What is AI regulation in Croatia?
AI regulation: countries and regions
Croatia's main AI rules come from the directly applicable EU AI Act rather than a standalone Croatian AI statute in the official sources reviewed. Croatia has, however, started its national implementation work by designating several authorities for fundamental-rights supervision, including AZOP and multiple ombuds institutions. For organisations, that means AI compliance in Croatia is already live: you need to assess EU AI Act duties, data protection rules and the relevant Croatian authority landscape before deployment.
What this means
If you build, buy or deploy AI in Croatia, the starting point is the EU AI Act. Because it is an EU regulation, it applies directly in Croatia. Croatia does not need to rewrite the whole rulebook before organisations have duties.
Croatia's national role is mainly institutional and practical. It has to designate authorities, connect AI oversight with existing Croatian law, and make sure rights-sensitive uses of AI can be supervised on the ground. That is why Croatia has already named several bodies for fundamental-rights supervision, while AZOP remains important wherever personal data is involved.
At the same time, Croatia is still shaping its wider AI policy. Official ministry material shows work on a National AI Development Plan, but strategy is not the same as binding regulation. For now, the binding architecture is the EU AI Act plus Croatia's existing legal framework, especially data protection and other sector rules.
Why it matters
This matters because AI governance in Croatia is not just an abstract EU issue. Croatian public administration is digitising quickly, AI policy work is active, and organisations are under pressure to use automation and generative tools. But the latest official country report also says SME uptake of advanced technologies, including AI, remains below the EU average. That creates a risky combination: appetite to use AI, but uneven compliance maturity.
For founders, buyers, operators and public bodies, the practical stakes are clear. A system can trigger EU AI Act duties, GDPR duties and Croatian rights-based scrutiny at the same time. If you do not know your role, your risk level and which Croatian body may care, you can create procurement, privacy, discrimination, media, election or public-law problems long before any separate Croatian AI act is passed.
How it works
The core legal position
Croatia is governed first by the EU AI Act itself. The Act entered into force in 2024, is binding in all Member States and applies directly in Croatia. That means Croatian organisations should not wait for a domestic AI statute before doing compliance work. Some AI Act duties already apply at EU level, and the broader regime is the main legal baseline for Croatia's enforcement architecture from 2 August 2026.
In practical terms, Croatia is not building a separate alternative system for AI. Note that the European Commission has proposed a digital Omnibus package that could defer some high-risk obligations, so the 2 August 2026 dates should be read as the current legal position rather than a settled certainty. It is building the national layer around the EU regime: authorities, procedures, rights supervision and integration with existing Croatian law. For providers of general-purpose AI models, the centre of gravity remains largely at EU level rather than with a single Croatian body.
Croatian authorities and oversight
Croatia has publicly notified the authorities competent for supervision and enforcement of obligations linked to the protection of fundamental rights when high risk AI systems are used. The list includes the Ombudswoman of the Republic of Croatia, the Ombudswoman for Children, the Ombudswoman for Gender Equality, the Ombudswoman for Persons with Disabilities, the Personal Data Protection Agency, the State Electoral Commission and the Agency for Electronic Media.
That list is important because it shows that Croatia's AI supervision is not concentrated in one place. Different rights and sectors already point to different Croatian institutions. If your system affects elections, media, children, disability rights, equality or personal data, the likely supervisory interest is already split across specialist bodies.
The public picture for AI Act market-surveillance designations is less clear in the official materials reviewed. The European Commission's public page on Single Points of Contact for AI Act market surveillance did not show a Croatian entry in the material reviewed. So it is safer to treat Croatia's public enforcement map as partly settled and partly still being clarified, rather than assume one clearly published all-purpose AI regulator now exists.
What organisations must actually do
The first question is role. Under the EU AI Act, providers, importers, distributors and deployers do not carry the same obligations. The second question is risk. You need to work out whether the system is prohibited, high risk, subject to specific transparency duties, or largely outside the stricter parts of the Act. The detailed classification mechanics belong mainly on the EU page, but the Croatian consequence is simple: organisations operating in Croatia still need to make that classification now.
For Croatian deployers, the most practical local issue is the link between AI assessments and data protection assessments. AZOP's published FRIA methodology makes clear that, before certain high risk AI systems are introduced, public-law bodies, private entities providing public services and some deployers in sensitive areas must carry out a fundamental-rights impact assessment. AZOP also says that where both a FRIA and a data protection impact assessment are needed, they should be combined so they reinforce each other.
That guidance also matters for governance timing. AZOP says a FRIA is required at the deployment stage for covered high risk AI uses, while a data protection impact assessment should be done at the beginning, before AI system development starts. In other words, a Croatian organisation should not leave privacy and rights review until procurement is already finished or the tool is nearly live.
The national digital context
Croatia's wider digital policy is broadly pro-adoption. The Digital Croatia Strategy until 2032 is the umbrella national framework for digital transformation, built around an innovative digital economy, digital public administration, very high-capacity networks and digital skills. In parallel, official ministry work has started on a National AI Development Plan and accompanying action planning.
But Croatia's digital context is mixed, not uniformly advanced. The Commission's 2025 Digital Decade country report says Croatia has made strong progress in infrastructure, cybersecurity and public digital services, while still facing challenges in SME digitalisation and in the uptake of AI and other advanced technologies. That matters operationally: many Croatian organisations will be trying to adopt AI before they have a mature governance stack, so leadership teams should expect capability gaps in documentation, procurement, oversight and incident handling.
Examples
Before a covered high risk public deployment. If a Croatian public-law body, or a private entity providing a public service, plans to introduce a covered high risk AI system, a FRIA has to be built into the deployment path. If the system also processes personal data, AZOP recommends combining that FRIA with a DPIA rather than running two disconnected reviews.
A chatbot in a sensitive context. AZOP's methodology gives a practical example: a chatbot will often count as a medium-risk AI system, but if it is used in a sensitive context the personal-data processing may still be high risk. In that case a DPIA may be required even if a FRIA is not.
A rights-sensitive deployment with more than one Croatian touchpoint. If an organisation in Croatia uses AI in an area that can affect elections, media pluralism, children, disability rights, equality or personal data, one internal reviewer is unlikely to be enough. The designated authority list shows that these questions already sit with different Croatian bodies, so a serious deployment workflow should map those rights dimensions at design stage, not only after a complaint arrives.
Common misunderstandings
Misunderstanding: Croatia has no AI regulation until it passes its own AI law. Correction: The EU AI Act already applies directly in Croatia.
Misunderstanding: AZOP is the only Croatian AI regulator. Correction: AZOP is important, especially for personal data, but Croatia has already designated several different fundamental-rights authorities.
Misunderstanding: If a tool is not high risk, there is nothing to do. Correction: Non high risk tools can still raise transparency, privacy, consumer, employment, media or discrimination issues.
Misunderstanding: A FRIA and a DPIA are the same assessment. Correction: They are related but different. They have different triggers and, in Croatian guidance, can be combined when both are needed.
Misunderstanding: Croatia's fast digitalisation means most organisations are already AI-ready. Correction: Official country reporting still shows gaps in SME digitalisation and advanced technology uptake.
Risks and boundaries
This page is about Croatia's national implementation picture, not the full detail of every EU AI Act category, exemption or technical obligation. If your question turns on whether a specific system is prohibited, high risk, or subject to conformity assessment, you need the EU-level mechanics as well.
The official sources reviewed show a partly complete and partly evolving Croatian enforcement map. Croatia has publicly designated its fundamental-rights authorities, but the public picture for market-surveillance designations and a Croatian Single Point of Contact was not complete in the official materials reviewed. That may change.
Official ministry material also shows work on a National AI Development Plan and accompanying action planning. That is important for policy direction, funding and governance culture, but it is not the same thing as binding compliance duties.
Finally, the AI Act is not the whole story in Croatia. Depending on the use case, organisations may also need to deal with GDPR, Croatia's GDPR implementation framework, anti-discrimination law, media regulation, election rules, procurement duties, employment law, sector safety rules and, in some cases, criminal law. This is an explanatory overview, not legal advice.
What to do next
Start with an AI inventory for Croatia, not a generic global list. For each system, identify your role in the EU AI Act chain, the business or public-service context, the data involved and the Croatian rights areas it could affect. Then decide which systems may need a FRIA, a DPIA or both, and make sure those assessments happen early enough to change design, procurement and vendor selection if needed.
Put one named executive owner in charge of watching the Croatian authority picture. The public map is split across specialist bodies and still developing. Your contracts should require access to technical documentation, instructions for use, logging, human-oversight settings, incident support and evidence needed for assessments. Finally, make AI literacy part of staff training now, because waiting for a separate Croatian act is the wrong trigger for action.
FAQs
Does Croatia have its own standalone AI Act?
In the official sources reviewed, Croatia's binding AI regime still comes mainly from the directly applicable EU AI Act rather than from a standalone Croatian AI statute.
Which Croatian authority regulates AI?
There is no single clearly published all-purpose AI regulator in the official materials reviewed. Croatia has designated several authorities for fundamental-rights supervision, and the public market-surveillance picture is still incomplete.
What role does AZOP play?
AZOP is Croatia's personal data protection authority under GDPR and is also one of the Croatian bodies designated under the AI Act's fundamental-rights supervision model.
Do Croatian public bodies have extra AI duties?
Often yes. Certain public-law bodies, private entities providing public services and some deployers in sensitive areas may need a FRIA before deploying covered high risk AI systems.
If my AI tool is not high risk, can I ignore Croatian compliance issues?
No. You may still face data protection, transparency, employment, consumer, media or discrimination duties, even if the strictest AI Act layer does not apply.
Is Croatia preparing a national AI strategy?
Yes. Official ministry material shows work on a National AI Development Plan until 2032 and an accompanying action plan, but strategy is not the same as binding regulation.
Why is the Croatian authority map important for buyers and deployers?
Because rights-sensitive AI uses in Croatia can attract attention from different bodies at once, including data protection, equality, children, disability, election and media authorities.