The Security of e-Invoicing Does Not Begin on Paper

The e-invoicing and Fiscalization 2.0 market in Croatia is showing ever more clearly the difference between formally meeting the minimum requirements and achieving real system security. In such an environment, clients are no longer looking only for technical connectivity, but for reliability, transparency, and clear partner accountability. Fran Karlo Strajher explains why certificates, operational procedures, and continuous monitoring are now just as important as the platform’s functionality itself.

At a time when digital document exchange is becoming a critical business infrastructure, the issue of e-invoice security is no longer a technical topic reserved only for IT departments. For companies, tradespeople, and institutions, it is a matter of business continuity, data protection, regulatory compliance, and trust in a partner who must guarantee that a document will arrive securely, intact, and on time. This is precisely why the market is drawing an ever clearer distinction between providers who meet only the formal minimum and those who build security as an operational standard in day-to-day work.

In such an environment, certificates such as ISO 27001 and ISO 9001 play an important role, but they are not sufficient in themselves if they are not backed by real processes, regular audits, access control, anomaly monitoring, and clearly defined incident response mechanisms. Megatrend Redok bases its position on many years of experience in digital document exchange, large processing volumes, and infrastructure that must ensure high availability and data integrity. Of particular weight in such an approach are day-to-day operational discipline, additional security checks, the use of independent external experts, and a clear sense of responsibility towards users. In a market where price often tries to take the leading role, it is precisely security, reliability, and transparency that become the key points of differentiation.

“Choosing the cheapest does not mean choosing the best, and especially not the most secure solution,” Fran Karlo Strajher, Director of Megatrend Redok, points out to ICTBusiness Media – ICTbusiness.info. In this conversation, we therefore opened a series of concrete questions: from certificates and audits, through cyber insurance and 24/7 monitoring, to client accountability and the real criteria by which an entrepreneur can assess to whom they will entrust their digital documents.

What certificates and accreditations does your organisation hold, and why are they relevant to the security of e-invoicing?

Megatrend Redok has been operating on the Croatian and international markets for many years. Security, reliability, and service quality are the foundation of our business and of the trust between our clients and us. All Megatrend Redok activities are carried out within certified management systems. Megatrend Redok has implemented ISO 27001 and ISO 9001 systems, with a scope that covers the development, hosting, and operational delivery of integration platform as a service (iPaaS) solutions for business application integration, EDI exchange, and information intermediary services, including the sending and receiving of e-invoices, fiscalization, and e-reporting. In other words, all process elements of the service we provide to our clients are certified, in order to confirm, in this way, the quality and security of the service we provide to our clients. The latest in a series of assessments was carried out in December 2025, thereby starting a new certification cycle that runs until 1 February 2029. In accordance with professional rules, all Megatrend Redok processes are subject to strict internal audits and third-party surveillance checks.

Do you hold ISO/IEC 27001 certification for information security management, and how often do you undergo external audits of how it is applied in practice, not just on paper?

Megatrend Redok has implemented an ISO/IEC 27001 information security management system, with the same core scope as for ISO 9001: the development, hosting, and operational delivery of our platforms, including EDI, e-invoices, and fiscalization. External audits are conducted by an independent certification body in regular cycles, through initial certification, annual surveillance audits, and periodic recertification. These reviews do not cover only documentation checks, but also detailed and concrete technical and organisational practices. Access control, logging, backups, incident management, and continuous improvement are just some of the elements that are additionally reviewed in detail.

Are you registered with the Croatian National Bank as an authorised payment service provider, and what does that regulatory obligation specifically mean for the level of security you must maintain?

Megatrend Redok does not currently provide payment services and, consequently, is not registered with the Croatian National Bank as a payment service provider. Our current focus is exclusively on the secure exchange and processing of electronic documents, e-invoices, fiscal messages, and other EDI documents, within the regulatory frameworks for e-invoicing and fiscalization, where we are connected to the central platform and aligned with all Tax Administration standards.

Is there a legal or regulatory gap in Croatia that allows someone to operate as an information intermediary in the e-invoicing system without minimum security standards, and how do you, as an industry, view that?

Fiscalization 2.0 requires information intermediaries to maintain a high level of operational reliability and security. However, this is only a formal minimum. We have witnessed numerous problems that clients and users, that is, business entities, have encountered in recent months, and these are the result of meeting only the minimum requirements. Serious service providers have upgraded their systems significantly further precisely in order to ensure the highest degree of quality and security in digital document exchange services for clients, the market, and business entities.

The market has already recognised the difference between various providers. Choosing the cheapest does not mean choosing the best, and especially not the most secure solution. Megatrend Redok has built its position in the Croatian as well as the international market on high security standards, service quality, transparent offerings, and positioning itself as a long-term partner to its clients regardless of their size.

It is precisely for this reason that Megatrend Redok also carries out regular additional checks and audits of all key processes, to act preventively and detect and eliminate potential weaknesses before they become incidents at all. We believe that the regulatory framework will continue to tighten over time and that serious security standards will become mandatory for everyone who wants to play a more important role in the market.

How is your infrastructure adapting to the new directives on digital operational resilience, DORA?

DORA is aimed at financial institutions and their key ICT service providers to strengthen the digital resilience of the financial sector. Although Megatrend Redok does not provide payment services and does not operate as a bank, strategically we are guided by the same principles: geographically distributed and redundant infrastructure, controlled change processes, and clear business continuity plans. In other words, although we are not formally an addressee of DORA regulation, our system design and operational processes already today reflect the key requirements of digital resilience: high availability, resilience to disruptions, vendor control, and a clearly defined service recovery model.

How does your organisation manage the risk of a cyber incident, financially and operationally?

We view the risk of a cyber incident as a business risk, not merely a technical one. That means we address it through a combination of three things: a certified security management system (ISO 27001), concrete technical and organisational controls in day-to-day work, and specialised cyber insurance that also covers our liability towards users. In practice, this includes regular risk assessments, clear incident management procedures, system segmentation, data encryption, restriction of access rights, and continuous monitoring of key services. In this way, we divide financial and operational risk between preventive investments in people, processes, and technology, and a protective layer through the insurer.

Do you have a cyber-risk insurance policy in place, and what does that policy cover: only your own operating costs or also damage incurred by your entrepreneur clients whose data may have been compromised?

Megatrend Redok has an active cyber insurance policy. The coverage does not apply only to our internal costs in the event of an incident, but also includes liability towards third parties, that is, our users. Given the confidentiality of this segment, we cannot disclose details, but our clients are insured and can be certain that in Megatrend Redok, they have a partner that performs its work consciously and responsibly, with concrete financial protection.

Do you conduct regular vulnerability assessments and penetration testing of your systems, and who performs those tests, your internal team or an independent third party?

We regularly conduct vulnerability assessments and security testing, and for key parts of the infrastructure and applications, we engage independent specialised companies that perform penetration testing and security audits. The security of our systems is therefore based on the work of internal experts, but also of independent external partners. The internal team then analyses the results, prioritises measures, and leads the implementation of corrective and preventive activities. Such a model enables us to retain in-depth knowledge of our own platform, but with a constant external “reality check” that further increases the level of security and resilience of our systems.

If one of your clients, a small tradesperson or company, suffers financial damage due to a security failure on your side, what protection and compensation mechanism is available to them?

Each user has a clearly defined framework within which they can seek compensation if it is proven that a security failure occurred on our side. We align the liability model, including limits, SLA credits, and special conditions, through the contractual process, especially with larger users and institutions. In this way, we avoid a one-size-fits-all approach and ensure that the level of protection is proportionate to the importance and volume of work we perform for an individual client. Liability and the compensation mechanism are governed by our contracts and general terms and conditions, and we communicate them clearly and transparently to our clients.

Do you have 24/7 monitoring, your own SOC, or a contracted external centre, and how is incident escalation organised?

All our key services, including processes related to F2.0 and e-invoices, are covered by support that operates in accordance with defined SLA parameters, which includes the handling of urgent cases on a 24/7 basis. Any incident that could potentially endanger the continuity of document exchange or data security is handled immediately under clearly defined escalation rules. Escalation includes the technical team, the persons responsible for security, and, of course, direct communication with the user.

The objective is only one: to quickly detect, isolate, and resolve the problem, with minimal impact on the user’s business and clear communication throughout the entire process.

What does your daily operational security monitoring look like?

For us, security is not a one-off project, but part of the daily operational rhythm. We continuously monitor the condition of key systems, logs, performance, and anomalies, and the results of this monitoring feed into internal reports and regular meetings at the operations and management levels. This includes monitoring service availability, integration flows, document exchange status, and security events, from attempted unauthorised access to unusual application usage patterns. In this way, we address risks before they turn into incidents.

Do you have an incident detection and response system that operates 24/7, and realistically speaking, how quickly can your team react to a security alert in the middle of the night or over the weekend?

All our systems and processes are designed so that key services have continuous monitoring and a defined response in line with the SLA, regardless of whether it is a working day or a weekend. In the event of a critical alert, there is a clear on-call mechanism through which the responsible team is activated, and operational procedures begin immediately. Our users know that such potential cases will be treated as a priority as soon as they are detected. This is the only way for e-invoice and F2.0 services to be truly reliable in practice.

Do you use anomaly monitoring systems, with or without AI, in data traffic that can detect unauthorised access or data theft promptly, such as the alleged extraction of 560 GB from the Spanish tax agency in a single move?

We use a combination of traditional and advanced monitoring mechanisms to recognise unusual behaviour patterns, for example, non-standard volumes, times, or methods of access. We do not go into the details of the technology stack for understandable security reasons, but we can say that we monitor all key metrics that would signal an attempt at massive data exfiltration or unauthorised access before it happens.

Our goal is not only to detect an event, but also to clearly connect the signal with the real risk, so that we can distinguish a legitimate increase in traffic from a real threat. Here, we combine numerous automated tools, AI, and human analysis.
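The kind of monitoring described in the two answers above (non-standard volumes, non-standard times of access, and connecting the signal to real risk rather than to any spike in traffic) can be illustrated with a small baseline-and-deviation check. The following is an added example written for this article, not Megatrend Redok's code or technology stack; the log format, user names, business-hours window and the 10x threshold are assumptions, and the log lines are constructed.

```python
"""Baseline-and-deviation checks over constructed access-log lines.

Added example, not code from Megatrend Redok. Two detections:
  1. a user whose downloaded volume in one hour far exceeds the median of
     that user's own other hourly buckets (possible mass exfiltration);
  2. downloads outside an assumed business-hours window (non-standard time).
Log format, thresholds and user names are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log lines: ISO-8601 timestamp, user, action, bytes transferred.
SAMPLE_LOG = """\
2025-03-03T09:12:41Z alice download 1200000
2025-03-03T10:05:02Z alice download 1500000
2025-03-04T09:40:13Z alice download 1100000
2025-03-04T11:22:57Z alice download 1300000
2025-03-05T09:03:30Z alice download 1400000
2025-03-05T14:48:09Z alice download 1250000
2025-03-06T02:17:44Z alice download 350000000000
2025-03-03T08:55:10Z bob download 800000
2025-03-04T08:58:21Z bob download 850000
2025-03-05T09:01:02Z bob download 790000
2025-03-06T08:59:33Z bob download 810000
"""

TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse constructed log text into (timestamp, user, action, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, size = line.split()
        events.append((datetime.strptime(ts, TIMESTAMP_FMT), user, action, int(size)))
    return events


def hourly_volume(events):
    """Sum downloaded bytes per (user, 'YYYY-MM-DD HH') bucket."""
    buckets = defaultdict(int)
    for ts, user, action, size in events:
        if action == "download":
            buckets[(user, ts.strftime("%Y-%m-%d %H"))] += size
    return buckets


def find_volume_anomalies(events, ratio=10.0):
    """Flag hourly buckets exceeding `ratio` x the median of the user's other buckets.

    Using the user's own history as the baseline (rather than a global
    constant) is what lets a legitimately heavy user avoid false alarms while
    a sudden outlier for any user is still caught. Returns sorted tuples
    (user, bucket, volume, baseline).
    """
    per_user = defaultdict(dict)
    for (user, hour), vol in hourly_volume(events).items():
        per_user[user][hour] = vol
    anomalies = []
    for user, hours in per_user.items():
        for hour, vol in hours.items():
            others = [v for h, v in hours.items() if h != hour]
            if not others:
                continue  # a single observation gives no baseline to compare against
            baseline = median(others)
            if vol > ratio * baseline:
                anomalies.append((user, hour, vol, baseline))
    return sorted(anomalies)


def off_hours_events(events, start_hour=6, end_hour=22):
    """Return (user, timestamp) for downloads outside the assumed business window."""
    return [(user, ts) for ts, user, action, _ in events
            if action == "download" and not (start_hour <= ts.hour < end_hour)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, hour, vol, base in find_volume_anomalies(evs):
        print(f"VOLUME  {user} {hour}: {vol} bytes vs baseline {base:.0f}")
    for user, ts in off_hours_events(evs):
        print(f"OFFHOURS {user} at {ts.isoformat()}")
```

In the constructed data the same event trips both checks (a very large transfer at 02:17), which is the point the interviewee makes about connecting the signal with the real risk: two independent indicators on one event deserve escalation, whereas a single high-volume bucket during business hours from a user whose history already shows large volumes would only warrant a look.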

When was the last time your organisation had a serious security incident or near-incident, and what specifically did you change in your protection system as a result?

Since its founding, Megatrend Redok has not experienced a case of document loss or an incident that would lead to a compromise of the integrity or availability of our users’ data. That does not mean we live under the illusion of “complete security”. In cases of smaller technical difficulties or near-miss events, our approach is always the same: first stabilise the situation, then conduct a root-cause analysis and, finally, implement permanent corrective measures. This includes, or may include, additional controls, configuration changes, or the tightening of procedures, depending on what is needed.

What RTO and RPO have you defined for key e-invoice exchange services?

The systems are designed with a high degree of redundancy, and for us, the key business indicator is simple: since our founding, we have not lost a single document. In practice, our storage and replication mechanisms have achieved what matters most both to us and to our users, that not a single e-invoice or other document is lost.

Formal RTO and RPO parameters are defined by contracts and SLAs, and their goal is to maintain the continuity of document exchange even in the event of more serious technical problems. Behind this stand redundant infrastructure, regular backups, and the separation of critical system components.

How do you notify clients in real time if you detect suspicious activity on their accounts?

The method of communication depends on the specific case. In the event of suspicious activities that may affect the security or integrity of data, we contact the user through the channels defined by contract, most often through a combination of email, telephone call, and information via support. It is important to us that communication be timely and clear: what is happening, what measures have been taken, what the user needs, or does not need, to do, and what the next steps are. With our users, we develop a culture of open partnership, not a minimalist “we stay silent until we have to” approach.

Who has access to the data that passes through your system, and how do you control that?

Access to data at Megatrend Redok is strictly limited and controlled. Operationally, we start from the only correct principle: all data belongs to the user, and our role is to securely transmit, process, and store it, with the minimum necessary operational insight. Technically, in practice, this is a combination of data encryption, controlled role-based access, and clear system segmentation. The goal we have achieved is to limit the number of people and systems that can come into contact with sensitive content at all.

Do you apply the principle of least privilege, meaning that each employee has access only to the data necessary for their work, and how do you ensure this technically?

Yes, Megatrend Redok applies the principle of least privilege as a standard. Each employee is assigned roles and access rights that are limited to the specific tasks they perform.

This is supported by technical access control mechanisms, logging, and regular periodic reviews of assigned rights. In this way, we prevent someone from retaining privileges they no longer need or accumulating an overly broad set of permissions over time.
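The periodic review of assigned rights mentioned in the answer above has two concrete outputs a reviewer looks for: privileges a person holds but has not exercised in the review window (candidates for revocation) and privileges beyond what their role is supposed to carry (permission creep). The following is an added example written for this article, not Megatrend Redok's own tooling; the roles, privilege names, users and log entries are constructed, and the 30-day window is an assumption.

```python
"""Periodic access-rights review over constructed assignment and log data.

Added example, not code from Megatrend Redok. Given a role baseline, the
privileges each user actually holds, and a log of privileges exercised, report
  1. held-but-unused privileges within the review window, and
  2. privileges held beyond the user's role baseline.
All names, roles and log entries are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed role baseline: what each role is supposed to carry.
ROLE_BASELINE = {
    "support": {"invoice.read", "ticket.write"},
    "operator": {"invoice.read", "invoice.resend", "queue.manage"},
}

# Constructed current assignments: user -> (role, privileges actually held).
ASSIGNMENTS = {
    "ana": ("support", {"invoice.read", "ticket.write"}),
    "marko": ("operator", {"invoice.read", "invoice.resend", "queue.manage", "user.admin"}),
    "ivana": ("support", {"invoice.read", "ticket.write", "invoice.resend"}),
}

# Constructed access log: (timestamp, user, privilege exercised).
ACCESS_LOG = [
    ("2025-02-10T09:00:00Z", "ana", "invoice.read"),
    ("2025-02-11T10:30:00Z", "ana", "ticket.write"),
    ("2025-02-12T08:15:00Z", "marko", "invoice.read"),
    ("2025-02-12T08:20:00Z", "marko", "queue.manage"),
    ("2025-01-05T12:00:00Z", "marko", "user.admin"),  # older than the review window
    ("2025-02-13T09:45:00Z", "ivana", "invoice.read"),
]


def privileges_exercised(log, since):
    """Map user -> set of privileges exercised at or after `since`."""
    used = defaultdict(set)
    for ts, user, priv in log:
        if datetime.strptime(ts, TIMESTAMP_FMT) >= since:
            used[user].add(priv)
    return used


def unused_privileges(assignments, log, review_date, window_days=30):
    """Privileges held but not exercised within the window: revocation candidates."""
    since = review_date - timedelta(days=window_days)
    used = privileges_exercised(log, since)
    report = {}
    for user, (_, held) in assignments.items():
        stale = held - used.get(user, set())
        if stale:
            report[user] = sorted(stale)
    return report


def excess_privileges(assignments, baseline):
    """Privileges held beyond the role baseline: permission creep."""
    report = {}
    for user, (role, held) in assignments.items():
        extra = held - baseline[role]
        if extra:
            report[user] = sorted(extra)
    return report


if __name__ == "__main__":
    review = datetime(2025, 2, 15)
    print("unused:", unused_privileges(ASSIGNMENTS, ACCESS_LOG, review))
    print("excess:", excess_privileges(ASSIGNMENTS, ROLE_BASELINE))
```

The two reports answer different questions and both matter: an unused privilege may be legitimate but dormant (and is still an unnecessary exposure), while an excess privilege is a deviation from the role model regardless of whether it is used. In the constructed data `marko` holds `user.admin`, which is both outside the operator baseline and last exercised before the window, so it appears in both lists.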

Do you use subcontractors or cloud providers for the storage or processing of your clients’ data, and how do you ensure that they also meet the same security standards that you advocate?

Yes, we use cloud services, including AWS and others, with the key condition being data residency in the EU and compliance with relevant security standards. AWS itself supports 143 security standards and compliance certifications, alongside ISO 27001 and other industry certificates. We choose suppliers according to strict criteria, from technical capabilities and certificates to contractual guarantees and DPAs, and in this way, we ensure that the chain of trust does not stop with us, but also includes all key partners involved in data processing and storage.

How do you deal with the threat of insider attacks, situations in which a security breach does not come from outside, but from your own employee or former associate who has or had access to the system?

We devote equal attention to internal risks as to external threats. The mitigation of internal risks is based on three key elements: screening and contractual obligations at the time of hiring, including confidentiality, strict control, and segmentation of access rights, and a standardised offboarding process through which the powers of former associates are quickly and fully revoked. In addition, the content accessed by employees is encrypted, and every access is logged, so any misuse of privileges leaves a trace. In this way, we reduce both the motivation and the opportunity for an individual to abuse the trust placed in them.

What does an entrepreneur who uses your services actually know about how you protect their data?

We believe that security is not a “black box”. In our communication with clients, through the contract itself, SLAs, and the documentation we share with clients, we clearly communicate how the system is designed, which security measures we apply, and what the obligations are on both sides.

In addition, through direct communication with users, from initial meetings to day-to-day support, we try to explain security in simple, understandable language: what we do and why that matters to them in their everyday work.

Is there a clear, understandable, and publicly available document, not hidden deep in contracts, that explains what happens to a user’s data in the event of a hacker attack, and what their rights and steps are?

We have detailed internal documentation that defines the course of action in the event of a security incident, including notification obligations and all subsequent steps. This serves as the basis for contractual clauses and communication towards clients. Still, at this moment, it is not in the form of a separate, publicly available document published on the website. Through contractual documents and agreements with their account and technical contacts, users receive all concrete information about what happens in the event of an incident, what their rights are, and what the recommended steps are.

In which situations, under the law or your own business policy, are you obliged to notify a user about a security incident affecting them, and how quickly after detection do you do so?

When it comes to security incidents, communication is based on legal regulation: GDPR in the case of personal data, cybersecurity regulations, and our internal policies.

Megatrend Redok does not want merely to fulfil legal obligations, so we have defined our internal communication policies and methods of action in an even stricter and more rigorous way. Our goal is to notify the user as soon as possible, immediately after an irregularity is detected, once the incident has been sufficiently confirmed and clarified for the communication to be accurate and useful to the client.

Detailed timelines and communication channels are defined by SLAs and contracts, but the common denominator is that incidents affecting users do not remain “below the radar”, but are actively communicated together with a proposal for concrete steps.

If an entrepreneur tomorrow asks a simple question, “Why should I trust you more than some other intermediary?” what is your concrete, measurable answer that is not just marketing?

Megatrend Redok is a company specialised in information intermediation, EDI, and integrations. Digital document exchange is not a business we began to deal with only upon the announcement and entry into force of the Fiscalization 2.0 Act. Megatrend Redok has been engaged in digital document exchange for more than 15 years on the Croatian and international markets. Our platforms are used every day by more than 40,000 domestic and international organisations and business entities that exchange more than 70 million documents annually. Our processes, infrastructure, and team have been tested on large volumes and in real-world conditions. All our systems are certified, ISO 9001 and ISO 27001, and are regularly externally audited, with demonstrable compliance with applicable standards and regulations.

Since its founding, Megatrend Redok has not lost a single user document, and the system architecture and operating model are designed precisely to continuously improve and enhance the availability, integrity, and security of e-invoice exchange. Our goal is for our users to feel that they have a partner, not just a “solution supplier”.