1. Introduction
This document describes the operation, constituency and services of National CERT / CERT.hr. The document complies with RFC 2350 (https://www.ietf.org/rfc/rfc2350.txt), which outlines the requirements and expectations of the Internet community for the best practices of CSIRTs in their operations.
1.1 Date of Last Update
This is version 6.0 of the document, published in June 2025.
1.2 Distribution List for Notifications
Currently, National CERT / CERT.hr has not established a mailing list to notify of updates to this document. Major update information is available on our website: https://www.cert.hr.
1.3 Locations where this Document May Be Found
The current version of this document is available on the National CERT / CERT.hr website at the following link: https://www.cert.hr/wp-content/uploads/2025/06/CERT_hr_RFC2350_ENG_v6.0.txt
1.4 Authenticating this Document
1. Document title: CSIRT SPECIFICATION FOR NATIONAL CERT – CERT.hr
2. Version: 6.0
3. Document date: 16.6.2025.
4. Expiration: This document is valid until further notice.
This document has been signed with the National CERT’s PGP key.
Public PGP key of National CERT/CERT.hr is available at: https://www.cert.hr/wp-content/uploads/2019/02/ncert_asc.zip
Digitally signed document is available at: https://www.cert.hr/wp-content/uploads/2019/02/ncert_asc.zip
2. Contact Information
2.1 Name of the Team
National CERT / CERT.hr – National Computer Emergency Response Team
2.2 Address
Croatian Academic and Research Network - CARNET
Sector - National CERT
Josipa Marohnića 5
10000 Zagreb
Croatia
2.3 Time Zone
CET – Central European Time: UTC+0100
(Start: last Sunday in October at 02:00; End: last Sunday in March at 02:00)
CEST – Central European Summer Time: UTC+0200
(Start: last Sunday in March at 03:00; End: last Sunday in October at 03:00)
2.4 Telephone Number
+385-1-6661-650
2.5 Facsimile Number
+385-1-6661-767 (not to be used for secure information)
2.6 Other telecommunication
None available.
2.7 Electronic Mail Address
cnre@tectrh.r – for general inquiries
niicedtnc@re.trh – for incident reporting – use of telephone and facsimile for reporting incidents should be avoided as much as possible
kz-sniicedtnc@re.trh – for the submission of reports about significant incidents from key service operators and digital service providers
2.8 Public Keys and Other Encryption Information
National CERT has a PGP key.
Primary User ID: Croatian National CERT
Key ID: 0xFCA254BB
Expiration: Never
Fingerprint:
E54B B60A C4D1 45E7 0FF4 CC5B E35C DB85 FCA2 54BB
The PGP key with a signature is available at National CERT’s / CERT.hr’s website (https://www.cert.hr/en/contact/) and at most of the popular key exchange servers.
2.9 Team members
The Assistant Director for the Sector – National CERT, Natasa Glavor, holds the post of head of National CERT / CERT.hr within the Croatian Academic and Research Network – CARNET. The Sector – National CERT comprises two services: Cyber incident handling service and safety management, and Service for development and safety of service and infrastructure.
2.10 Other information
General information about the National CERT, as well as links to various recommended security resources can be found at: https://www.cert.hr . Most of the information is available only in Croatian.
Facebook page: https://www.facebook.com/CERT.hr/
2.11 Points of Customer Contact
The preferred method for reporting an incident is via e-mail to niicedtnc@re.trh, and also via fax.
The procedure of reporting an incident is described at:
http://www.cert.hr/en/report_incident.
Received reports about an incident will be handled by National CERT team.
National CERT recommends encryption of confidential information with PGP when reporting an incident.
If sending an e-mail is not possible (or not advisable due to security circumstances), incidents can also be reported via telephone during regular office hours.
Reports about incidents according to the Cybernetic Security Act on key service providers and digital service providers can be submitted to kz-sniicedtnc@re.trh. The instructions can be found on the link in chapter 6 of this document.
National CERT’s operating hours are generally restricted to regular business hours (09:00-16:00 Monday to Friday).
3. Charter
3.1 Mission Statement
The purpose of the National CERT is, firstly, to assist users of the Internet in Croatia by implementing proactive activities in order to reduce the risks of cyber incidents, and secondly, to coordinate responding to such incidents when they occur.
3.2 Constituency
CERT.hr deals with an incident if one of the sides in the incident is located in the Republic of Croatia, i.e. if it is in a .hr domain or in the Croatian IP address space, in addition to state bodies, legal entities with public authority and local and regional self-government units, which are under the jurisdiction of the National Cyber Security Center (NCSC).
National CERT is the competent CSIRT for five sectors pursuant to the new Cyber Security Act (OG 14/24). These are the following sectors: Banking, Financial Market Infrastructure, Digital Infrastructure (for the Register of National Internet Domain Register), research and education system.
National CERT also performs the tasks of a CSIRT for public and private entities, including citizens.
3.3 Sponsorship and/or Affiliation
National CERT is financed by the Ministry of Science, Education and Youth via Croatian Academic and Research Network – CARNET. National CERT is a department within CARNET. Croatian Academic and Research Network – CARNET is engaged in the development, construction and maintenance of the ICT infrastructure connecting Croatian academic and scientific research institutions into a private network.
National CERT is a member of the following organizations:
- The CSIRTs Network was established by the NIS Directive. It consists of the CSIRTs of EU Member States, CERT-EU and ENISA, and operates with the aim of contributing to the development of trust between Member States and promoting fast and effective operational cooperation.
- FIRST (Forum of Incident Response and Security Teams) is an international confederation of CSIRTs that collaborate to resolve computer security incidents together and promote prevention programs.
- TF-CSIRT (Task Force CSIRT) is a working group that promotes cooperation and coordination between CSIRTs in Europe and neighboring regions, at the same time establishing ties with relevant organizations globally and in other regions.
- TI (Trusted Introducer) is a program that represents the reliable backbone of the teams and maintains a list of known, accredited and certified teams according to their demonstrated and verified maturity level. It is one of the three elements that make up the core of the TF-CSIRT portfolio, together with the meetings of the working group and TRANSITS. CERT.hr has been an accredited member since 2010.
3.4 Authority
National CERT was founded in accordance with the Law on Information Security of the Republic of Croatia, and under this Law one of its tasks is the handling of cyber incidents, i.e. the preservation of information security in the Republic of Croatia. According to the Rules of the National CERT, it deals with an incident if one of the sides in the incident is in the Republic of Croatia (or in the .hr domain).
National CERT is the competent CSIRT for five sectors based on the Cyber Security Act (OG 14/24). These are the following sectors: Banking, Financial Market Infrastructure, Digital Infrastructure (for the Register of National Internet Domain Register), research and education system.
According to the Ordinance on the Organization and Management of the National Internet Domain (OG 38/10), National CERT has the authority to request temporary deactivation of a .hr domain if it is determined that the domain hosts malicious content (phishing URL, malware URL) and there is no timely reaction to a content removal request.
National CERT has the right to issue instructions, guidelines, recommendations, advice and opinions within its jurisdiction.
4. Policies
4.1 Types of Incidents and Level of Support
National CERT is authorized to handle all types of cyber incidents and threats that occur within its constituency.
National CERT defines the following types of incidents:
- Picking infrastructure
- Collecting information
- Attempted unauthorized access
- Successful compromise
- Service unavailability
- Fraud
- Unwanted messages
- Other
National CERT engages with its resources in helping to resolve significant incidents that are defined according to the following priorities:
a) incidents that pose a threat to human lives
b) incidents that have a significant impact on essential and important entities
c) incidents of major importance
d) new types of malicious attacks
e) other incidents
National CERT is required to respond to a report within two working days (Monday-Friday).
4.2 Co-operation, Interaction and Disclosure of Information
National CERT cooperates with relevant national and international stakeholders.
Most significant collaborations:
- Croatian National Bank (CNB)
- Croatian Financial Services Supervisory Agency (HANFA)
- National Cyber Security Center (NCSC)
- Ministry of the Interior (MUP) of the Republic of Croatia.
- Croatian Banking Association (HUB)
National CERT also cooperates with foreign CERTs through membership in the Forum of Incident Response and Security Teams (FIRST) and the TF-CSIRT working group.
4.3 Communication and Authentication
For communication with CERT teams and other authorities responsible for information security, National CERT uses Internet, telephone, electronic media and written form. Other forms of communication are available in specific situations. When storing, publishing and sending data, it is ensured that data sources can be protected and verified using appropriate cryptographic and electronic signature methods. Other authentication methods include verification through members of the FIRST organization, use of WHOIS information service and data with the relevant registration authorities on the Internet, confirmation phone call and the return e-mail.
All communication is subject to the Privacy Notice, which can be found at https://www.cert.hr/NCOoPInc.
5. Services
5.1 Incident Response
National CERT gives support for the following technical and organizational aspects:
5.1.1. Incident Triage
• determining whether the observed incident can be classified as a cyber incident, i.e. whether it is a type of incident defined according to the National Taxonomy of Cyber Incidents
• security warnings are created on the basis of collected information, and distributed publicly or privately
• determining the extent of the incident
5.1.2 Incident Coordination
Coordination of response to significant incidents involving at least one party from Croatia where, due to its scope and significance, several CERTs or other relevant bodies are involved.
5.1.3 Incident Resolution
Reactive measures of incident resolution:
• Security warnings
• Coordination during resolution of major incidents
In addition, the National CERT collects statistics on incidents related to its area of activity and, where appropriate, reports to the public in order to encourage and facilitate protection against certain known types of attacks. To assist and mediate in handling of cyber incidents, a notification must be sent by e-mail to the National CERT address that complies with the parameters set out in Chapter 2.11.
Help and support of National CERT is provided according to chapter 4.1.
5.2 Proactive Measures
By taking proactive measures, National CERT acts before the occurrence of incidents or other events which pose a threat to the security of information systems, with the aim of preventing or mitigating possible damage.
Information about proactive measures is publicly available.
Proactive measures are as follows:
Security warnings: Based on tracking of events and situations in the field of computer security, analysis of available data and by foreseeing trends, National CERT prepares and publishes security alerts to adequately prepare to prevent or mitigate damage.
Monitoring of computer security technologies: National CERT regularly monitors the field of computer security technologies and integrates the findings into disseminated information.
Dissemination of information in the field of computer security: National CERT collects, aggregates, produces and disseminates relevant information and documents, recommendations and instructions in the field of computer security.
Vulnerability assessment: National CERT offers a vulnerability assessment service separately (and technically separated) for:
• Croatian Academic and Research Network – CARNET
• institutions that are connected to the CARNET network via permanent connection
More information is available here: https://www.cert.hr/provjera_ranjivosti/
Raising awareness of the importance of computer security: through public action and promotional activities, National CERT works to educate the general public and raise awareness about the importance of computer security.
Computer security education and training: National CERT prepares and conducts educational campaigns for targeted groups of users through educational materials.
6. Incident reporting forms
Instructions and forms for reporting incidents according to the Cybernetic Security Act on key service providers and digital service providers are available at: https://www.cert.hr/zks-incident.
Under the Cyber Security Law (OG 14/24), incidents with a significant effect are reported via the Pixi platform, except when the platform is inaccessible. The Pixi platform is a closed system intended for entities that are obliged by the Cyber Security Law, the DORA Regulation, the competent authorities for the implementation of cyber security, the competent authorities for the implementation of special laws, the competent CSIRT bodies and the single point of contact.
7. Disclaimer
While every precaution will be taken in the preparation of information, notifications and alerts, National CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.