Page 121 - Cyber Terrorism and Extremism as Threat to Critical Infrastructure Protection

ROBERT MIKAC, KREŠIMIR MAMIĆ, IVA ŽUTIĆ: CYBERTERRORISM THREATS TO CRITICAL INFRASTRUCTURE: COORDINATION AND COOPERATION FROM BRUSSELS TO SOUTH-EASTERN EUROPE AND BACK

            The regulatory framework for the protection of critical infrastructure in cyberspace and
            critical information infrastructure was initiated by the enactment of Regulation (EC) No 460/2004
            on establishing the European Network and Information Security Agency (European
            Parliament and Council of the European Union, 2004). This regulation was replaced by Regulation
            (EU) No 526/2013 concerning the European Network and Information Security Agency
            (European Parliament and Council of the European Union, 2013), which was called the European
            Union Cybersecurity Act. It was finally replaced by Regulation (EU) No 2019/881 on ENISA
            (the European Union Agency for Cybersecurity) and on information and communications
            technology cybersecurity certification (European Parliament and Council of the European
            Union, 2019). The same bodies issued another important document during 2016: Directive
            2016/1148 of the European Parliament and of the Council concerning measures for a high
            common level of security of network and information systems across the Union (hereinafter:
            NIS Directive) (European Parliament and Council of the European Union, 2016).

            All these documents have become a framework for critical infrastructure protection, defining
            the direction of action required by the actors, and outlining the mechanisms that need to be
            developed and put in place to ensure that cooperation on the protection of critical infrastructure
            and critical information infrastructure is effectively enforceable. However, what is
            challenging in the field of research of this paper is that ‘cyberterrorism’ in the EU policy environment
            may be deemed a misnomer, since it has not yet been explicitly defined at EU level (Pierozzi,
            2018: p 1) and that “neither the definition nor the context of the term cyberterrorism have
            reached so far a broad consensus within the (international) instances dealing with this topic”
            (CyberROAD, 2016: p 17). So, the conclusion is that if ‘cyberterrorism’ in the EU policy
            environment is not framed through clear policies and guidelines, then it is difficult to talk
            about protecting critical infrastructure from such a threat.

            By reviewing and analyzing strategies and key normative documents, we have come to
            several important points that need to be highlighted for further discussion: a) the European Union
            points out that there is a great deal of critical infrastructure in its territory (the territory of
            the Member States) whose disruption or destruction would have significant, transboundary
            effects; b) bilateral cooperation between the Member States needs to be upgraded with
            comprehensive EU-wide solutions; c) the responsibility for protection lies with the Member States
            and critical infrastructure operators, and the EU can assist them in these efforts; d) the EU has
            primarily focused its initial discourse on critical infrastructure protection on defence against
            terrorism, and e) over time, other risks are increasingly accepted and considered.

            3.1 A Strategic and Normative Framework for the Protection of Critical Infrastructure
               in the Republic of Croatia

            In the same way as the European Union, the Republic of Croatia set its first strategic discourse
            on critical infrastructure from the aspect of protection against terrorism. In 2008 the National
            Strategy for the Prevention and Suppression of Terrorism states: “In principle, terrorist threats
            can vary between individual attacks on highly symbolic values, attacks aimed at causing as
            many casualties as possible, spreading as much fear and as much destruction as possible, and
            attacks on critical national infrastructure” (Government of the Republic of Croatia, 2008:
            Point 8). While the strategic documents mentioned below considered critical infrastructure
            primarily from the central interest position of the said documents, the Republic of Croatia
            Protection And Rescue Plan of 2010, as the most crucial document for planning the operation
            of the security and rescue forces and the organization of civil protection systems in response
