Croatia has some of the most advanced cybersecurity laws in the world — at least on paper. In practice, citizens and small businesses are left to fend for themselves. It is precisely from this gap that Carbophile Group was born — a young association whose role model is the American Electronic Frontier Foundation, and whose ambition is clear: to push for institutional change, build international partnerships, and bring Croatian cybersecurity up to world standards. We’re glad they’ve found their place in the Split Tech City community.

Tell us briefly about your association. Who are you and how did it all start?

We are Carbophile Group, an association with the goal of advancing cybersecurity in Croatia to world standards. Our motivation is twofold: weak national infrastructure for cybersecurity, and a lack of independent civic communities that could drive change.

Our main role model is the American Electronic Frontier Foundation. Although we have associations like the Centre for a Safer Internet that will advise people to use stronger passwords, we didn’t have anyone pushing for institutional change or international partnerships.

Our name comes from the chemical term for a substance with an affinity for carbon. Carbon is by far our favourite element: it is the hardest natural material in the form of diamond, one of the few non-metal electrical conductors, and the foundation of life on Earth. Like carbon, we aim to be the “most” and the first in our industry.

How would you describe the current state of cybersecurity in Croatia?

I’d say we’re currently something of a “paper tiger”.

In terms of laws and regulations, we’re among the first in the world. Croatia is one of the first countries to transpose the European NIS 2 directive into national law — and it is, without doubt, one of the most advanced of its kind.

Unfortunately, in practice these things aren’t enforced. We have bodies like the national CERT, but citizens and small businesses are left to fight for themselves. The state acts reactively when it’s already too late, instead of proactively preventing incidents.

Which projects or partnerships are you most proud of?

We’re still relatively new, so we don’t have a large catalogue of completed projects, and many ongoing ones I can’t disclose yet. We’ve established partnerships with various industry companies, including Yubico, but that (at least for now) mostly revolves around our internal structure rather than external impact.

A very exciting project we’re working on, however, is connecting Croatia with the international CVE system, which is used to exchange information about software vulnerabilities. We’re currently in talks with ENISA, the European Union Agency for Cybersecurity, to potentially become a regional CVE Numbering Authority.

What technologies and tools do you use in your work?

Unfortunately, there’s nothing as exciting as in the movies. We mostly use standard office tools — email, word processors, presentation software, and the like.

A large part of cybersecurity is, after all, pure bureaucracy.

Do you work from an office or remotely?

We operate in a distributed way, almost exclusively online. We have members outside our county and obviously can’t exclude them from the work. We do of course meet in person as colleagues and friends, but the work itself happens online.

How big is the team, and are you planning to hire or take on volunteers?

There are five of us at the moment, and for now we don’t have a need to grow. Naturally, as we start taking on longer-term projects, we’ll have to adapt to a larger workload.

As for volunteers, we’re significantly limited in what we can engage them with. Due to the sensitive nature of the work, we’re almost forced to rely exclusively on permanent members for any serious tasks. That said, there will always be room for volunteers in “soft” roles such as PR and event organisation.

Do you consider cybersecurity a human right?

You won’t find cybersecurity in the Universal Declaration of Human Rights, of course, but I believe it is a natural extension of the right to privacy. In today’s world, where all our data lives on our devices, protecting that data also means protecting our privacy.

Someone once told me that physical safety is also a human right, but that the state isn’t obliged to hand out locks for our doors. The problem with that analogy is that a lock only protects one house. In the digital world, where everything can be easily copied, every change affects the community as a whole.

Cybersecurity is more comparable to the police and the legal system than to individual locks.

Why did you decide to join the Split Tech City community?

People are the foundation of our mission. Everything we do, we do for people; our work only has value if people apply it, and without people we have no voice on the international stage. Split Tech City allows us to connect with the very community we serve.

Is there anything else you’d like to share with our community?

If you have ideas, suggestions, wishes, complaints, or anything else — feel free to get in touch. As a member of the public, you are our stakeholder, and we answer directly to you.