2025-07-11

Guidelines on Reporting Significant ICT Incidents and Serious Cyber Threats by Hanfa via the National Platform for Collecting, Analyzing and Exchanging Data on Cyber Threats and Incidents

The Croatian Financial Services Supervisory Agency (Hanfa) issues guidelines mandating supervised entities to report significant ICT incidents and serious cyber threats via the national PiXi platform. The document details access procedures, user authorization roles, and specific classification criteria aligned with EU DORA regulations. It establishes strict timelines and standardized English-language reporting forms for initial, interim, and final notifications, including alternative electronic submission methods during platform outages.


Croatia

Croatian Financial Services Supervisory Agency


Based on Article 15(3) of the Act on the Implementation of Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (Official Gazette No. 136/24) and Article 15(1) of the Act on the Croatian Financial Services Supervisory Agency (Official Gazette Nos. 140/05, 154/11, and 12/12), the Management Board of the Croatian Financial Services Supervisory Agency adopted on July 11, 2025

GUIDELINES ON REPORTING BY HANFA OF SIGNIFICANT ICT INCIDENTS AND SERIOUS CYBER THREATS VIA THE NATIONAL PLATFORM FOR COLLECTING, ANALYZING AND EXCHANGING DATA ON CYBER THREATS AND INCIDENTS

GENERAL PROVISIONS

Article 1.

(1) These Guidelines specify the details regarding the reporting by the Croatian Financial Services Supervisory Agency (hereinafter: Hanfa) of significant ICT incidents and serious cyber threats via the national platform for collecting, analyzing and exchanging data on cyber threats and incidents (hereinafter: PiXi Platform).

(2) Except in cases where otherwise specified, the terms used in these Guidelines have the same meaning as in the Act on the Implementation of Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (hereinafter: the Act).

(3) These Guidelines apply to supervised entities under Article 8(1) and (2) of the Act (hereinafter: supervised entities).

Article 2.

(1) Supervised entities are required to report significant ICT incidents to Hanfa via the PiXi Platform, which was established by the law governing cybersecurity. By reporting significant ICT incidents to Hanfa via the PiXi Platform, the CSIRT is simultaneously notified.

(2) By using the PiXi Platform, supervised entities voluntarily report serious cyber threats.

(3) Penalty provisions related to the ICT incident management process are defined in points 56 to 65 of Article 19 of the Act.

ACCESS TO THE PIXI PLATFORM AND ALLOCATION OF AUTHORIZATIONS

Article 3.

(1) Access to the PiXi Platform for supervised entities that are legal entities is provided by CARNET based on notification from Hanfa. Access to the PiXi Platform is via the National Identification and Authentication System (NIAS) in accordance with instructions issued by CARNET.

(2) For supervised entities that are legal entities, CARNET conducts the procedure for revoking access to the PiXi Platform based on notification from Hanfa. Hanfa also delivers the notification of revocation of access to the PiXi Platform to the supervised entity.

(3) Instructions for accessing the PiXi Platform, which include a description of the authorization allocation process, are available to supervised entities on the home page of the PiXi Platform (https://pixi.carnet.hr).

Article 4.

(1) The person authorized to represent the supervised entity via the e-Authorizations service enables access to the PiXi Platform for persons who will report significant ICT incidents and serious cyber threats on behalf of that entity.

(2) By granting e-Power of Attorney (allocation of authority to natural persons to create access rights to the PiXi Platform on behalf of the legal entity), the person authorized to represent the supervised entity appoints the person responsible for managing user accounts on the PiXi Platform (hereinafter: administrator).

(3) The administrator must be an employee of the supervised entity, and the entity may appoint a maximum of two administrators. The administrator operationally allocates and revokes access rights to users of the PiXi Platform and may simultaneously be a user of the PiXi Platform.

(4) The administrator has the authority to grant e-Power of Attorney for access to the PiXi Platform to other persons (hereinafter: users). Depending on the allocated access rights, users have the ability to enter reports on significant ICT incidents and serious cyber threats.

(5) Users may be employees of the supervised entity or employees of third-party ICT service providers. The supervised entity remains ultimately responsible for the timely and complete reporting of significant ICT incidents.

REPORTING ON SIGNIFICANT ICT INCIDENTS

Article 5.

(1) Supervised entities classify ICT incidents in accordance with the classification criteria and significance thresholds prescribed in Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council as regards regulatory technical standards determining criteria for the classification of ICT incidents and cyber threats, significance thresholds, and details of reports on significant incidents.

Article 6.

(1) If a supervised entity determines, based on the conducted classification, that an ICT incident is significant, it completes the report form for a significant ICT incident. The form is completed in English.

(2) The report form for a significant ICT incident is available on Hanfa's website in the "Guidelines and Forms" section at the link https://www.hanfa.hr/regulativa/digitalna-otpornost/.

(3) Supervised entities complete the report form for a significant ICT incident in accordance with the reporting instructions for significant incidents from Annex II of Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 establishing implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council as regards standard templates, forms and procedures that financial entities use for reporting significant ICT incidents and notifying about serious cyber threats.

(4) Supervised entities submit the completed report form for a significant ICT incident to Hanfa via the PiXi Platform within the prescribed deadlines. In the event of submitting an incomplete report form for a significant ICT incident, Hanfa may request its completion, and supervised entities are obliged to act on the request without delay and submit a new version of the report via the PiXi Platform.

(5) Upon confirmation of receipt, Hanfa promptly forwards the initial notification as well as the interim and final report on the significant ICT incident to the competent European supervisory authority.

Article 7.

(1) The deadlines for submitting the initial notification as well as the interim and final report are prescribed in Article 5 of Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council as regards regulatory technical standards determining the content and deadlines for the initial notification, interim and final report on significant ICT incidents, and the content of the voluntary notification on serious cyber threats.

Article 8.

(1) The procedure for submitting reports via the PiXi Platform is described in the document "User Instructions for the PiXi Platform (DORA Obligated Entities)", which is available to supervised entities within the PiXi Platform.

REPORTING ON SERIOUS CYBER THREATS

Article 9.

(1) Supervised entities classify serious cyber threats in accordance with the classification criteria and significance thresholds prescribed by Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council as regards regulatory technical standards determining criteria for the classification of ICT incidents and cyber threats, significance thresholds, and details of reports on significant incidents.

Article 10.

(1) If a supervised entity determines, based on the conducted classification, that a cyber threat is serious, it completes the notification form for a serious cyber threat. The form is completed in English.

(2) The notification form for a serious cyber threat is available on Hanfa's website in the "Guidelines and Forms" section at the link https://www.hanfa.hr/regulativa/digitalna-otpornost/.

(3) Supervised entities complete the notification form for a serious cyber threat in accordance with the notification instructions for serious cyber threats from Annex IV of Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 establishing implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council as regards standard templates, forms and procedures that financial entities use for reporting significant ICT incidents and notifying about serious cyber threats.

(4) Supervised entities submit the completed notification form for a serious cyber threat to Hanfa via the PiXi Platform. In the event of submitting an incomplete notification form for a serious cyber threat, Hanfa may request its completion, and supervised entities are obliged to act on the request and submit a new version via the PiXi Platform.

(5) Upon confirmation of receipt, Hanfa forwards the notification of the serious cyber threat to the competent European supervisory authority.

ALTERNATIVE METHOD OF REPORTING

Article 11.

(1) In exceptional cases when the PiXi Platform is unavailable, supervised entities submit forms for significant ICT incidents and serious cyber threats via the system for submitting data in electronic form through the DORA-IR report. Supervised entities complete these forms in accordance with these Guidelines.

(2) The technical instruction for reporting and working with the interface of the system for submitting data in electronic form is available on the home page of the system at the link https://reports.hanfa.hr/.

FINAL PROVISIONS

Article 12.

(1) These Guidelines enter into force on July 14, 2025, and are published on Hanfa's website.

CLASS: 011-01/25-07/01
FILE REFERENCE: 326-01-25-251-25-1
Zagreb, July 11, 2025

CHAIRMAN OF THE MANAGEMENT BOARD
dr. sc. Ante Žigman