Regulation Has Raised Cybersecurity Awareness, but the Market Still Needs Structure

Dražen Tomić / Tomich Productions

European directives, local laws, and new compliance requirements have opened the door to more serious management of cybersecurity risks, but they have also brought uncertainty, superficial interpretations, and fragmented solutions to the Croatian market, says Antonija Vojnović, Head of the Governance, Risk and Compliance Department at Span. In her view, the issue is not regulation itself, but the way the market tries to understand it and turn it into concrete projects. “They have brought complete chaos to the market,” Vojnović says, warning that Croatia is a small market where many vendors try to offer one solution for every problem.

That logic, she argues, is one of the biggest challenges. Compliance cannot be reduced to buying software, hardware, or a ready-made package. “A solution that solves every problem is simply not true,” Vojnović says. She adds that companies do not comply directly with directives, but with local laws that transpose them into the national framework. That, in her view, is the first level of understanding that is often missing from market communication.

Regulation has nevertheless triggered an important shift. Management boards and responsible persons have started thinking more seriously about personal and corporate responsibility, including the possibility of fines, removal from office, and reputational damage. “People got a little scared and started thinking,” Vojnović says. She sees this as a positive move, but warns that compliance deadlines do not mean security can be solved once and for all. “You will not patch the servers and be done forever,” she stresses, noting that regulation requires continuous and periodic implementation of measures.

The biggest problem, she believes, is that some users still see security and compliance as projects with a beginning and an end, rather than as an ongoing process of risk management. In practice, that means buying individual tools, often without education, without awareness of processes, and without a clear understanding of what is actually being protected. “People realise they have bought a pig in a poke only when an incident happens,” Vojnović warns. Audits and inspections, she adds, will show how prepared organisations really are and whether earlier decisions were meaningfully connected to risk.

She particularly warns about the difference between formally buying technology and achieving real security maturity. Software or hardware alone is not enough if there are no processes, education, employee awareness, and incident response capabilities behind them. “They bought some software or hardware without education and without processes,” she says. In that environment, audits could play an important role because they may raise awareness before a serious security incident occurs.

When an incident does happen, the dynamics change quickly. Budgets suddenly appear, decisions are made rapidly, and everyone is ready to sign immediately. But that approach brings a new risk, because panic rarely produces a sound security architecture. “When an incident happens, it is too late,” Vojnović says. That is why companies, especially smaller ones, need a partner who will not push a sale just for the sake of selling, but an ally who can guide them through regulation, risks, and priority steps.

For the financial sector, which is already heavily regulated, a different level of preparedness can be expected, but the challenges are especially visible among micro and small companies that often do not understand why they have been classified as important. They may develop software, hardware, or services for larger European systems and only later realise that they matter within a broader supply chain. “Small companies will have a problem: where the money will come from, where the priorities are, and who their ally will be,” Vojnović says. If they already have a good GDPR foundation, she adds, new requirements can be an upgrade rather than a completely new start.

In a broader sense, she does not see regulation as an obstacle to development, but as an attempt to place data, risk, and responsibility into a more structured framework. The key is to understand that risk management is an everyday business discipline, not merely a technical obligation. “When you leave your apartment in the morning, you are managing risk,” Vojnović says. That is why she sees the future of compliance and cybersecurity in education, dialogue, and the gradual raising of maturity, especially among smaller organisations. Without that, the market will continue looking for shortcuts, while security will be taken seriously only after an incident has already revealed the cost of delay.