Fiscalization 2.0 and NIS2: Information Intermediaries Are No Longer a Technical Footnote, but the Backbone of the System

Dražen Tomić / Tomich Productions

Fiscalization 2.0 has opened a new chapter in Croatian public-sector digital transformation and fundamentally changed how the role of information intermediaries is perceived. What, until recently, was seen as a technical service is now treated as part of the critical national infrastructure. In parallel, the EU’s NIS2 framework is introducing significantly stricter requirements around risk management, executive accountability, and operational resilience. In this context, it is no longer sufficient to have documentation and basic technical controls. The focus shifts to people, processes, and the ability to respond effectively to real incidents.

That distinction between formal compliance and real security is at the center of our conversation for ICTbusiness Media – ICTbusiness.info with Alen Delić, one of Croatia’s leading cybersecurity experts. His analysis raises questions that go well beyond IT and reach into the core of corporate governance.

Q: In the context of Fiscalization 2.0, information intermediaries are being positioned in practice as part of key state digital infrastructure. Do you believe they are formally and regulatorily clearly recognized as essential entities under the NIS2 framework?

Croatia’s Cybersecurity Act explicitly states that information intermediaries involved in the exchange of electronic invoices between businesses are classified as essential entities, regardless of their size. Operationally, there are steps to categorize each entity and formally assign the relevant obligations and deadlines, but there is no ambiguity at all about the recognition of intermediaries as essential entities.

Q: Who makes the classification decision in practice, and based on which criteria?

The competent sectoral authority, which in this case is the National Cybersecurity Center. I also know that, in practice, some intermediaries have already received notification that categorization has been completed, as well as those for whom the incident reporting obligation has already started, which means they received that notification last year.

Q: Is there a risk of uneven application of NIS2 obligations among intermediaries of different sizes and market power?

We need to be realistic and speak without labels. The security measures prescribed by the Act and the related Regulation are neither “just paperwork” nor “just technology.” They are a complex combination of technical and organizational requirements. In practice, that means having people, processes, and resources to, for example, detect and respond to incidents on time, maintain service continuity, manage suppliers, and regularly test systems.

From a security perspective, the issue is not that smaller entities necessarily do “worse,” but that real implementation of these measures is a capacity question: can the organization translate requirements into daily practice and sustain them continuously? For smaller organizations, it is often harder to reach the same level of operational resilience without a disproportionately higher cost per employee and per unit of revenue, precisely because the requirements are complex and demand constant discipline, not a one-off project or a stack of documents. Ultimately, size is not a guarantee of quality, but capacity is a prerequisite for obligations not to remain only on paper.

NIS2 is the EU’s updated cybersecurity regime that expands the scope of regulated entities and significantly strengthens requirements around governance, incident reporting, and supply-chain risk, with explicit accountability at the executive level. Croatia’s Fiscalization 2.0 reform extends electronic invoicing and fiscal reporting deeper into the private sector and depends on a multi-party ecosystem that includes state services, information intermediaries, ERP vendors, and infrastructure providers. In such architectures, resilience is not solely a technical question; it becomes a systemic property shaped by operational maturity, governance discipline, and the ability of regulators and the market to converge on consistent interpretations of “appropriate measures” and “significant incidents.”

Q: How will the system prevent a situation where large essential entities, such as banks or state agencies, effectively become regulators by imposing unrealistic conditions on small software companies, thereby stifling innovation and competition?

Globally, supply chains and security requirements are far from “solved,” and it would be naive to pretend otherwise. In practice, we often see “large players” insisting on strict measures from their suppliers while simultaneously lacking the real capacity to consistently control them, because modern systems are extremely interconnected and depend on a large number of suppliers. The result is that instead of increasing security, we increase the volume of paperwork, or e-paper.

At the same time, security among smaller suppliers is still not sufficiently recognized as a serious business and operational risk. In my view, there are many areas where requirements toward smaller vendors still need to be raised, and the “innovation will be stifled” argument often serves as an excuse.

Q: Will the state offer subsidies or an “easier route” to compliance for smaller IT firms that are technologically critical but financially constrained?

If the state continues in the direction it has taken so far, the answer is yes. The European Union, and therefore Croatia, has already recognized that resilience cannot be built only through regulation, but also through targeted support for those who are technologically critical yet financially constrained. At the end of last year, CARNET concluded a call for non-refundable grants to improve cybersecurity for micro, small, and medium-sized enterprises, which is a positive signal that there is awareness of the need for such mechanisms.

Q: NIS2 significantly raises requirements for cyber risk management, supply-chain security, and board accountability. How ready are Croatia’s information intermediaries in reality to meet all organizational and technical NIS2 requirements, not just baseline technical controls?

When we talk about overall readiness, market research shows that a large share of organizations still lack the fundamental prerequisites for operational security. Intermediaries are not isolated from that context, so on that basis alone, we can expect readiness to be uneven. On the other hand, the Act and the Regulation provide an adjustment period, but if we are honest, an entity founded a few months ago, without serious investment and without people, can hardly have truly implemented operational security measures today.

Q: Which areas are currently weakest in practice: risk management, business continuity, supplier security, or incident response?

I could almost choose all of the above. In practice, all these areas are challenging, but the greatest difficulties typically appear in monitoring, incident management, and supplier security, because intermediaries are a hub between multiple systems and every weakness quickly spills over to others. Risk management and business continuity are also critical, but for many, they are covered better formally than they are tested operationally in real scenarios.

Q: Do you already see a difference between declared compliance and real operational resilience?

Yes, and this is one of the key distinctions we will increasingly see in practice. Declared compliance means policies and procedures exist as evidence that something has been prescribed. Operational resilience means that, during a real incident, the system can absorb the impact, that the incident is detected in time, escalation is clear, damage is contained, the service is maintained or quickly recovered, and that all of this can be proven through logs and records. The biggest problem is that declared compliance can be achieved relatively quickly, while operational resilience is built over time.

Q: Do you expect an increase in D&O (Directors and Officers) insurance premiums, or even refusals by insurers to cover risks related to NIS2 penalties?

Organizations that can prove their security measures are truly alive in operations will have a better negotiating position. Still, what many forget is that such insurance will not automatically, and sometimes not at all, cover damages from cyber incidents or regulatory consequences.

Q: How do you define the boundary between “poor security governance” and a sophisticated attack that even the best measures would not have stopped?

When there is demonstrable security governance, an incident is a breach of proportionate defenses. When that governance does not exist, the incident is simply a mirror of poor management and internal failures. I would like us not to see too many examples of the second category in the coming months.

Q: NIS2 introduces personal accountability for board members for neglecting cybersecurity obligations. Are the management teams of information intermediaries and IT companies even aware of the level of personal and financial responsibility they are taking on?

Some are, but still not enough. We still often see the reflex that security is purely an IT topic, something delegated downward, and then people expect documents and tools to solve the problem. In practice, awareness changes the fastest only after an incident occurs.

Q: How should cybersecurity be integrated into corporate governance, internal controls, and audit processes?

By ceasing to be a one-off project and becoming part of governance.

Q: Can NIS2, in practice, change investment structures and management priorities in IT and security programs?

Yes, and it already is. When security measures become an obligation rather than a recommendation, governance layers naturally, although sometimes reactively and slowly, redirect investment and open space for new processes. Security-regulated industries such as finance and telecommunications are, on average, more mature because they have lived for years with oversight, mandatory controls, and the “discipline of evidence.” That does not guarantee incidents are impossible, but it does mean processes, people, and budgets for security were established earlier as a standard, not an exception.

Q: How will the regulator ensure penalty proportionality for Croatian IT companies for whom a €10 million fine would mean immediate bankruptcy?

If a business entity, through gross negligence or repeated ignoring of security obligations, causes an incident that threatens the continuity of a critical service or generates damage to society and the economy, then the legitimate question is: should we mourn the fine or the consequences it produced? Proportionality matters, but it cannot become a synonym for tolerating irresponsibility. Competent institutions must have mechanisms to apply that proportionality.

Q: What is the appeal and expert assessment mechanism in a dispute over whether “appropriate measures” were taken?

Supervision and decisions by competent authorities are not about whether someone likes your security posture, but whether there is a logical and demonstrable link between the risks, prescribed measures, and actual implementation. If a dispute remains over whether measures were appropriate and implemented, judicial protection exists.

Q: NIS2 penalties can be imposed even without an actual incident, for example, due to missing prescribed measures or delayed reporting. How aware is the market that regulatory risk is no longer tied only to “being hacked,” but also to procedural failures?

That is actually a good approach, because waiting for an incident means we react only after damage is done. The logic of security measures is the opposite: the obligated entity must manage security systematically, implement the prescribed measures, and be able to prove it, with external control through supervision and audit. This is how security stops being treated as an “event” and becomes a continuous process, which is the only realistic way to reduce risk and consequences, rather than searching for a culprit after an incident. There is still room for that awareness, especially at the management level, to increase.

Q: How would corrective measures, such as enhanced supervision or a temporary service suspension, affect the continuity of Fiscalization 2.0 and user trust?

At this moment, I would primarily see enhanced supervision as a preventive measure, and honestly, I would be satisfied to see more of it. Not to “hunt” anyone, but to spot weaknesses earlier and stabilize the system before damage occurs. At the same time, we must not forget this is not only under the remit of the Tax Administration or the National Cybersecurity Center. There are multiple competent bodies in the system, each with its own powers, responsibilities, and deadlines, and some are often overlooked in public discussions. For example, the Croatian data protection authority can act concerning personal data processing conducted by various market participants.

Q: Is there a scenario in which problems at a larger information intermediary could have a systemic effect on the entire system?

Yes, due to the very architecture of the system. If an intermediary has a meaningful market share and a portion of invoice exchange flows through it, a serious outage or compromise can cause a chain effect, including delays in invoice exchange and fiscal reporting, disruption of business processes for companies that depend on that intermediary, and pressure on alternative channels that may not be dimensioned to absorb a sudden load shift.

Q: Do national authorities, such as CERT or the competent security bodies, have enough capacity to process and analyze thousands of incident reports in real time, or will this become a “data graveyard”?

In recent years, competent bodies have continuously increased their capacities, and so far they have shown they are, as the saying goes, ready to respond to challenges. Any additional investment in people and technology should be viewed positively, because without it, there can be neither quality processing of reports nor useful feedback to the market.

In addition, we should not forget public-private cooperation. In security, that model has proven to be one of the more effective ones: faster information sharing, joint learning from incidents, and raising the resilience level of the entire ecosystem, not just individual entities.

Q: What exactly defines a “significant incident” in the fiscalization context: is it a five-minute outage or data loss, and who makes that assessment in a critical moment?

A significant incident is not defined only by minutes, but by impact, according to the criteria in the Regulation. In the context of e-invoice exchange or fiscalization, a five-minute interruption can be insignificant, or it can be serious, depending on how many users are affected and for how long, whether availability or service quality is compromised, and especially whether confidentiality, integrity, or authenticity of data has been affected. The Regulation is quite specific: significance is determined through thresholds related to service unavailability and the number of affected users, through events such as unauthorized access or modifications of critical data or configurations, through financial losses above defined thresholds, through significant harm to other persons, and through repeated incidents that may not be significant individually but become significant cumulatively. The obligated entity identifies and reports the incident based on those criteria.
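The criteria listed in that answer (availability thresholds tied to affected users, unauthorized access or modification of critical data or configuration, financial loss above a threshold, harm to other persons, and repeated incidents that become significant cumulatively) are the kind of rule an obligated entity has to be able to apply consistently at the moment an incident is being assessed. The following Python sketch is an added illustration, not code from the article, the Regulation, or any Croatian authority. Every numeric limit in it is an assumed placeholder, because the Regulation's actual threshold values are not quoted on this page, and the incident records it evaluates are constructed for the demonstration.

```python
"""Incident-significance triage for an e-invoice information intermediary.

Added illustration only. The thresholds below are ASSUMED placeholders; an
operator would replace them with the values from the applicable Regulation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Placeholder thresholds (assumed, not the Regulation's actual values) ---
UNAVAILABILITY_MINUTES = 60         # service unavailable at least this long ...
AFFECTED_USERS = 1000               # ... for at least this many users
FINANCIAL_LOSS_EUR = 100_000        # direct loss at or above this amount
REPEAT_COUNT = 3                    # this many similar minor incidents ...
REPEAT_WINDOW = timedelta(days=90)  # ... inside this window count cumulatively


@dataclass
class Incident:
    occurred_at: datetime
    category: str                    # e.g. "outage", "unauthorized-access"
    unavailability_minutes: int = 0
    affected_users: int = 0
    unauthorized_access: bool = False
    critical_data_or_config_modified: bool = False
    financial_loss_eur: float = 0.0
    harm_to_other_persons: bool = False


def assess(incident: Incident, history: list[Incident]) -> tuple[bool, list[str]]:
    """Return (is_significant, reasons) using the criteria named in the interview.

    `history` holds earlier incidents already recorded by the entity; it is used
    only for the cumulative rule, so individually minor events are not lost.
    """
    reasons: list[str] = []

    # 1. Availability: the duration AND breadth thresholds must both be met.
    if (incident.unavailability_minutes >= UNAVAILABILITY_MINUTES
            and incident.affected_users >= AFFECTED_USERS):
        reasons.append("unavailability threshold")

    # 2. Confidentiality / integrity / authenticity events count regardless of
    #    duration: a five-minute window with unauthorized access is not "minor".
    if incident.unauthorized_access:
        reasons.append("unauthorized access")
    if incident.critical_data_or_config_modified:
        reasons.append("critical data/config modification")

    # 3. Financial loss above the defined threshold.
    if incident.financial_loss_eur >= FINANCIAL_LOSS_EUR:
        reasons.append("financial loss threshold")

    # 4. Significant harm to other persons (clients, counterparties, the public).
    if incident.harm_to_other_persons:
        reasons.append("harm to other persons")

    # 5. Cumulative rule: repeated same-category incidents within the window.
    window_start = incident.occurred_at - REPEAT_WINDOW
    similar = [h for h in history
               if h.category == incident.category
               and window_start <= h.occurred_at < incident.occurred_at]
    if len(similar) + 1 >= REPEAT_COUNT:
        reasons.append(
            f"{len(similar) + 1} '{incident.category}' incidents "
            f"within {REPEAT_WINDOW.days} days")

    return bool(reasons), reasons


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Constructed sample incidents showing how the same five-minute outage
    lands on different sides of the line depending on impact and history."""
    t0 = datetime(2026, 1, 10, 9, 0)
    short_outage = Incident(t0, "outage", unavailability_minutes=5, affected_users=50)
    breach = Incident(t0, "unauthorized-access", unavailability_minutes=5,
                      affected_users=50, unauthorized_access=True)
    earlier = [Incident(t0 - timedelta(days=40), "outage", 5, 50),
               Incident(t0 - timedelta(days=20), "outage", 7, 80)]
    third_outage = Incident(t0, "outage", 6, 60)
    return {
        "short_outage_alone": assess(short_outage, []),
        "short_with_breach": assess(breach, []),
        "third_short_outage": assess(third_outage, earlier),
    }


if __name__ == "__main__":
    for name, (significant, why) in demo().items():
        print(f"{name}: significant={significant} reasons={why}")
```

The point of keeping `history` as an input is the cumulative criterion: an entity that evaluates each event in isolation will never see the third short outage as reportable, which is exactly the "covered formally but not tested operationally" gap the interview describes.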

Q: Fiscalization 2.0 relies on a complex ecosystem of state systems, information intermediaries, data centers, and ERP solutions. Is the current model sufficient for long-term resilience in the context of NIS2 and the CER Directive, which require both cyber and operational resilience?

The model can be good and sustainable, but only if we implement it as a systematic discipline rather than a one-off compliance exercise. If it remains at the level of “everyone figures it out on their own,” we will end up with formal compliance and real insecurity.

Q: Will security requirements for intermediaries need to be further centralized or standardized in the future?

The baseline requirements are already defined. For intermediaries and system architecture, it makes sense to further specify technical details at the state level. That is the best way to avoid situations in which different documents or specifications produce different interpretations.

Q: Could NIS2, instead of being a brake, become a long-term catalyst for market consolidation and professionalization across the entire e-invoice ecosystem?

Yes, that is a very realistic scenario. Consolidation can happen because some obligated entities will simply exit the segment, as they do not want or cannot continuously invest in the required level of security measures. Also, if they fail to meet the demanded levels, they may end up under corrective measures or sanctions that, in practice, force them to stop providing such services.

Q: How is a scenario treated where an information intermediary uses a public cloud environment such as Microsoft Azure or AWS: who is then responsible for physical security under the CER Directive, the Croatian company or the global provider?

The intermediary remains responsible for its part of the story: selecting external suppliers, setting security requirements, contract obligations, and continuous oversight. At the same time, of course, it can and should rely on the supplier’s capabilities. That is precisely why the supplier is a supplier: it has scaled processes, expertise, and control mechanisms that an individual entity often cannot build alone, including in relation to regulatory requirements.

Q: Will supervisory oversight be integrated to avoid administrative duplication for entities subject to both directives?

The goal of oversight is not to produce paperwork, but measurable resilience, and that is achieved through coordination, shared criteria, and exchange of findings between competent bodies. We will only see in the future how far that can realistically go.