor, Co-Managing Partner, and Anella Bukovic, Senior Associate, Divjak Topic Bahtijarevic & Krka
This article was originally published in Issue 11.11 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.