Assessment of the Global Value Chain in Croatia: Cybersecurity
Croatia Competitiveness Reinforcement Initiative
December 2017

This document is a product of the staff of the International Bank for Reconstruction and Development/The World Bank. The findings, interpretations, and conclusions expressed in this volume do not necessarily reflect the views of the Executive Directors of the World Bank, the governments they represent, or the Government of Croatia. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgement on the part of the World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

This report was prepared by a team from the World Bank (Stjepan Mandić and Austin Kilroy) and the Center for Industrial Development (Centar za industrijski razvoj, CIRAZ) (Marina Kopjar and Kristijan Bošnjak). Funding for this report was provided by the European Commission through the Operational Program for Competition and Cohesion.
Acronyms

AID = Academy for Industrial Development
AIK = Agencija za investicije i konkurentnost (Agency for Investments and Competitiveness)
BERD = Business Enterprise Expenditure on R&D
CAGR = Compound Annual Growth Rate
CERT = Computer Emergency Response Team
CIRAZ = Centar za industrijski razvoj (Center for Industrial Development)
CISA = Certified Information Systems Auditor
CISEx = Croatian Independent Software Exporters
CRANE = Croatian Business Angels Network
DAST = Dynamic Application Security Testing
DAZ = Development Agency Zagreb
DZS = Croatian Bureau of Statistics
EU = European Union
FDI = Foreign Direct Investment
FER = Faculty of Electrical Engineering and Computing Zagreb
GDP = Gross Domestic Product
GVC = Global Value Chain
HGK = Hrvatska Gospodarska Komora (Croatian Chamber of Economy)
HS = Harmonized System
ICT = Information and Communication Technology
IDC = International Data Corporation
IOT = Internet of Things
IP = Intellectual Property
ISO = International Organization for Standards
IT = Information Technology
KET = Key Enabling Technology
M&E = Monitoring and Evaluation
MIT = Međimurje IT
MOD = Ministry of Defense
NACE = Nomenclature statistique des activités économiques dans la Communauté européenne (Statistical Classification of Economic Activities in the European Community)
NATO = North Atlantic Treaty Organization
NSF = National Cybersecurity Framework
R&D = Research and Development
RDI = Research, Development and Innovation
ROA = Return on Assets
ROE = Return on Equity
S3 = Smart Specialization Strategy
SAST = Static Application Security Testing
SMEs = Small and Medium Enterprises
STPA = Subthematic Priority Area
TVZ = Technical University of Applied Sciences
ZSIS = Information Systems Security Bureau

Table of Contents

1. Context
2. Cluster Profile
2.1. Overview
2.1.1. History and Significance of the Industry in Croatia
2.1.2. S3 and STPA
2.1.3. Regulatory Framework
3. National Supply Profile
3.1. Product Development
3.2. Exports
4. Industry Functioning
4.1. Economic Geography
4.1.1. Number of Firms
4.1.2. Clustering of Firms
4.2. Profitability Analysis
4.2.1. Assets, Debt, and Revenue
4.2.2. Employees
4.2.3. Cost Structure and Margins
4.3. Productivity and Innovation
4.3.1. Productivity
4.3.2. Innovation
5. Cluster Figures: Market-Based Actors
5.1. Core Firms
5.1.1. Notable Firms
5.2. Peripheral Firms
5.2.1. Input Providers
5.2.2. Buyers
5.3. FDI in the STPA
6. Cluster Agents: Cross-Cutting Support Bodies
6.1. Professional Associations and Cluster Organizations
6.1.1. Cluster Organizations
6.1.2. Professional Associations
6.2. Academic, Vocational, and Research Bodies
6.2.1. Universities and Faculties
6.2.2. Vocational Schools
6.2.3. Research Bodies
6.3. Public Sector
6.3.1. Sector Support, Policy, and Intervention
6.3.2. National Cybersecurity Framework
7. Assessment on Cluster Interactions
7.1. Relationship of Cluster Agents
7.2. Takeaway for the Change Management Process
Bibliography

1.
Context

The overall objective of the current technical advisory services is to assist and support the Ministry of Economy, Entrepreneurship, and Crafts in its efforts to strengthen the position of Croatia’s clusters in selected global value chains (GVCs) according to 13 thematic and subthematic priority areas (STPA) as defined under the Croatian Smart Specialization Strategy (S3). The current advisory work consists of the following five components:

• Component 1: Strengthening the Capacity of Beneficiaries and Partners
• Component 2: Strategic Analysis and Competitive Positioning
• Component 3: Action Plans and Policy Design
• Component 4: Design of Academy for Industrial Development (AID)
• Component 5: Monitoring and Evaluation

The list of deliverables under the current project is presented in Table 1.

Table 1: Project Deliverables by Component

Component 1
1. Programs and training modules and a comprehensive set of teaching materials to train the client and Croatian Chamber of Economy (Hrvatska Gospodarska Komora, HGK) competitiveness experts
2. Six modules of five days of training taught by international professors (at least 18 trained competitiveness experts in beneficiaries and partners)

Component 2 (STPAs 1–7)
3. Report on ‘Assessment of GVC Positioning of the STPA’ (7 documents, 1 document for each of STPAs 1 to 7)
4. Report on ‘Strategic Segmentation’, covering the following sections: industry analysis, strategy diagnostic and roadmap, and short- and long-term strategic plan (7 documents, 1 document each for STPAs 1 to 7)

Component 3 (STPAs 1–7)
5. Report on ‘Investment Plan Proposal’ containing partnerships for joint investments to improve the position in GVC for each STPA (1 document for the group of STPAs 1 to 7)
6. Report on ‘Action Plan to Strengthen the Position of Croatia in Selected GVCs’ containing short-term measures that could be implemented within 2 years as well as measures for the midterm and long term (1 document for the group of STPAs 1 to 7)
7. Report on ‘FDI Strategy’ covering the following sections: identification of niches and markets to attract foreign direct investment (FDI), Action Plan to attract investment in high-technology sectors and emerging industries, and Action Plan for FDI promotional activities with a marketing plan and branding strategy (1 document for the group of STPAs 1 to 7)
8. Report on ‘Export Strategy’ covering the following sections: list of products, services, and markets for prioritization and Action Plan for the promotion of exports (1 document for the group of STPAs 1 to 7)
9. Report on ‘Territorial and Product Branding Strategy’ covering the following sections: list of Croatian brands and territorial and product brands in GVCs and Action Plan for territorial and product branding (1 document for the group of STPAs 1 to 7)

Component 2 (STPAs 8–13)
10. Report on ‘Assessment of GVC Positioning of the STPA’ (6 documents, 1 document each for STPAs 8 to 13) [a]
11. Report on ‘Strategic Segmentation’, covering the following sections: industry analysis, strategy diagnostic and roadmap, and short- and long-term strategic plan (6 documents, 1 document each for STPAs 8 to 13)

Component 3 (STPAs 8–13)
12. Report on ‘Investment Plan Proposal’ containing partnerships for joint investments to improve the position in GVC for each STPA (1 document for the group of STPAs 8 to 13)
13. Report on ‘Action Plan to Strengthen the Position of Croatia in Selected GVCs’ containing short-term measures that could be implemented within 2 years as well as measures for the midterm and long term (1 document for the group of STPAs 8 to 13)
14. Report on ‘FDI Strategy’ covering the following sections: identification of niches and markets to attract FDI, Action Plan to attract investment in high-technology sectors and emerging industries, and Action Plan for FDI promotional activities with a marketing plan and branding strategy (1 document for the group of STPAs 8 to 13)
15. Report on ‘Export Strategy’ covering the following sections: list of products, services, and markets for prioritization and Action Plan for the promotion of exports (1 document for the group of STPAs 8 to 13)
16. Report on ‘Territorial and Product Branding Strategy’ covering the following sections: list of Croatian brands and territorial and product brands in GVCs and Action Plan for territorial and product branding (1 document for the group of STPAs 8 to 13)

Component 4
17. ‘Guidelines on Design and Management Model for AID’ containing the following sections: proposal for operational concept and management model for AID, Action Plan for AID, and proposal of the content for the first summer school for competitiveness’ 2-week program (1 document)
18. 1 set of (minimum 8) developed educational modules for entrepreneurs at AID
19. Training sessions for trainers (at least 16 certified trainers)

Component 5
20. Report on ‘Monitoring and Evaluation (M&E) of Cluster Initiatives’ [b] (1 document)
21. Two training sessions on M&E for the beneficiary institution

Note: a. This document will aggregate the information from the individual clusters into a single report, which will include information on (i) first results of the Value Chains Enterprise Survey and (ii) Croatian Value Chains Maps assessment. b. This report will present the M&E framework and key performance indicators.

In the context of Components 2 and 3, the methodology for analyzing the industry-specific GVC of each STPA follows the 10-step approach listed in Box 1.
Box 1: Cluster-Level GVC to Reinforce Competitiveness

The methodology for the analysis of Croatian industry from an industry-specific GVC perspective is adapted from the ‘10 steps’ commonly used to analyze the competitiveness of clusters and identify strategic options for their growth:

1. Mapping of the value chain activities in the STPA
2. Existing and emerging strategic segments globally for each STPA
3. Strategic segments attractiveness evolution globally
4. Advance global buyers purchase criteria for each segment
5. Generic strategic options for each segment
6. Key success factors of each segment
7. Ideal value chain and supporting environment for each segment
8. Segment suitability in function of value chain gaps and policy choices
9. Options for company position in the new segment
10. Definition of areas to improve at company, cluster, and policy levels

This document constitutes Deliverable 10 (‘Assessment of GVC Positioning of the STPA’) of the current project. It presents the results of the data collection on Croatian industry at the national level and presence of activities in the GVC, needed as step 1 of the 10 steps described in Box 1. This information comes from secondary data and from direct company and institution interviews; unfortunately, due to delays in the company interviews, it lacks that information, but it is expected to be complemented during the rest of the project.

The bulk of the analysis under Component 2 comes in the next Deliverable 11 (‘Strategic Segmentation’) that includes the industry analysis, strategy diagnostic, and roadmap, and short- and long-term strategic plan (steps 2 through 9 of the 10 steps described in Box 1).
• Background and contextual industry research is conducted to identify industry dynamics and trends related to global supply, industry cost structure and margins, and the recent evolution in the value chain structure.
• The industry is grouped into strategic segments that reflect not only the mix of products and services that are offered but also the users and markets that are served (Porter 1985).
• For each strategic segment, Porter’s ‘Five Forces’ analytical tool is used to assess industry attractiveness by determining the profitability of the industry and identifying the actors within the industry with the most bargaining power (thereby determining which actors appropriate the bulk of the available profits) (Porter 1979). This analysis studies the trends in attractiveness by looking at the forces in the recent past (before entering new Free Trade Agreement [FTA], for example) and in the next 5–10 years, considering the structural industry trends.
• The advanced buyer purchase criteria, generic strategic options, and the key success factors are used to determine the ideal value chain for each segment and identify the necessary value chain systems that need to exist at local, national, and regional levels within a country’s ecosystem for it to compete well.
• More attractive, higher-value-added segments that could allow Croatian industry to appropriate more value will be highlighted. The ‘ideal value chain’ for those segments will be compared to the Croatian context, which will itself be compared to leading countries in the highlighted segment(s) to assess Croatia’s potential capacity to compete.

The third set of deliverables (12, 13, 14, 15, and 16) defined under Component 3 covers the specific policy, investments, and/or institutional interventions that will be required for Croatia to ‘leap’ to those segments. That is step 10 in the 10 steps described in Box 1.
• Deliverable 12: Report on ‘Investment Plan Proposal’ containing partnerships for joint investments to improve the position in GVC for each STPA
• Deliverable 13: Report on ‘Action Plan to Strengthen the Position of Croatia in Selected GVCs’ containing short-term measures that could be implemented within two years as well as measures for the midterm and long term
• Deliverable 14: Report on ‘FDI Strategy’ covering the following sections: identification of niches and markets to attract FDI, Action Plan to attract investment in high-technology sectors and emerging industries, and Action Plan for FDI promotional activities with a marketing plan and branding strategy
• Deliverable 15: Report on ‘Export Strategy’ covering the following sections: list of products, services, and markets for prioritization and Action Plan for the promotion of exports
• Deliverable 16: Report on ‘Territorial and Product Branding Strategy’ covering the following sections: list of Croatian brands and territorial and product brands in GVCs and Action Plan for territorial and product branding

2. Cluster Profile

“Cybersecurity commonly refers to the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure. Cybersecurity strives to preserve the availability and integrity of the networks and infrastructure and the confidentiality of the information contained therein.” (European Commission 2013)

2.1. Overview

Cybersecurity includes a set of activities focused on protecting computers, networks, programs, and data from unauthorized and/or unintended access. Modern societies are rapidly becoming more digitalized, so cybersecurity has become increasingly important as governments, corporations, and people collect, process, and store vast amounts of confidential information and transmit that data across different digital channels.
Cyberattacks and various cyber threats have become commonplace in recent years. In response, individuals and companies across the world are becoming more aware of the potential threats and are ready to allocate substantial resources toward products and solutions that help mitigate such risks. A report from Business Insider Intelligence estimated that US$655 billion will be spent on cybersecurity initiatives to protect personal computers (PCs), mobile devices, and Internet of things (IoT) devices by 2020, of which US$386 billion will be spent on securing PCs, US$172 billion on securing IoT devices, and US$113 billion on securing mobile devices (Business Insider 2016).

According to Bloomberg and International Data Corporation (IDC), the largest areas of growth within cybersecurity are mobile security, IoT security, and specialized threat analysis and protection (Rana 2016). These growth areas are dwarfed in size by the overall information technology (IT) security market, but their projected compound annual growth rates (CAGRs) are expected to be significantly higher than those of the IT security market. For instance, while the specialized threat analysis and protection segment is only about US$1.5 billion in size (minuscule compared to the US$35 billion IT security segment), its projected CAGR is about 28 percent, much higher than the 5 percent projected growth rate for the IT security segment (Rana 2016). This reveals that these three growth areas will continue to propel and expand the cybersecurity industry going forward (Pendse 2017).

The Government of the Republic of Croatia has recognized cybersecurity as an increasingly important area for national security and has set up a strategic framework for cybersecurity through the National Strategy for Cybersecurity. The strategy is accompanied by the Action Plan that sets forth measures and defines the responsible bodies and the implementation timeline needed to make the strategy operational.
The strategy identifies the following fields of importance: public electronic communications; e-government; financial electronic services; critical infrastructure and crisis management; cybercrime; data protection; technical coordination; international cooperation; and education, research and development (R&D), and awareness campaigns in relation to cyber and information security. These areas were defined based on assessment of key priority topics for secure cyberspace in Croatia and include five core and four cross-cutting thematic areas (Republic of Croatia 2015), as shown in Figure 1.

Figure 1: National Strategy for Cybersecurity - Core and Cross-Cutting Thematic Areas
Source: National Cybersecurity Strategy (Republic of Croatia 2015).

2.1.1. History and Significance of the Industry in Croatia

Through the creation of the Internet and the linking of a series of communication and information systems in public, academic, and economic sectors, a modern cyberspace consisting of many interconnected infrastructures has been created. Users of this infrastructure generate vast amounts of data and use a growing number of different services that need to be protected. The cybersecurity industry has also become an area of rapid growth due to an ever-increasing number of people on network systems and development of various new digital products. The main driver of this growth in the past 10 years has been the financial sector, which has strict regulatory requirements on information security, imposed by the Croatian National Bank. Other than the financial sector, drivers of growth in this area were “security sensitive government institutions” (such as intelligence services, military, and police), as well as health services, the telecommunications industry, the insurance industry, and so on (Republic of Croatia 2016).

Information and communication technology (ICT) is, without a doubt, the basic support service for the cybersecurity industry.
Since information security is a broad area and companies in the ICT sector cover only certain parts of security services (as part of their overall market operations), it is hard to present the exact number of ICT companies covering security-related R&D and services. The ICT sector in Croatia has a great tradition and is considered one of the main drivers of economic and social development in Croatia. There is considerable technical capacity and know-how among Croatian ICT firms in the security field that dates back to one or more of the following factors: (a) a relatively long history of industrialization and high levels of education in Croatia; (b) the need to build a defense industry from the ground up due to the 1991–1994 Homeland War; and (c) good technical universities.

Figure 2: Significance of the Croatian ICT Industry for National Economy, ICT Industry as Percentage of Croatian GDP, 2010–2014
[Chart not reproduced. Series: % of the ICT sector in GDP (Total); % of the ICT manufacturing in GDP; % of the ICT services in GDP.]
Source: Center for Industrial Development (Centar za industrijski razvoj, CIRAZ) rendering of Eurostat data.
Note: GDP = gross domestic product.

Potential for development of the cybersecurity industry in Croatia lies on the demand side as well. Nowadays, the right to access the Internet has become one of the common human rights. Statistics for Croatia from 2010 to 2016 show considerable evolution of Internet usage in Croatia that correspondingly also drives demand for digital security products. In the last six years, the number of Internet users has increased by over 20 percent, but Croatia is still lagging behind some developed countries such as Norway or other European countries similar to Croatia.

Figure 3: Individuals Regularly Using Internet, Percentage of Individuals Ages 16–74
[Chart not reproduced. Series: Croatia, Norway, Germany, Czech Republic, Slovenia; years 2010–2016.]
Source: CIRAZ rendering of Eurostat data.

2.1.2. S3 and STPA

The government’s S3 provides useful insight into the scope and focus of the STPA described in the strategy. The Cybersecurity STPA within the S3 is one of three STPAs within the Security thematic priority area. This STPA is mostly focused on “development and research of investments in several areas/niches where Croatia intends to upgrade its current level of technological capacity, human resources and expertise” (Republic of Croatia 2016) to become globally competitive in the cybersecurity industry. The strategy spans a varying set of activities and lays out a range of R&D topics and key enabling technologies (KETs) that can be utilized to support private sector growth.

The scope of the Cybersecurity STPA includes Research, Development & Innovation (RDI) topics and associated indicative RDI topics under cross-cutting themes KETs and ICT presented in Box 2. The RDI topics should serve as the main drivers of growth and development of the industry and their activities.
Box 2: Indicative RDI Topics under the Cybersecurity STPA (with Cross-Cutting Themes KETs and ICT)

• Cyber space monitoring systems
• Security of IT systems
• Crypto security communications systems—tailored to EU/NATO standards
• Security of SCADA systems
• Digital forensics
• Development of tailor-made systems for security education
• Cloud computing security

Associated indicative RDI topics under cross-cutting themes KETs and ICT are as follows:

• KETs for tools and techniques for cybersecurity including wireless security, cloud security and privacy, and autonomic network defense
• KETs of micro- and nanoelectronics for embedded circuits and systems for severe operational conditions and high-autonomy and communicating devices and secure and dependable communication platforms and IT infrastructures and services, relying on cryptography, authentication, authorization, and accounting methods
• Computer vision and machine learning with application in the field of cybersecurity

Source: S3 2016–2020 (Republic of Croatia 2016).
Note: EU = European Union; NATO = North Atlantic Treaty Organization; SCADA = Supervisory Control and Data Acquisition.

These topics will be important for achieving innovation in the sector and will be more thoroughly assessed in Deliverable 11 in the context of how they can support access to more attractive segments. More immediately, the following sections take stock of how the Croatian industry is performing now—particularly in the perspective of Global Value Chain (GVC) participation—and then map a set of relevant actors, agents, and organizations that represent the ‘cluster’ associated with this sector.

2.1.3. Regulatory Framework

The Government of the Republic of Croatia recognized cybersecurity as a critically important component of national security and has created a strategic framework for cybersecurity defined through the National Strategy for Cybersecurity. The strategy was adopted by the government in October 2015.
The national cybersecurity framework is implemented through the following:

• Coordination within the public sector
• National cooperation of the public, academic, and economic sectors
• Consultation with the interested public and informing of citizens
• International cooperation of cybernetic security stakeholders

As a member of the EU, Croatia has harmonized its legislation with the acquis communautaire of the EU and transposed it into its legal system. The Croatian cybersecurity framework thus follows key strategies and guidelines set at the European level such as the Cybersecurity Strategy of the European Union and the Convention on Cybercrime of the European Council. The Government of the Republic of Croatia additionally reinforced the national cybersecurity regulatory framework by adopting several laws and acts that integrate some of the best practices from the most relevant standard-setting authorities around the world.

Responsibility for implementation of the framework lies with several government bodies, most notably the Ministry of Interior, Ministry of Defense (MOD), Croatian personal data protection agency, Croatian regulatory authority for network industries, security and intelligence agency, Croatian national computer emergency response team, and Croatian National Bank.

The most important pieces of legislation that regulate the Croatian cybersecurity space are as follows:

• Cybersecurity Strategy of the European Union (European Commission, JOIN (2013) 1 final, 02.2013). The Strategy outlines the EU's vision in the cybersecurity domain, clarifies roles and responsibilities, and proposes specific activities at the EU level. Its goal is to ensure strong and effective protection and promotion of citizens' rights to make the EU's online environment the safest in the world.
• Convention on Cybercrime (European Council, ETS 185, 09.2001).
  The convention is the first international treaty on crimes committed through the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception.
• National Security Strategy (Croatian Parliament, Official Gazette 73/2017, 06.2017). The strategy establishes the homeland security system as a response to the modern threats, which has to be modern, cost-effective, efficient, and tailored to the tradition and needs of Croatia. The Act on Homeland Security System stipulates systematic security management of security risks and crises of national importance and establishes a homeland security system.
• National Cybersecurity Strategy (Croatian Parliament, Official Gazette 108/2015, 10.2015). The strategy defines a framework for systematic and comprehensive planning of the most important activities to protect all users of modern electronic services, in both public and private sectors.
• Information Security Act (Croatian Parliament, Official Gazette 79/07, 07.2007). The act defines the concept of information security, measures and standards of information security; areas of information security; and authorized bodies for establishing, implementing, and supervising measures and standards of information security.
• General Data Protection Regulation (European Parliament, EU 2016/679, 04.2016). It defines rules for protection of EU citizens with regard to the processing of personal data and the free movement of such data.
• NIS Directive (European Parliament, EU 2016/1148, 07.2016). It defines a set of measures for a high common level of security of network and information systems across the Union.
• Guidelines on Internet Payments Security (European Banking Authority, EBA/GL/2014/12, 12.2014).
It sets the minimum security requirements that payment services providers in the EU are expected to implement.
• Decision on Prudent Management of IT Systems (Croatian National Bank, Official Gazette 37/10, 03.2010). It defines requirements for managing IT systems of credit institutions in Croatia.

3. National Supply Profile

The definition of the Croatian Cybersecurity STPA, as defined in Croatia’s S3, relies upon the sector definitions used in international best practice and considers sector specifics related to the IT industry. In that respect, for this analysis, the Croatian cybersecurity sector has been defined through a list of representative companies mentioned in the strategy. The list was further updated by inputs from the Ministry of Economy, Entrepreneurship, and Crafts and HGK’s CIRAZ.

Methodology. Financial analysis of the Croatian cybersecurity sector was conducted using the Bisnode Portfolio Intelligence database. The database offers financial data on Croatian companies gathered through collection of data from mandatory regulatory filings of Croatian companies submitted yearly to FINA (the Croatian Financial Agency, the payment and financial intermediary services provider) through a standardized GFI-POD form.¹ Figures shown in Sections 3, 4, and 5, unless otherwise stated, were created by analysis of financial information of companies operating within the NACE² sectors presented in Table 2. The database was accessed on October 17, 2017, with companies that had the status of (a) insolvent, (b) bankrupted, or (c) erased, excluded from the analysis.

The cybersecurity industry is difficult to define through NACE or Harmonized System (HS) codes given that most of the companies operating within the industry, in addition to their primary activities, often operate across multiple IT sectors, and the NACE and HS codes do not distinguish the uses to which IT goods and services are put.
Mapping and analyzing the industry showed that a large number of the companies operating within the Croatian cybersecurity industry fall within the following NACE codes:

Table 2: Scope of the Croatian Cybersecurity STPA

| Code | Code Name |
| --- | --- |
| C26.20 | Manufacture of computers and peripheral equipment |
| G46.51 | Wholesale of computers, computer peripheral equipment, and software |
| G47.41 | Retail sale of computers, peripheral units, and software in specialized stores |
| J62.01 | Computer programming activities |
| J62.02 | Computer consultancy activities |
| J62.03 | Computer facilities management activities |
| J62.09 | Other information technology and computer service activities |
| J63.11 | Data processing, hosting, and related activities |

Source: World Bank.

3.1. Product Development

Most companies within the cybersecurity industry are system integrators and mainly implement solutions from leading global vendors of equipment or software and further customize those solutions to their clients’ needs. Only a handful of Croatian companies are developing or offering their own solutions (for example, Reversing Labs, Defense Code, Infigo IS, and Alfatec Group).

¹ Standardized Financial Agency’s annual financial statements form.
² Nomenclature Statistique des Activities Economiques dans les Communautes Europeennes (Statistical Classification of Economic Activities of the European Community)

Looking at the demand side, in 2013, almost 47 percent of the IT budget in Croatia was spent by about 3,000 state and state-owned businesses (state administration bodies, agencies, institutes, courts, hospitals and health centers, primary, secondary, and higher secondary schools, faculties and universities, local government, municipalities, towns, and cities) and 1,420 public companies in total or predominantly state ownership, followed by a group of about 40 blue chip companies that accounted for 20 percent of IT spending.
Around 200 companies from the financial sector spent 12 percent of the Croatian IT budget, with the telecom sector following with 8 percent of IT expenditure, while the remaining 13 percent was spent by small and medium enterprises (SMEs) (Žitnik 2015). Looking at the product level, IT services accounted for 30 percent of IT budgets in Croatia in 2015, followed by PCs with 18 percent and smartphones with 17 percent (Juras 2016).

Figure 4: Croatian IT Market Consumers 2013
Source: Hrvatska IT industrija 1995–2015–2025.

Figure 5: Croatian IT Market by Product 2015
Source: IDC Adriatics (Juras 2016).

According to Žitnik (2015), Croatian IT expenditure per capita in 2015 amounted to US$250, roughly 30 percent below average IT expenditure per capita within EU 28.

3.2. Exports

Croatian firms within the industry mostly export software and secondary equipment. Domestic sales prevail in most sectors over exports. The highest ratio of exports can be seen in NACE J62.01 (34.3 percent), where the largest number of companies operate. NACE J62.01 represents firms that develop their own software and application solutions and have exported 21.7 percent of their production.

Figure 6: Exports versus Local Sales 2015 (% Export Share in Total Sales) (EUR)
[Bar chart by NACE code (J62.01, J62.02, J62.03, J62.09, J63.11, C26.20, G46.51, G47.41): income from domestic sales and income from sales abroad.]
Source: HGK and Bisnode Portfolio Intelligence database.

4. Industry Functioning

A total of 3,800 companies are operating within the Croatian IT sector with more than EUR 1.9 billion turnover in 2016 and employing more than 19,500 people.
However, the vast majority of companies dealing with cybersecurity are system integrators, integrating and implementing main global IT vendors’ products and solutions, and are working in areas outside of cybersecurity.

4.1. Economic Geography

4.1.1. Number of Firms

The vast majority of companies that are mapped to the aforementioned NACE codes are small companies. Small companies play a big role in this sector, especially in NACE J62.01 computer programming activities, and show the biggest potential for development of new, innovative solutions. Field research has shown that the lack of substantial R&D and innovation activities in bigger companies can be attributed to a lack of skilled workforce and human capacities, given that the existing ones are predominantly occupied by serving Croatian and regional clients.

Table 3: Number and Size of the Firms in the Cybersecurity STPA, 2015

| Code | Small | Medium | Large | Total |
| --- | --- | --- | --- | --- |
| C2620 | 210 | 7 | 2 | 219 |
| G4651 | 221 | 1 | 0 | 53 |
| G4741 | 116 | 0 | 0 | 222 |
| J6201 | 2,075 | 10 | 2 | 116 |
| J6202 | 360 | 2 | 0 | 2,087 |
| J6203 | 132 | 3 | 0 | 362 |
| J6209 | 442 | 2 | 0 | 135 |
| J6311 | 244 | 3 | 1 | 444 |
| Total | 3,849 | 31 | 6 | 3,886 |

Source: HGK.
Note: Classification of the companies within a certain band is defined by the Croatian Accounting Act (Official Gazette 78/2015).

4.1.2. Clustering of Firms

Analysis of geographical concentration was done according to NACE code (2007), classification of business activities of main players. The majority of the firms are concentrated in the City of Zagreb (capital city) and County of Zagreb, followed by the rest of Croatia with most of the activities focused around the big urban areas of Rijeka, Split, and Osijek. Significant factors for such concentration could be found in better access to financial institutions and capital market, work force, and logistical connectivity (airports) to other regions, both nationally and internationally.
Međimurje and Varaždin counties, north of Zagreb, have historically been manufacturing centers of Croatia, so pockets of ICT industrial expertise (for example, companies that produce intelligent traffic systems, cybersecurity laboratory at the Faculty of Engineering) have found their home there. The Kvarner and Istria regions, which lie close to Italy and Slovenia, have traditionally served these markets and are closely integrated with many of the input suppliers operating in those countries.

Figure 7: Distribution of Active ICT Companies by County on June 30, 2017
Source: Geostat, Croatian Bureau of Statistics (DZS), geostat.dzs.hr.

4.2. Profitability Analysis

Looking at the key financials of the Croatian IT sector by aggregating data for companies operating under NACE codes presented in Table 2, the sector posted stable revenue growth with a CAGR of 7.84 percent over the last three years. Firms were able to defend their margins and slightly increase operating profits compared to the growth rates of revenues. To satisfy growing demand, the sector continued to add employment at a CAGR of 6.34 percent, with the total number of employees rising to 19,646 at the end of 2016.

Table 4: Croatian IT Sector Aggregated Key Financials 2014–2016 (EUR, millions)

| | 2014 | 2015 | 2016 | CAGR (%) |
| --- | --- | --- | --- | --- |
| Assets | 1,100,755,178 | 1,258,309,648 | 1,357,416,973 | 7.24 |
| Equity | 466,246,597 | 543,505,783 | 615,450,459 | 9.70 |
| Financial liabilities | 273,170,698 | 266,316,396 | 254,522,140 | −2.33 |
| Revenues | 1,544,704,286 | 1,826,827,406 | 1,937,424,146 | 7.84 |
| Net profit | 96,575,557 | 112,320,461 | 130,288,254 | 10.50 |
| Employees | 16,336 | 17,846 | 19,646 | 6.34 |

Source: Bisnode Portfolio Intelligence database.

Figure 8: Croatian IT Sector Financials CAGR 2014–2016
[Bar chart of CAGR for employees, net profit, revenues, financial liabilities, equity, and assets.]
Source: Bisnode Portfolio Intelligence database.

4.2.1. Assets, Debt, and Revenue

Firms operating under NACE 62.01 code - Computer programming activities have a considerable role in the Croatian IT industry. Most of the players that produce their own cybersecurity solutions are also located there but tend to represent a small portion of total revenues of the sector. In 2016, the top 10 players such as Span, Apis IT, Asseco SEE, and IN2 accounted for 28 percent of all the revenues, which are growing at a CAGR of 8.87 percent. Another big sector is represented by companies operating under NACE 26.20 code - Manufacture of computers and peripheral equipment, where the top two players (M San Group and King ICT) captured 56 percent of the sector's revenues in 2016. Sector NACE 62.02 - Information technology consultancy activities (representative companies: Huawei technologies, Hewlett-Packard, Mrežne tehnologije Verso) has recorded the highest growth rate with revenue CAGR of 16.75 percent in the last three years.

Figure 9: Croatian IT Sector Revenues 2014–2016 (EUR)
[Bar chart by NACE code (J62.01, J62.02, J62.03, J62.09, J63.11, C26.20, G46.51, G47.41) for 2014, 2015, and 2016.]
Source: Bisnode Portfolio Intelligence database.

Assets of the Croatian IT sector mimic the growth rates of net profits. Given that financial liabilities remained steady, the increase in assets was mainly driven by retained earnings that increased funds for new investments. Implied dividend payout ratio stood at 20 percent in 2014 and 35 percent in 2015.

Figure 10: Croatian IT Sector Assets 2014–2016 (EUR)
[Bar chart by NACE code (J62.01, J62.02, J62.03, J62.09, J63.11, C26.20, G46.51, G47.41) for 2014, 2015, and 2016.]
Source: Bisnode Portfolio Intelligence database.
Except for NACE J62.01, which witnessed a slight increase in financial liabilities, most of the other sectors are deleveraging given the abundance of own funds to finance their operations. The aggregated leverage ratio (debt/equity) stood at 1.2 in 2016, representing a decrease from 1.36 in 2016.

Figure 11: Croatian IT Sector Financial Liabilities 2014–2016 (EUR)
[Bar chart by NACE code (J62.01, J62.02, J62.03, J62.09, J63.11, C26.20, G46.51, G47.41) for 2014, 2015, and 2016.]
Source: Bisnode Portfolio Intelligence database.

4.2.2. Employees

Most employees, over 11,000, work for companies in NACE J62.01, which is at the same time the subsector with the largest number of firms and has added new employees at a CAGR of 7.9 percent during 2014–2016. The fastest employment CAGR of 10.15 percent was recorded by NACE J62.09 - Other information technology service activities, represented by the companies iStyle, SedamIT, and Veracomp. Given that this analysis uses only companies that are not bankrupt, insolvent, or erased, employment figures may be upward biased.

Figure 12: Croatian IT Sector Employees 2014–2016
[Bar chart by NACE code (J62.01, J62.02, J62.03, J62.09, J63.11, C26.20, G46.51, G47.41) for 2014, 2015, and 2016.]
Source: Bisnode Portfolio Intelligence database.

The Croatian IT sector employed 19,646 people at the end of 2016, adding 3,310 new employees in the last three years. The largest share of the employees was in NACE J62.01 - Computer programming activities, which accounted for 56 percent of the total IT sector's employment in 2016.

Figure 13: Croatian IT Sector Employment Structure 2016
[Pie chart of employment shares by NACE code.]
Source: Bisnode Portfolio Intelligence database.

4.2.3. Cost Structure and Margins

Margins in the Croatian IT industry remained constant and averaged 6.5 percent in the last three years. The subsector NACE J62.01 witnessed the highest net margin, peaking at 10.8 percent in 2016. The lowest margins were recorded by the subsector NACE G47.41 - Retail sale of computers, peripheral units, and software in specialized stores, evidencing competitive pressures from online sales of IT products. Given that this analysis uses only companies that are not bankrupt, insolvent, or erased, net profit figures may be upward biased.

Figure 14: Net Profit Margins 2014–2016 per IT Industry Subsector
[Bar chart by NACE code (J62.01, J62.02, J62.03, J62.09, J63.11, C26.20, G46.51, G47.41) for 2014, 2015, and 2016.]
Source: Bisnode Portfolio Intelligence database.

The Croatian IT industry remained profitable despite competitive pressures and an unfavorable tax and business environment.

Figure 15: Croatian IT Sector Return on Assets and Return on Equity 2014–2016
[Bar chart by NACE code (J62.01, J62.02, J62.03, J62.09, J63.11, C26.20, G46.51, G47.41): return on assets and return on equity.]
Source: Bisnode Portfolio Intelligence database.

On average, the return on assets (ROA) recorded by the industry in the last three years stood at 9.1 percent while return on equity (ROE) averaged 20.8 percent. The most profitable subsector is NACE 62.01 - Computer programming activities, while NACE J62.09 - Other information technology service activities recorded the biggest decline. Given that this analysis uses only companies that are not bankrupt, insolvent, or erased, net profit figures may be upward biased.

4.3. Productivity and Innovation

4.3.1. Productivity

Data on productivity of Croatian IT firms can be approximated by analyzing the revenues per employee ratio.
In the last three years, overall productivity stagnated at around EUR 738,000 per employee. Compared to 2015, when it reached a record level of EUR 767,000 per employee, the productivity of labor in the Croatian IT sector even decreased in 2016. The major reason for such development is that demand for highly skilled employees is driving up staff costs, which on average account for 20 percent of total capital expenditure (CAPEX) in the Croatian IT industry. For example, average gross monthly salary increased by 5 percent to EUR 11,880 in 2016 compared to 2015 for companies operating in NACE J62.

Figure 16: Croatian IT Sector Productivity (Revenues per Employee) 2014–2016 (HRK)
[Bar chart by NACE code (J62.01, J62.02, J62.03, J62.09, J63.11, C26.20, G46.51, G47.41) for 2014, 2015, and 2016.]
Source: Bisnode Portfolio Intelligence database.

4.3.2. Innovation

According to the SCIMAGO analysis (2015), during 1996–2014, Croatian researchers published 5,449 citable documents in all scientific disciplines involving computer science, ranking Croatia 9th out of 22 other Eastern European countries, including large countries such as the Russian Federation (Republic of Croatia 2016). The quality of those articles, evaluated on number of citations and h-index, ranked Croatia 10th within the same group of comparable companies (Republic of Croatia 2016).

Croatia, with 3.2 European patent applications per million inhabitants, was only 41st out of the 48 ranked countries in 2016 according to the European Patent Office. The total number of patent applications increased from 30 in 2015 to 41 in 2016.

The main reason for the weak innovation performance of Croatian industry is “the lack of a systematic innovation policy, i.e. its inefficiency, and the complexity and fragmentation of the Croatian innovation system, which generally lacks better coordination and synergy of its various parts.
A very important factor for this weaker innovation performance is the complete lack of innovation culture and consistent pursuit of all parts of the innovation system to create new, commercially viable products and services as well as inadequate cooperation between academia/research institutions, industry and public sector” (Government of the Republic of Croatia 2017).

Because of this lack of coordination, support for investments in R&D, and focus on internal market, the industry lacks knowledge and capacity for those segments as well as know-how for R&D and export strategies. At the same time, policy makers failed to direct the existing available financing toward practical use of innovation, aimed at further commercialization, which is the crucial goal of every successful innovation (Government of the Republic of Croatia 2017).

Cybersecurity is regarded as an innovative subsector with substantial growth potential. However, the Croatian ICT and cybersecurity industries have considerable problems with investing in R&D activities. Figure 17 shows how much firms within the ICT industry have invested in R&D activities in four years. It is evident that investments are very low (0.28 percent) and have been falling from their peak in 2012.

Figure 17: Business Enterprise Expenditure on R&D (BERD) in the ICT Sector as Percentage of Total R&D Expenditure by NACE Rev.2 Activity
[Chart of yearly values for 2010 to 2014.]
Source: CIRAZ rendering of Eurostat data.

5. Cluster Figures: Market-Based Actors

When considering the cluster, it is important to look at all agents and actors operating in the sector. The sector consists of both market actors (firms) and supporting bodies and organizations (for example, universities and the government). Market-based agents are displayed to the left in Figure 18, while the support bodies are cross-cutting across these.
This chapter describes the market agents in the cluster, both the set of ‘core’ firms that are the focus of the STPA and a number of other private firms that may be necessary to help move the industry into more attractive segments. These market-based actors are depicted in typified form in Figure 18: Cluster Mapping and are described in more detail in this chapter.

Figure 18: Cluster Mapping: Cybersecurity Sector
Source: CIRAZ and World Bank.

5.1. Core Firms

5.1.1. Notable Firms

Table 5: Croatian Notable Core Cybersecurity Companies, 2016

| Company | Solution Type | Location | Revenues (EUR) | Net Profit (EUR) | Employees |
| --- | --- | --- | --- | --- | --- |
| Alfatec Group | System integrator | Zagreb | 4,040,511 | 1,067,243 | 27 |
| INsig2 | Education/training | Zagreb | 4,009,282 | 204,319 | 33 |
| Infigo IS | Information security consulting | Zagreb | 2,662,592 | 546,706 | 20 |
| Diverto | Information security consulting | Zagreb | 1,731,117 | 219,866 | 12 |
| Defense Code | Software development | Zagreb | 141,455 | 2,372 | 4 |

Source: FINA

INsig2, a company owned by IN2 Group, was established with two main objectives: to develop and implement sophisticated solutions of integrated security and provide expertise in the field of digital forensics. Today, the company is the market leader in the region for areas of integrated security and digital forensics, hosting educational workshops for clients such as Europol.

Infigo IS was founded in 2005. The company specializes in providing information security consulting services. It offers services in the fields of GDPR consulting, security assessment, data leakage prevention, security analytics, and fraud management. The company also acts as a system integrator for some leading international security solutions such as Qualys, Splunk, and Digital Guardian.

Defense Code was privately founded in 2010. The company provides a range of consulting and assessment services to help organizations measure their security posture and build a thorough and compliant security program.
Defense Code developed its own products designed to analyze and test web, desktop, and mobile applications for security vulnerabilities using Dynamic Application Security Testing (DAST, BlackBox Testing) and Static Application Security Testing (SAST, WhiteBox Testing) technologies. The company also offers services of penetration testing, zero-day vulnerability research, security audit, and source code security analysis.

Diverto was founded in 2007 and provides various IT security services such as penetration testing, vulnerability testing, social engineering, education, ISO 27001 implementation, and IT security consulting.

Alfatec Group was founded in 1990 and employs around 60 experts. The company is active in the field of information security and offers various cryptographic equipment and solutions, such as Thales e-Security, Verisoft, Qualys, Collis, Arcot, Acertigo, and so on.

Top Five Firms: Revenues

5.2. Peripheral Firms

5.2.1. Input Providers

Table 6: Croatian Input Providers for Cybersecurity Companies, 2016

| Company | Input Type | Location | Revenues (EUR, millions) | Net Profit (EUR, millions) | Employees |
| --- | --- | --- | --- | --- | --- |
| Hrvatski telekom | Telecommunications | Zagreb | 810.0 | 121.0 | 3,730 |
| Ericsson Nikola Tesla | Communications equipment | Zagreb | 209.1 | 11.9 | 2,030 |
| King ICT | Hardware | Zagreb | 82.8 | 2.3 | 262 |
| Huawei technologies | Hardware | Zagreb | 37.1 | 0.5 | 18 |
| Microsoft Croatia | Software | Zagreb | 13.1 | 1.1 | 60 |

Source: FINA.

5.2.2. Buyers

Table 7: Croatian Buyers of Cybersecurity Products, 2016 (EUR, millions unless otherwise specified)

| Company | Industry | Location | Revenues | Net Profit | Employees |
| --- | --- | --- | --- | --- | --- |
| Croatian government | Public sector | Zagreb | 2017 Budget - 15.9 billion | | 231,224 |
| Hrvatski telekom | Telecommunications | Zagreb | 810.0 | 121.0 | 3,730 |
| Zagrebačka banka | Banking | Zagreb | 622.3 | 227.9 | 4,017 |
| Privredna banka | Banking | Zagreb | 604.3 | 214.0 | 2,855 |
| Vipnet | Telecommunications | Zagreb | 409.6 | 6.3 | 1,248 |

Source: FINA.

5.3. FDI in the STPA

World Bank analysis showed that only a minor part of FDIs in Croatia are investments in sectors based on knowledge and R&D. FDIs in Croatia were primarily attracted by sectors such as trade and financial sectors that do not necessarily promote knowledge transfer (World Bank Group 2006). According to the Croatian National Bank, the overall FDI in NACE J63 (information service activities) from 1993 up to February 2017 amounted to EUR 92.3 million (net incurrence of liabilities) with 2016 being a record year with EUR 47.8 million of investments (Hrvatska narodna banka 2017).

6. Cluster Agents: Cross-Cutting Support Bodies

Beyond the set of firms that are the focus of this study, a number of other public or nonmarket agents help in supporting the industry. This chapter describes those actors and their impact on the performance of the cluster.

6.1. Professional Associations and Cluster Organizations

6.1.1. Cluster Organizations

A number of privately led cluster organizations have also been established to represent the business interests of different firms. Growth in the number of clusters in 2012/2013 is partially attributable to the potential access to EU structural funds. Across the country, there are quite a few registered organizations; some of the notable ones are as follows:

Table 8: Croatian ICT Clusters

| Cluster Type | Name of the Cluster | Founded | City/County | No. of Members |
| --- | --- | --- | --- | --- |
| Competitiveness Cluster | AIK ICT Industry Competitiveness Cluster | 2013 | Zagreb | 54 |
| Business Cluster | MIT Cluster Čakovec | 2007 | Čakovec | 10 |
| Business Cluster | Jadranski ICT klaster | 2015 | Split | 16 |

Source: CIRAZ and World Bank.
Note: AIK = Agencija za investicije i konkurentnost (Agency for Investments and Competitiveness); MIT = Međimurje IT.

AIK ICT Industry Competitiveness Cluster. It is one of the 13 clusters established by AIK in 2013 to access grants and to provide a platform for cooperation in the sector.
Goals and activities include networking of the public and private sectors and the scientific and research institutions of the ICT industry; strengthening of competitiveness and creation of new value added at the ICT industry level; effective use of available sources of funding and obtaining nonrefundable funds from budget funds, EU funds, the Community Program, and other available sources of financing; targeted attraction of domestic and foreign investments in the ICT industry; lobbying at the national and EU levels for human resources development and training of skilled workforce in ICT; sectoral networking and internationalization of the ICT industry; and branding and promotion of the ICT industry (HKKICT 2017). Currently, the Croatian Competitiveness Cluster of the ICT industry consists of 34 private sector entities, 6 support institutions, and 14 scientific and research institutions.

MIT Cluster. It brings together 10 companies that are engaged in the field of ICT in Međimurje and Međimurje University for Applied Science. The cluster members export 50 percent of their products and services. Cluster activities include development, promotion, and coordination of professional and social activities of its members; organization and coordination of joint promotion and appearances on the market; organization of the exchange of experiences and knowledge in execution of projects in the field of ICT; joint design and development of new ICT products and solutions; collaboration with IT organizations and associations; development of programs for international collaboration; collaboration with other similar associations in the country and abroad and all other organizations, institutions, legal entities, and individuals that support the work of the cluster; and organization of seminars and lectures for members of the cluster to exchange experiences and information (MIT Cluster Čakovec 2017).

Jadranski ICT klaster.
The cluster was founded by Entrepreneurial Accelerator Split d.o.o., which acts as a cluster coordinator. The mission of the cluster is to create a group of suppliers and producers within the ICT sector with the aim of fostering innovation activities, which is achieved through joint use of equipped facilities; exchange of knowledge and expertise; and an effective contribution to knowledge transfer, networking, dissemination of information, and collaboration between entrepreneurs and other cluster organizations (Jadranski ICT klaster 2017).

AIK Defense Industry Competitiveness Cluster. It is one of the 13 clusters established by AIK in 2013 to access grants and to provide a platform for cooperation in the sector. “The main goal of the Croatian Defense Industry Competitiveness Cluster is contributing to growth of the Croatian Economy through targeted investments into research and development with the primary goal of producing new products and technologies (especially ones in defense “dual-use” field, cybersecurity and mine action program).” The other role of the cluster is “to advocate a unified position towards the relevant state institutions and policy-makers on scientific research, technological development and modernization related issues concerning the defense of the security industry of Croatia concerning its actual capacity and interests of stakeholders of the domestic industry.”³ Currently, the Croatian Competitiveness Cluster of the Defense Industry consists of 39 private sector entities, 2 support institutions, and 10 scientific and research institutions.

6.1.2. Professional Associations

Beyond the clusters that represent the interests of firms, a number of associations exist to represent professions and individuals in those professions. These cross-cutting professional associations are primarily interested in networking and lobbying. In some industry and country contexts, professional associations can also act as certification bodies for the competency/technical skill of individuals. The most relevant professional associations include the following:
• Croatian Employers’ Association. It was established in 1993 as a voluntary, nonprofit, and independent employers’ association that represents, promotes, and advocates for the interests of its members. Founded on the principles of voluntary membership and democracy in representation of all their members’ interest, the association promotes the ideas of entrepreneurial spirit, rights, and freedom.
• Association of Information and Communication Activities is a voluntary and independent association of employers that protects and promotes the rights and interests of its members, particularly in the field of business environment, relations with public authorities, trade unions, legislative framework, collective bargaining and the conclusion of collective agreements, labor disputes, and other important issues for the employers’ economic and social development.
• Croatian Independent Software Exporters (CISEx). CISEx is an association whose main activity is breaking through the obstacles between Croatian software development companies and clients looking for high-quality software products and solutions. The association was founded in January 2011. It gathers Croatian software companies oriented toward the global market. As an association, CISEx developed a set of collaboration tools aimed at bringing its members and clients closer together.
• Croatian Business Angels Network (CRANE). CRANE is a nonprofit association that brings together private investors who are interested in investing in innovative companies in the early stages of development. CRANE is an umbrella organization of business angels in Croatia and one of the most successful organizations of this kind in Europe. The association was launched in 2008 as a joint initiative of the partner institutions: AIK, Moves Ventures, Croatia, Private Equity and Venture Capital Association, Association for the Promotion of Software and Online Entrepreneurship “Initium”, and some of Croatia’s most prominent business angels.

³ Croatian Defense Industry Competitiveness Cluster https://hkkoi.hr/index.php/o-nama/.

6.2. Academic, Vocational, and Research Bodies

The knowledge and skills ecosystem surrounding the cluster is also important to consider. Typically, knowledge and skills can be found in the system of universities and faculties, in vocational schools, and in independent research bodies. The relevant actors and their contributions are detailed in this section.

6.2.1. Universities and Faculties

The university system is especially involved in the innovation of the sector and the supply of skilled labor, including through some key facilities:
• Faculty of Electrical Engineering and Computing Zagreb (FER). FER is Croatia’s leading academic and research institution in the field of electrical engineering, computing, and ICT integrated into European higher education and research area. FER operates 21 independent laboratories and employs 170 professors and 230 teaching and research assistants. The faculty has developed respectable international cooperation with many institutions around the world.
• Faculty of Electrical Engineering, Mechanical Engineering, and Naval Architecture Split. The basic activities of this faculty involve teaching, research, development, professional work, and innovation in the areas of technical sciences, including electrical engineering, electronics, mechanical engineering, naval architecture, computer science, industrial engineering, and natural sciences.
• Faculty of Organization and Informatics Varaždin.
It is one of the constituent units of the University of Zagreb located in the northern part of Croatia, in the City of Varaždin. Established in 1962, the faculty has been providing education to future experts in the field of information sciences and technologies, economics, organization, communication, and other related fields.
• Faculty of Electrical Engineering, Computer Science, and Information Technology Osijek. It is a faculty within the University of Josip Juraj Strossmayer in Osijek, Croatia. The faculty provides higher education in the field of electrical engineering, computer science, and information technology.

6.2.2. Vocational Schools

Technical University of Applied Sciences (TVZ). TVZ in Zagreb is a polytechnic education institution that provides training in various fields. TVZ educates engineers and specialists in the fields of electrical engineering, civil engineering, computer science, computer engineering, mechanical engineering, mechatronics, and prosthetics. TVZ employs about 150 professors and assistants and more than 100 outside lecturers from other higher education institutions.

Algebra. It is one of the leading regional information technology education providers. With 45 fully equipped classrooms, the school is present in over 20 cities in Croatia, and with mobile and online classrooms, it can cover every corner of the region. Algebra offers more than 300 seminars and 40 educational programs and annually trains more than 18,000 students.

6.2.3. Research Bodies

The Ruđer Bošković Institute. It is regarded as Croatia’s leading scientific institute in the natural and biomedical sciences as well as marine and environmental research, owing to its size, scientific productivity, international reputation in research, and the quality of its scientific personnel and research facilities.
The institute is the leading and internationally most competitive Croatian institute by virtue of its participation in international research projects, such as the IAEA and EC FP5-7 programs funded by the European Commission, NATO, National Cybersecurity Framework (NSF), SNSF, DAAD, and other international scientific foundations.

Končar Electrical Engineering Institute. Based on years of research in transformers, rotating machines, switching devices, wind turbines, and rail vehicles, the institute offers its own solutions of control and monitoring of electric power equipment and systems, renewable sources, and railway equipment and systems. Qualified and accredited laboratories of the institute offer services of testing electrical equipment and mechanical components, as well as diagnostic tests on site.

6.3. Public Sector

The public sector has several essential roles, namely, to monitor, to intervene, and to regulate. While monitoring functions for the economy are largely delegated to the Croatian Bureau of Statistics and several other ministerial departments, the more pertinent functions relate to the ministerial agencies that intervene and regulate the sector. An institutional mapping of the pertinent sectoral support and regulatory bodies and functions is provided in this section.

6.3.1. Sector Support, Policy, and Intervention

Ministry of the Interior. The ministry is in charge of policing and criminal police activities that involve protection of life and personal security of people and property and the prevention and detection of crime.
• Department for High-Tech Crime: It systematically analyzes, monitors, and studies the phenomenological and etiologic aspects of criminal acts of cybercrime and proposes solutions aimed at raising the level of cybercrime fighting; carries out complex criminal investigations in the area of criminal offences committed to the detriment of, and use of, computer systems and networks; performs forensic analysis and surveillance of the Internet; participates in the planning and construction of training programs for police officers who deal with cybercrimes; and participates in the drafting of normative acts, reports, and other expert materials from the area of cybercrime prevention.
• Centre for Forensics ‘Ivan Vučetić’: The center is an organizational unit of the Police Directorate of the Ministry of the Interior, with the core assignment of converting a trace from a criminal offence scene into legitimate material evidence. During more than six decades of its existence, the center evolved into a unique forensic institution in Croatia that directly participates in helping detect origins of almost all criminal acts and finding their perpetrators in the territory of Croatia.

MOD. It is the Croatian government department responsible for implementing the defense policy set by the Croatian government and is the headquarters of the Croatian Armed Forces. The MOD has been charged with coordinating and supervising all agencies and functions of the government concerned directly with national security and Croatian Armed Forces. With around 15,000 active soldiers, the MOD is one of the biggest procurers of uniforms, weapons, and military equipment in Croatia.

The Central State Office for Development of the Digital Society. It is the central state body with the task of monitoring and improving the development of the digital society and conforming to the guidelines, directives, and regulations of the EU in the area of digital society and the economy.

HGK.
It is an independent professional and business organization for all legal entities engaging in business within Croatia. HGK was established in 1852 and organized as an institution that represents Croatian economic interests. Membership is compulsory for all firms. The chamber founded CIRAZ with the purpose of stimulating economic development through the process of making precise relations between the economy and science, using innovations and R&D.

AIK. It is an agency of the Croatian government whose main task is to promote Croatia as a desirable investment destination. Providing necessary help and assistance to foreign and domestic investors, facilitating the implementation of investments, and enabling these projects to achieve their maximum business potential are primary objectives of AIK.

Development Agency Zagreb (DAZ). It is a company owned by the City of Zagreb, founded with the objective to stimulate and promote entrepreneurship, provide entrepreneurial education, and support private business initiatives, especially in the areas of development and high technologies. DAZ provides comprehensive support to SMEs and would-be entrepreneurs and helps them in development and implementation of projects funded by the EU and national funding opportunities, with an aim to improve and strengthen entrepreneurial environment and opportunities.

6.3.2. National Cybersecurity Framework

Beyond the agencies and ministries that play an active role in engaging the sector, a number of different government bodies engage in the NSF, which regulates the sector and can enhance its competitiveness by ensuring conformity to standards. The system of the NSF necessarily relies on interlinked private and public actors that conduct inspections, provide monitoring of different parts of Croatian cyberspace, and coordinate public and private actors. The Croatian NSF is defined by the National Cybersecurity Strategy.
The strategy seeks to achieve a balanced and coordinated response of a series of institutions that represent all sectors of society to the security threats in the modern cybernetic space. A conceptual depiction of how these actors interact within the NSF is given in Figure 19, although many of them operate at different parts of the value chain.

Figure 19: NSF
Source: World Bank team, adapted from Aleksandar Klaić.

NVKS. National Cybersecurity Council. It systematically monitors and coordinates the implementation of the National Cybersecurity Strategy and discusses all issues relevant to cybersecurity; proposes measures to improve the implementation of the strategy and Action plan for the implementation of the strategy; proposes the organization of national exercises in the area of cybersecurity; issues recommendations, opinions, reports, and guidelines related to the implementation of the strategy and Action plan; and proposes amendments to the strategy and Action plan.

Information Systems Security Bureau (ZSIS). It is the central state authority responsible for technical areas of information security of Croatia’s state bodies, which includes standards of information security, security accreditation of information security, managing of crypto material used in the exchange of classified information, and coordination of prevention and response to computer threats to information system security.

National Computer Emergency Response Team (CERT). It promotes and preserves information security of the public information systems in Croatia. National CERT was established in accordance with the Information Security Act and its main task is processing of incidents on the Internet and preservation of the information security in Croatia. It has the right from its jurisdiction to issue instructions, guidelines, recommendations, advice, and opinions.

Croatian Personal Data Protection Agency. The agency is a legal entity with public authorities.
It carries out administrative and professional tasks regarding personal data protection. In the framework of public tasks, the agency supervises implementation of personal data protection, indicates the violations noticed during personal data collecting, compiles a list of countries and international organizations that have adequately regulated personal data protection, resolves requests to determine possible violations of rights guaranteed by the Croatian Data Protection Act, and maintains the Central Register.

Croatian National Bank. It is the central bank of Croatia and is part of the European System of Central Banks. Its primary objective is maintaining price stability and the stability of the financial system as a whole. The Croatian National Bank executes monetary policy; manages international reserves of Croatia; issues the Croatian currency, the kuna; issues authorizations of credit institutions, credit unions, payment institutions, and electronic money institutions; and supervises their operation. The function of supervision and oversight of credit institutions and credit unions is organized within the Prudential Regulation and Supervision Area.

Croatian Standards Institute. It is an autonomous nonprofit public institution established as the national standards body of Croatia with a view to accomplishing the following goals of standardization: increasing the safety level of products and processes; protecting human health and lives and environmental protection; promoting the quality of products, processes and services; ensuring the appropriate use of work, materials, and energy; improving production efficiency; controlling variety; ensuring compatibility and interchangeability; and removing technical barriers to international trade.

6.3.2.1.
Standard Setting Bodies and Accreditation Agencies

The bodies that set standards and policy for the STPA include the following:

• ZSIS
• Croatian National Bank
• Croatian Accreditation Agency
• Croatian Standards Institute

6.3.2.2. Inspection Bodies

The bodies that set standards and policy for the STPA include the following:

• ZSIS
• Croatian Personal Data Protection Agency
• Croatian National Bank

6.3.2.3. Public and Private Certification and Accreditation Infrastructure

Public and private actors also compete for the provision of some certification and accreditation services; however, there are some notable exceptions where public infrastructure use is mandated to complete the inspection requirement.

Beyond the public institutions involved in the national cybersecurity infrastructure, a number of accredited private entities are involved in certification and the provision of testing services (Croatian Accreditation Agency 2016).

• Accredited certification bodies: Bureau Veritas and SGS Adriatica offer ISO 27001 certification for management information systems security. ISACA, which also operates in Croatia, is an independent, nonprofit, global association engaged in development, adoption, and use of globally accepted standards and best practices for information systems security. ISACA conducts Certified Information Systems Auditor (CISA) certification, one of the leading certificates for information security professionals.
• Croatian Accreditation Agency is an independent and nonprofit public institution that acts as the national accreditation service in Croatia. The agency was established to support implementation of the technical regulations harmonized with acquis communautaire of the EU. Accreditation is a voluntary decision of domestic conformity assessment and management of conformity assessment bodies.

Together, these actors form the necessary support structure that enables the sector to reach foreign markets.
However, often these systems are inefficient, pose too much regulatory burden (or do not smartly apply it), or do not define standards⁴ in a way that adequately overcomes the market failures that they aim to resolve.

⁴ Standards can be differentiated between public standards and private sector standards codified by industry. Public standards are required for participation in a market and usually intended to achieve some public good (for example, safety), whereas private sector standards are individually imposed by a buyer or by a firm itself. Such private standards often play a role in certifying different grades of product that help the industry reduce imperfect market information and improve coordination along the value chain. For firms, applying such standards helps meet international buyer specifications, improve quality, and achieve higher margins.

7. Assessment on Cluster Interactions

7.1. Relationship of Cluster Agents

In preparing this report, a team consisting of World Bank and CIRAZ staff interviewed 24 private and 9 public sector (government agencies, universities, cluster organizations) agents from the Croatian cybersecurity sector. Most of the agents expressed willingness for closer cooperation and information sharing (access to foreign markets, intellectual property [IP] protection, joint products development, and so on). The AIK ICT cluster seems to be passive in its efforts to serve the needs of the cluster’s agents. Some other initiatives such as CISEx are perceived to be a better platform for information exchange, although there is still a vocalized need for improved collaboration between business entities and the scientific community to boost the climate of innovation.

7.2. Takeaway for the Change Management Process

Based on the field interviews, the Croatian Cybersecurity STPA has the following characteristics:

• Companies dealing with cybersecurity are scarce and only a few have significant R&D activities.
• Most companies in this STPA act as system integrators that sell and integrate solutions made by big international companies such as Cisco, Symantec, IBM, and so on.
• Value chain links within Croatia are shallow; successful export-oriented firms in this STPA tend to source their inputs from outside the country (hardware and software).
• Many firms rely on sales to the public sector and are dependent on competitive bidding processes.
• Successful firms in the STPA have staked a reputation on quality, which commands a premium in a sector focused on safety and security. Such firms are less likely to complain about the bidding process but stress the importance of finding a reliable and well-connected local partner when venturing overseas.
• There is considerable technical capacity and know-how among Croatian firms that dates back to one or more of the following factors: (a) a relatively long history of industrialization and high levels of education in Croatia, (b) the need to build a defense industry from the ground up due to the 1991–1994 Homeland War, and (c) good technical universities.
• Cooperation between the companies is almost nonexistent, and it is not clear whether Croatian companies are exploiting, to their full advantage, available and potentially useful resources such as the local AIK cluster.
• Competition in the domestic market is fairly high with both domestic and foreign companies.
• The cybersecurity industry is represented by various players such as software producers, IT consultants, and various service providers. Research and academic institutions also play an important role in the cluster’s functioning. These institutions provide valuable services and inputs into the value chain that enable it to achieve market viability.
• Despite the good supplier network and good quality of scientific institutions, intra-cluster collaboration is weak and there is negligible collaboration between academia and businesses in R&D.

Bibliography

AIK. 2013.
Competitiveness Clusters. Croatia. Retrieved from www.aik-invest.hr/en/competitiveness/competitiveness-clusters/.
Business Insider. 2016. Business Insider. Retrieved from http://www.businessinsider.com/cybersecurity-report-threats-and-opportunities-2016-3.
Croatian Accreditation Agency. 2016. Registry of Accredited Bodies. Retrieved from http://www.akreditacija.hr/registry.
Croatian ICT Industry Competitiveness Cluster. 2017. Statut Hrvatskog klastera konkurentnosti ICT industrije. Retrieved from http://www.aik-invest.hr/wp-content/uploads/2013/12/statut-11.pdf.
Čutura, S., and G. Selak. 2017. The ICT Sector in Croatia. Zagreb: Belgium Embassy.
European Commission. 2013. Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace. Brussels: European Commission.
Eurostat. 2013. Eurostat. Retrieved March 17, 2017, from http://ec.europa.eu/eurostat/statistics-explained/images/6/63/Distribution_of_tertiary_education_graduates_by_field%2C_2013_%28%25%29_ET15.png.
Eurostat. 2013. Eurostat. Retrieved March 17, 2017, from http://ec.europa.eu/eurostat/statistics-explained/images/e/ed/Number_of_tertiary_education_graduates%2C_2013_%28thousands%29_ET15.png.
Government of the Republic of Croatia. 2015. National Cybersecurity Strategy. Zagreb: Government of the Republic of Croatia.
———. 2017. Strategy for Innovation Encouragement of Croatia 2014–2020. Retrieved from Official Gazette: https://narodne-novine.nn.hr/clanci/sluzbeni/dodatni/434155.pdf.
Hrvatska narodna banka. 2017. Inozemna izravna ulaganja. Retrieved from HNB: https://www.hnb.hr/statistika/statisticki-podaci/sektor-inozemstva/inozemna-izravna-ulaganja.
Jadranski ICT klaster. 2017. Retrieved from Jadranski ICT klaster: http://www.ictcluster.eu/pages/view/o-nas.
Juras, I. 2016. Croatia IT Services Market 2016–2020 Forecast and 2015 Vendor Shares. IDC Adriatics.
Ministry of Public Administration. 2016. Registry of Civil Society Associations.
Retrieved from http://www.registri.uprava.hr/#!udruge.
MIT (Međimurje IT) Cluster Čakovec. 2017. Retrieved from MIT Cluster Čakovec: http://mit-cluster.hr/.
Pendse, G. 2017. Cybersecurity: Industry Report & Investment Case. Nasdaq Global Information Services.
Porter, M. E. 1979. How Competitive Forces Shape Strategy. Harvard Business Review.
———. 1980. Competitive Strategy. New York: Free Press.
———. 1985. The Competitive Advantage: Creating and Sustaining Superior Performance. New York: Free Press.
———. 1990. The Competitive Advantage of Nations. New York: Free Press.
Rana, A. 2016. Cybersecurity Industry Report. Bloomberg Intelligence & IDC.
Republic of Croatia. 2016. Croatian Smart Specialization Strategy 2016–2020. Zagreb: Government of the Republic of Croatia.
State Intellectual Property Office. 2016. Online Database Search. Retrieved from http://www.dziv.hr/en/e-services/on-line-database-search/.
World Bank Group. 2006. Croatia's EU Convergence Report: Reading and Sustaining Higher Rates of Economic Growth. Washington, DC: The World Bank Group.
United Nations. 2013. UN Department of Economic & Social Affairs. Retrieved March 17, 2017, from https://esa.un.org/miggmgprofiles/indicators/files/Croatia.pdf.
Žitnik, B. 2015. Hrvatska IT industrija 1995–2015–2025. Open Info Trend.