Regulatory Services


In today’s rapidly evolving business environment, navigating regulatory requirements and compliance obligations has become increasingly complex and vital. Organisations are challenged by constant updates in laws and regulations, spanning critical areas such as data protection, cybersecurity and whistleblowing. The growing digital landscape further heightens the need for robust systems to protect data and ensure ethical business practices. Implementing effective compliance measures not only fulfils legal obligations but enriches organisational trust, sustainability, and operational resilience.

Our services

Regulatory data and cybersecurity services

In an increasingly digital world, safeguarding personal data is more critical than ever. At PwC, we are dedicated to helping organisations navigate the complexities of data protection and privacy laws with confidence. Our team of experts is committed to empowering organisations with robust strategies and solutions tailored to their specific needs, ensuring compliance with the GDPR and related regulations (e.g. the AI Act, DORA and NIS2) in a client-centric, creative and commercially focused manner.

With data breaches and privacy concerns on the rise, ensuring the security and integrity of your data assets is not just a regulatory obligation, but a crucial component of maintaining trust with your stakeholders. We understand the challenges you face and are here to provide comprehensive advisory services.

Explore our data protection and cyber services and discover how we can help you achieve compliance while maximising business value and trust.

Data Protection Regulatory Services

1. GDPR Compliance and Advisory Services:

  • Assisting organisations in understanding and complying with the General Data Protection Regulation (GDPR)
  • Conducting GDPR readiness assessments to identify gaps and areas for improvement

2. Data Protection Strategy and Governance:

  • Developing and implementing data protection strategies and governance frameworks
  • Drafting and reviewing data protection policies, transparency notices and other documentation
  • Designing frameworks to effectively monitor ongoing compliance
  • Establishing data protection roles and responsibilities within the organisation

3. Data Protection Impact Assessments (DPIAs):

  • Conducting DPIAs to evaluate and mitigate privacy risks associated with data processing activities
  • Assisting with the development of protocols for regular DPIA reviews and updates

4. Data Breach Management:

  • Assisting with the development and implementation of data breach response plans
  • Providing support and guidance during data breach incidents, including notifications to supervisory authorities and affected data subjects

5. Data Subject Rights Management:

  • Advising on the management and response to data subject access requests (DSARs)
  • Providing guidance on processes concerning requests for data rectification, erasure, and portability

6. Training and Awareness:

  • Conducting training sessions and workshops to raise employee awareness of data protection responsibilities
  • Developing customised training programmes tailored to organisational needs and compliance requirements

7. International Data Transfers:

  • Providing guidance on managing international data transfers while ensuring compliance with data protection regulations
  • Assisting with the implementation of Standard Contractual Clauses and Binding Corporate Rules

8. Data Protection Authority:

  • Assisting organisations in engagements with data protection authorities
  • Assisting with regulatory inquiries and investigations

9. Data Security:

  • Advising on the implementation of technical and organisational measures to ensure data security
  • Supporting the adoption of data protection technologies and tools

10. Third-Party Risk Management:

  • Evaluating and managing risks associated with third-party vendors and service providers
  • Performing comprehensive data protection audits to ensure compliance with applicable laws and regulations

11. Data Protection Officers (DPOs):

  • Providing guidance on the roles and responsibilities of DPOs in ensuring compliance
  • Providing the service of an external DPO

Cybersecurity Regulatory Services

1. Compliance Assessment and Strategy Development:

  • Conducting assessments to determine an organisation’s compliance status with the NIS2 Directive
  • Assisting with providing the required information to public authorities
  • Developing strategies and action plans to achieve and maintain compliance

2. Risk Management and Security Policies:

  • Assisting with developing and implementing risk management practices and security policies aligned with NIS2 requirements
  • Advising on the establishment of incident response and business continuity plans

3. Incident Reporting and Management:

  • Assisting with the establishment of incident reporting protocols and procedures
  • Assisting with managing cybersecurity incidents and fulfilling reporting obligations to national authorities

4. Training and Awareness Programs:

  • Providing training programmes to enhance employee awareness of cybersecurity threats and compliance responsibilities, tailored to your organisation’s specifics

Anti-money laundering

PwC is a market leader in assessing system vulnerabilities regarding Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) risks, evaluating compliance programs, and assisting in the enhancement of existing systems and controls. We have developed a comprehensive approach to risk reduction, risk management improvement, and operational solution implementation. We collaborate with you to ensure that compliance controls in the areas of anti-money laundering, counter-terrorist financing, and restrictive measures are effectively implemented and sufficient for quality risk management and regulatory requirements.

How can we assist you?

Our team of experts can help you develop an effective and efficient anti-money laundering and counter-terrorist financing system that will monitor the risks your organisation faces and align with regulatory expectations and developments in the fields of anti-money laundering, counter-terrorist financing, and restrictive measures.

Our AML experts work closely with you to understand your business and assist in creating your own control systems in the areas of anti-money laundering, counter-terrorist financing, and restrictive measures, ensuring effective risk management and regulatory compliance.  

Our team of experts can assist you in the process of data collection and identification of the ultimate beneficial owner, submission of applications, updating data in the Register of Ultimate Beneficial Owners, and preparing requests for restricting access to data on the ultimate beneficial owner.

We can help you implement:

1. Alignment of internal regulations to reduce the risk of non-compliance

  • Ensuring compliance with regulations and guidelines from competent authorities
  • Developing programmes and internal policies for anti-money laundering and counter-terrorist financing based on risk assessments
  • Verifying the adequacy of the existing anti-money laundering and counter-terrorist financing system
  • Assessing the efficiency of the existing system

2. Compliance with regulatory requirements

  • We understand the expectations placed on you regarding the development and implementation of action plans to address identified measures by regulators. Our experts can help you determine appropriate solutions.

3. Training

  • Sector-specific training for obligated entities
  • Employee training for those involved in the anti-money laundering and counter-terrorist financing programme
  • Annual anti-money laundering and counter-terrorist financing training (PwC's Academy AML seminars)
  • Specialised workshops
  • Customised workshops for company management, internal auditors, and authorised persons for anti-money laundering and counter-terrorist financing
  • E-learning
  • Custom training tailored to your specific needs

4. Risk Exposure Assessment

  • We can help you develop a framework for assessing the risk of money laundering, counter-terrorist financing, and restrictive measures to ensure you can identify the level of inherent risk to which you are exposed, as well as perform vulnerability analysis and assess the residual level of risk.

5. Registration and updating of data in the Register of Ultimate Beneficial Owners

  • Determining the ownership structure and submitting applications for registration in the Register of Ultimate Beneficial Owners
  • Providing assistance with the process of updating data in the Register of Ultimate Beneficial Owners

Find out more on Register of beneficial owners

Register of beneficial owners

With the adoption of the new Anti-Money Laundering and Terrorist Financing Act (OG No. 108/2017, 39/2019, 151/2022), the European regulations for anti-money laundering and terrorist financing (the 4th and 5th AML Directives) have been implemented in national legislation. The Act introduces an obligation to establish a Register of Beneficial Owners.

The Ordinance on the Register of Beneficial Owners (OG No. 53/2019) was published on 24 May 2019 and prescribes the procedure and deadlines for submitting data on beneficial owners to be included in the Register of Beneficial Owners. The Financial Agency (FINA) maintains the Register.

Which entities need to provide data for the Register of beneficial owners?

The registration obligation applies to companies, branches of foreign companies, associations, foundations and institutions where the Republic of Croatia or a local or regional self-government unit is not the sole founder.

Institutions where the Republic of Croatia or a local or regional self-government unit is the sole founder are not required to register data on the beneficial owner.

Companies listed on stock exchanges are not required to provide data on beneficial owners for the Register. Such companies are only required to provide information on which stock exchange they are listed, the date on which they were listed, and whether their shares are issued to bearers.

Data on the persons authorised to represent associations, who will be considered as the beneficial owners of the associations, will be retrieved from the PIN system. Changes and updates of the provided data will be made by the persons authorised to represent the association.

Which data are being reported? 

Data on beneficial owners must be accurate, up-to-date, and adequate. The following data must be reported: name and surname, country of residence, date of birth, citizenship(s), identification number or data on the type, number, issuer, country and the validity date of the identification document, data on the nature and extent of the beneficial ownership.

What are the deadlines for entering the data into the Register of beneficial owners?

Every legal entity is required to enter information about its beneficial owner in the Register of Beneficial Owners within 30 days from the date of establishment.

A legal entity or trustee must update the data within 30 days following any change to the previously entered data in the Register.

Who has access to the information?

Most of the data on beneficial owners are publicly available, except for the identification number and details on the type, number, issuer, country and validity date of the identification document, which are available only to competent state authorities.

Access to data or part of data on the beneficial owner of a legal entity is restricted if the access to such data would expose the beneficial owner to a disproportionate risk, such as the risk of fraud, kidnapping, blackmail, extortion, abuse, violence, intimidation or if the beneficial owner is a minor or has been deprived of their business capacity.

In these cases, a legal entity or a public body may submit a clarified and substantiated request to restrict access to the data on the beneficial owner.

What are the prescribed penalties?

A legal entity that fails to submit relevant, accurate and up-to-date data on its beneficial owner to the Register of Beneficial Owners, in the manner and within the deadlines prescribed by the Ordinance, may be fined from EUR 660 to 46,450.

A fine ranging from HRK 5,660.00 to 9,950.00 is prescribed for a member of the Management Board or another responsible natural person of the legal entity.

How can we help you?

We can assist you in collecting data and identifying the beneficial owner and submitting the application to the Register of beneficial owners. Additionally, we can help you prepare requests to restrict access to data on the beneficial owner. Furthermore, we can support you in updating information in the Register.


Whistleblowing

Does your company employ more than 50 people?

If so, you are required to implement an internal reporting procedure that outlines the methods by which whistleblowers can report irregularities.

Additionally, if your company is subject to regulations in areas such as financial services, products and markets, prevention of money laundering and terrorist financing, traffic safety or environmental protection, you must implement an internal reporting procedure, regardless of the number of your employees.

Comply with your obligations and avoid penalties!

We encourage you to view the whistleblowing system as an opportunity. It can serve as a valuable tool for identifying risks in your operations, enabling you to implement more effective solutions for a more sustainable business. By supporting and promoting a whistleblowing system more broadly, you will be able to identify various risks with negative sustainability impacts. Higher staff engagement in identifying such risks can help you find solutions more quickly and drive faster sustainability growth.

A team of PwC professionals with expertise in regulatory compliance will guide you through the entire process, from an initial assessment of your current status and possibilities for reporting incidents in your company, to the drafting of a tailor-made whistleblowing policy and the implementation of the whistleblowing system.

1. Regulatory Analysis:

  • An independent analysis to determine the applicability of Croatian and EU whistleblowing legislation to your business operations.

2. Initial Assessment and Optimisation:

  • Assessing the current status and potential for reporting non-compliance incidents within your organisation (gap analysis)
  • Identifying areas for improvement to enhance the accessibility and usability of the whistleblowing system for employees

3. Internal Whistleblowing System Design:

  • Advising on the development of a comprehensive whistleblowing framework that complies with relevant legislation
  • Assisting with the design of reporting mechanisms that ensure confidentiality, protection, and ease of use for whistleblowers

4. Policy Drafting:

  • Drafting tailored Whistleblower and Investigation Policies aligned with best practices
  • Assisting with the establishment of clear guidelines for handling whistleblower reports

5. Process Implementation and Support:

  • Providing ongoing support for communication with whistleblowers to ensure transparency and trust
  • Advising on the management of documentation concerning whistleblowing reports and internal investigations

6. Employee Awareness and Training:

  • Assisting with the development of an employee awareness programme to promote understanding and engagement with the whistleblowing process
  • Designing employee and management training programmes tailored to your organisation’s specific needs, in collaboration with PwC Academy

Benefits of Implementing a Whistleblowing System:

- Risk Identification and Mitigation: Leverage whistleblowing as a proactive measure to identify and address operational and compliance risks that could impact sustainability and reputation

- Enhanced Compliance and Prevention of Penalties: Ensure compliance with applicable legislation to prevent potential penalties and legal consequences

- Corporate Culture and Trust: Promote a culture of transparency and integrity that fosters employee trust and engagement

- Support for Sustainability Initiatives: Integrate whistleblowing systems into broader strategic efforts to enhance sustainability performance and corporate social responsibility

For more information, we encourage you to contact us.

ESG

In today's rapidly evolving regulatory landscape, integrating Environmental, Social, and Governance (ESG) principles into business practices is not just a compliance requirement but a strategic imperative. At PwC, we understand that robust ESG strategies can drive long-term value creation and sustainability, enhancing both corporate reputation and stakeholder trust.

Our team of seasoned regulatory compliance professionals is committed to providing comprehensive ESG advisory services tailored to your organisation's unique needs. We offer expert guidance to help you navigate complex regulatory requirements, identify opportunities for sustainability, and mitigate potential risks. Whether you are seeking to develop ESG policies, improve transparency through effective reporting, or align your corporate governance with global best practices, we are here to support you every step of the way.

Leveraging our deep expertise in compliance and a forward-thinking approach, we empower businesses to transform ESG challenges into opportunities. Together, let's build a sustainable future and ensure your business thrives in an increasingly conscientious world. Explore our ESG advisory services to discover how we can help your organisation achieve its sustainability goals while strengthening corporate governance and social responsibility.

1. Corporate Governance Frameworks:

  • Developing and implementing corporate governance frameworks that align with best practices and regulatory requirements, while promoting ethical corporate culture and values
  • Advising on board structures, roles, and responsibilities to enhance governance effectiveness

2. ESG Policy Development:

  • Assisting in the creation and implementation of ESG policies that integrate sustainability principles into corporate strategies
  • Advising on key ESG factors relevant to the company’s industry and operations

3. Regulatory Compliance:

  • Assisting with ensuring compliance with applicable ESG regulations
  • Staying up-to-date with evolving ESG requirements and advising on necessary adjustments
  • Advising on disclosure requirements and reporting obligations

4. Board Advisory Services:

  • Advising boards of directors on ESG-related governance issues
  • Providing training on ESG and corporate governance topics, specialised for your industry

5. Stakeholder Engagement:

  • Developing strategies for effective communication with stakeholders on ESG matters
  • Facilitating stakeholder engagement processes and reporting on ESG performance

6. Ethics and Compliance Programmes:

  • Assisting in the development and implementation of corporate ethics and compliance programmes
  • Assisting in the development and implementation of programmes to promote diversity and inclusion within the organisation
  • Providing training on ethical conduct, anti-corruption, and compliance matters
  • Establishing whistleblower and reporting mechanisms

Contact us

Hrvoje Jelic

Country Managing Partner, Tax and Regulatory Services, PwC Croatia

Marko Marusic

Territory Tax and Regulatory Services Leader, PwC Croatia