NIS2 and SOC Have Changed Boardroom Conversations

The Croatian IT market is entering a phase in which differences between companies are no longer measured in nuances but in a structural gap in technological maturity. While some organizations are rapidly adopting cloud, artificial intelligence, and managed services, others are only just beginning basic digitalization. This “two-speed Croatia” has become one of the key themes of 2025. In such an environment, the role of the IT integrator is changing significantly—from a technology supplier to a strategic partner.

In an interview with ICTbusiness Media – ICTbusiness.info, Marijana Bačić, President of the Management Board of Combis and Member of the Management Board of Hrvatski Telekom, analyzes the key technological and business shifts that marked the past year. She speaks about the return of cloud, but in a smarter form, a more mature phase of artificial intelligence, and security, which has finally become a board-level topic. The interview reveals how Combis’ strategy has adapted to the new market reality, with a particular emphasis on measurable technology outcomes.

Cybersecurity in 2025 was no longer a technical topic reserved for IT departments. The regulatory framework, the rise of sophisticated attacks, and the growing dependence of business on digital systems have elevated security to the boardroom. The NIS2 directive and related requirements have changed the language of discussion—from technology to accountability. In this environment, SOC and managed security services are experiencing strong growth.

Marijana Bačić explains in detail how the evolution of threats has turned into a “war of algorithms.” She discusses the role of artificial intelligence in defense, automated incident response, and the importance of collective knowledge. Special emphasis is placed on reaction speed and prevention. The interview provides concrete, real-world examples of what modern defense looks like in practice. Security here is not sold as compliance, but as peace of mind.

Digital transformation today is no longer measured by implemented systems, but by business outcomes. Users are not interested in infrastructure, but in service availability, data security, and cost flexibility. This is precisely why managed services and OPEX models are experiencing strong growth. The shortage of IT professionals is further accelerating this trend.

In the interview, Marijana Bačić explains why the “access over ownership” model has proven to be crucial for the sustainability of the Croatian economy. She speaks about changing customer expectations and the maturity of the market for AI.

Looking ahead to 2026 reveals an industry facing the paradox of an abundance of technology and a lack of clarity. Cloud, AI, security, regulation, and geopolitics are simultaneously shaping investment decisions. Costs are rising, while tolerance for error is falling. Managing complexity is becoming a key competence. In the interview, Marijana Bačić talks about the end of the “cloud first” era and the arrival of the “cloud smart” approach.

How would you describe the key technological and business trends that marked the IT market in 2025, and how did they impact Combis? How did demand for advanced IT services such as cloud modernization, AI integration, and managed security services change? Which market segments showed the fastest growth, and where did Combis see the greatest opportunities? How did macroeconomic pressures, regulation, and changes in customer behavior influence the planning and prioritization of your investments?

If I had to summarize 2025 in a single sentence, I would say it was the year of “great awareness and polarization.” What do I mean by that? The data we see, including figures from the Croatian Bureau of Statistics for 2025, show a picture of a “two-speed Croatia.”

On one side, we have large systems and the ICT sector, where cloud adoption exceeds 80%, and according to some studies, 40% of large enterprises are already actively using artificial intelligence. At Combis, for example, we are at the level of the ICT industry itself.

On the other side, the market average is lagging. Cloud adoption stands at 47%, and the gap is even more drastic when it comes to AI—only 15% of the overall economy uses it, while small businesses are at just 12%.

This gap in the adoption of advanced technologies is not narrowing—it is widening. And that is precisely what defined our strategy. Our role is not merely to sell technology, but to provide access to expertise for those who cannot employ large teams of engineers.

We saw three key waves of demand. The first was the return to the cloud—but a smarter cloud. After stagnation in previous years, companies realized that on-premise infrastructure cannot support AI ambitions. However, no one is rushing into the cloud blindly anymore—optimization and the so-called Cloud Smart approach are now required.

The second wave is, of course, AI—but at a level far beyond when AI was reduced to chatbots. The euphoria, or hype, around artificial intelligence is still present, but we are now in a more mature and much more concrete phase, both in terms of solutions and delivery. We are now talking to boards about how AI solves concrete problems such as labor shortages or the automation of repetitive processes, with clear indicators of increased efficiency.

The third, and perhaps most intense wave, is security. The NIS2 directive has done its job—cybersecurity has finally become a board-level topic. People have realized that compliance is not bureaucracy, but a matter of survival.

We saw the greatest opportunities precisely at this intersection: companies and institutions that must digitalize their operations because they lack people, and must do so securely due to regulation. That is where we grew the most—in managed services and security. Paradoxically, macroeconomic pressures helped. Since capital is more expensive and expert salaries (if you can even find them) are at record levels, it is more cost-effective and simpler for companies to take us on as a partner, especially given our experience and expertise, than to try to build everything in-house. This is the key shift from ownership to access—access over ownership—that defined this year.

What were the key projects in 2025? This year, we saw the market sober up when it comes to AI—clients are no longer asking for “something with AI,” but for solutions that reduce costs or generate revenue. Which concrete, measurable AI projects did you implement in the Croatian enterprise sector this year? Which industries contributed most to the growth of your project and services portfolio? Can you highlight projects where AI delivered a measurable impact? How is the development and commercialization of your own products and platforms progressing?

I completely agree with the term “sobering up,” and I welcome it. It was time to stop talking about AI as a magic wand and start talking about ROI—return on investment.

One of my favorite examples from 2025 is the project with the Đuro Đaković Group. This is heavy industry, defense, transport—a serious system. We did not just “introduce Copilot.” We carried out a complete transformation of the way people work, resulting in higher efficiency and time savings of more than one hour per employee. Imagine what that means for productivity on an annual level. The key was not the license, but our methodology—we worked on Adoption Advisory, teaching people how AI can be their partner, not a threat.

We are often asked about Zagrebačka banka and the AI assistant Mia. I would like to mention this project as proof of the maturity of technology that has become standard. Mia reduced call handling time by 50% and independently resolves a quarter of inquiries, enabling agents to focus on more complex issues and improving the customer experience. However, our focus is now on what comes next.

I am particularly proud of OneCityApp. It is not just an app—it is a platform that is already live in Split, Rovinj, Otočac, and Vodice. We have concrete data: more than 150,000 digitally paid bills and 40,000 citizen inquiries. That is real digitalization of society.

Strategically, the recent announcement of cooperation between Deutsche Telekom and OpenAI is key for us. It means that in 2026, we are bringing global technology locally—to our customers and our employees. In this context, our cooperation with Cynomi is also extremely important. Combis has become a key European center of excellence within the DT Group for the vCISO service based on their AI platform. Our experts worked on preparing the platform for the market and are leading the implementation of a solution that automates compliance with the NIS2 directive for users across Europe. This is a perfect example of how we combine our own expertise with global platforms and enable world-class solutions for Croatian customers.

How are customer expectations evolving when it comes to IT solutions and digital transformation, especially with the growing presence of AI? How much are clients moving toward managed services and OPEX models instead of traditional projects? What is the maturity level of customers regarding AI integration into business processes? How does Combis balance rapid innovation with stability, security, and long-term cost efficiency?

Expectations have changed dramatically. In the past, customers asked for “system availability.” Today, they ask for “business outcomes.” They are no longer interested in which server is “under the hood”—they want applications to work fast and data to be secure.

The shift toward managed services and the OPEX model is massive, and logically so. Let’s look at the data from the Croatian Bureau of Statistics—only 14% of companies in Croatia have their own IT professionals, and that number is declining year after year. Companies simply cannot—and do not need to—employ large teams to maintain infrastructure or monitor cyber threats 24/7.

That is why they turn to us. Our Cloud No.9 portfolio and 30SEC security services are growing precisely because of this need. Customers want access over ownership—access to top-tier technology and experts without having to own or employ them. This gives them cost flexibility and solves the talent shortage.

When it comes to AI maturity, the market is still polarized. Large systems—banks, telecoms, large manufacturing companies—are mature and integrate AI into processes. Medium and small companies are still at the stage of “how can this help me write an email?” The main barriers are unstructured data and security concerns. That is where we step in, because you cannot build AI on poor data or insecure infrastructure.

At Combis and Hrvatski Telekom, we have a clear and comprehensive strategy. First, through education programs such as “AI – You Can Do It,” we invest in mass education, because AI is not magic—it is a tool that requires knowledge. Second, in implementation, given the lack of computing infrastructure for training large models in Croatia, our role is to be a bridge to global solutions, offering an end-to-end approach—from connectivity to security.

Balancing innovation and stability is our “secret ingredient.” As part of the HT Group, Combis has both the luxury and responsibility to be rock-solid stable—because we operate critical infrastructure—while also being agile like a tech company. We achieve this by first testing, stress-testing, and refining innovations internally or in controlled environments, and only once they are proven stable and secure do we bring them to customers. Security is always the zero point—the foundation, not an add-on at the end of a project.

Cybersecurity and SOC are increasingly important parts of Combis’ portfolio. How do you see the evolution of threats and customer needs in 2025? What types of attacks marked this year, and how must SOC adapt? How strong is the interest in SOC-as-a-Service, and how does SOC respond to AI-generated attacks? Are we now fighting a “war of algorithms”?

The term “war of algorithms” is a very accurate description of what is happening. Attackers today use AI to automate attacks, scan vulnerabilities 36,000 times per second, and generate phishing emails that are grammatically perfect and fully localized. No human analyst, no matter how brilliant, can process that volume of data alone—it would become a bottleneck.

That is why our SOC no longer relies solely on people staring at screens. We do not build AI defense with a single tool, but with a combination: red teaming, where our ethical hackers simulate AI-driven attacks; blue teaming, where we use AI in SIEM and SOAR tools for automatic detection, triage, and response; and finally, GRC, because it is essential to establish clear accountability policies.

Our system learns what normal behavior looks like and what constitutes an anomaly. I will give you a real example from this year. Our team detected a suspicious VPN connection at 11:01. By 11:20, the attacker had been removed. That is 19 minutes from detection to action to remediation and security resolution. Without AI-assisted analytics, this would have taken hours or days—and by then it would have been too late.

This year, we have seen an explosion of ransomware, which has become quieter and more dangerous—it no longer encrypts immediately, but steals data for months. Supply-chain attacks have also become critical.

Interest in SOC-as-a-Service is growing exponentially. We currently protect more than 140 companies, and that number has increased by 75% in a single year. Medium and large companies understand that they cannot build a SOC on their own—it is too expensive and too complex. They are looking for a partner to “have their back.” We have more than 50 cybersecurity experts and over 180 engineers in Zagreb, backed by a network of 14 Deutsche Telekom SOCs and thousands of experts. If a new threat appears in Berlin at 10 a.m., our customer in Osijek is protected within minutes. That is what customers are buying—collective immunity.

As for regulation—NIS2, national cybersecurity law, DORA—it actually helps us. It has imposed a language that boards understand: accountability. We have embedded these requirements into our services. A customer who adopts our vCISO service or SOC automatically resolves a large part of their regulatory obligations. We are not selling “compliance”—we are selling peace of mind that, incidentally, also complies with the law.

What do you see as the biggest challenges for the IT industry in 2026, and how should companies prepare? Cloud first has evolved into cloud smart—what does that mean in practice? How do geopolitics, regulation, and stricter security requirements influence technology planning and investment? Which technologies will define the next investment cycle?

For 2026, I see one key challenge that encompasses all others: managing complexity. We have more technology than ever before, but it is increasingly difficult to make it all work together—securely and cost-effectively.

When it comes to cloud, the era of “throw everything into the cloud” is definitely over. Customers have received their first large bills and realized that the cloud can be extremely expensive if it is not managed intelligently. I recently read an analysis stating that 80% of organizations overpay for cloud services by 20 to 50%. That is an enormous amount of money leaking away.

That is why FinOps—cloud cost management—is one of the most sought-after competencies today. Our approach with the Cloud No.9 service is precisely this hybrid model. Some data must remain local due to latency or regulation, while some belongs in the public cloud for scalability. We help customers find that balance and optimize every cent.

We address the talent shortage in two ways: by creating experts and by sharing resources. Not everyone can have a top cybersecurity expert. But through Combis, more than 140 companies share our experts. That is a sustainable model for the Croatian economy—sharing expertise instead of each company trying to do everything alone.

Geopolitics and regulation have become an integral part of technology planning. Digital sovereignty is no longer just a phrase from Brussels. Companies want to know where their data is and who has access to it. This is where our advantage of a local data center and EU compliance standards is enormous.

As for future technologies, we are looking toward edge computing, because data processing must be closer to the source—the factory, the camera, the sensor. Quantum security is something we are preparing for, although it is still early for broad commercialization. What will truly define the next cycle, however, are automations at all levels and AI agents that do not merely “chat,” but execute complex tasks.

The foundation, however, remains the same: robust infrastructure and, as I like to say, paranoid security. Without that, everything else is a house of cards.

In the IT industry, we often say that change is the only constant. But in 2026, something else will be more important than ever—the ability to manage that change. Technology without strategy is just a collection of tools. And a strategy without the right partners is just a PowerPoint presentation.