# HR Market Entry Bilko Croatian market entry documentation # 00 — Overview & Index # Bilko HR Market Entry — Overview & Index **Last Updated:** 2026-05-28 **Status:** ACTIVE — ongoing consolidation **Owner:** ALAI Holding AS / Bilko Product Team --- ## Executive Summary Croatia (HR) represents a strategic market for Bilko due to: - **Currency:** EUR (eurozone since 2023) - **EU Status:** Full member since 2013 - **Market Size:**50K–500K SMBs - **Regulatory Complexity:** Mandatory e-invoicing (HR-FISK 2.0) since January 2026 - **Open Banking:** PSD2 full compliance (Berlin Group NextGenPSD2) **Current Challenge:** Bilko cannot launch in Croatia without: 1. HR-FISK 2.0 / eRačun integration via certified partner (FINA certificate path is high-friction) 2. Legal entity structure decision (d.o.o. vs paušalni obrt vs no HR entity) 3. Bank integration plan (PSD2 AISP/PISP readiness per top HR banks) 4. Regulatory compliance (PDV, OIB, CIT, data retention) --- ## Timeline
DateEventMC
2026-05-19Sveračun/Storecove partner pack prepared
2026-05-20Registration pack finalized\#100332, #8675
2026-05-28Legal/tax research commissioned (Lexicon)\#102422
2026-05-28Bank integration plan commissioned (Finverge)\#102423
2026-05-28BookStack consolidation (Skillforge)\#102437
TBDSveračun/Storecove partner decision
TBDHR entity structure decision
TBDHR-FISK integration Phase 1 (ZKI generation)
2027-01-01Non-VAT registered taxpayers must issue e-invoices (compliance deadline)
--- ## Mission Control Tasks - **\#100332** — Sveračun outreach (CEO action: contact `info@sveracun.hr`) - **\#8675** — Storecove sandbox/provisioning (BLOCKED: no real account/credentials yet) - **\#102422** — Legal/tax research (Lexicon — d.o.o. vs obrt vs no entity, OIB, PDV, NO-HR tax treaty) - **\#102423** — Bank integration plan (Finverge — PSD2 readiness, QWAC/QSeal, Tok gap analysis) - **\#102437** — BookStack consolidation (Skillforge — this document) --- ## Documents in This Book ### [01 — Sveračun & Storecove Partner Status](./01-sveracun-storecove) Consolidation of registration pack (9 files): - Morning brief (partner/intermediary strategy) - Company data checklist - Storecove action plan - Sveračun action plan - Bilko HR technical description - Vaultwarden secret plan - Post-approval handoff to engineering **Status:** OPEN — waiting for CEO outreach (#100332) and Storecove account provisioning (#8675). ### [02 — Legal & Tax — Entity Options & OIB](./02-legal-tax) **MC #102422** — Lexicon legal memo covering: - 6 entity options (d.o.o. / j.d.o.o. / obrt / paušalni obrt / branch / no-entity) - OIB requirements for NO physical + legal person - PDV obligations for SaaS sales from NO to HR (OSS scheme? B2B reverse charge? 60K EUR threshold?) - NO-HR double taxation treaty application - HR-FISK 2.0 obligation for foreign provider **Status:** OPEN — Lexicon drafting (42118 bytes expected, 816 lines, 19 sources cited). ### [03 — Bank Integration Plan — PSD2 / Tok / QWAC](./03-bank-integration) **MC #102423** — Finverge banking memo covering: - Per-bank PSD2 readiness status (PBZ, Zaba, Erste, OTP, Addiko, RBA, HPB) - eIDAS QWAC/QSeal certificate requirements via DigiCert - SEPA Instant support - ISO 20022 (CAMT.053, pain.001) integration plan - Tok platform coverage for HR (gap analysis) - TPP regulatory registration (HR AISP/PISP authorization vs EEA passporting from NO via HANFA) **Status:** OPEN — Finverge drafting (50917 bytes expected, 49368 chars, 31 sources). ### [04 — Regulatory Reference — VAT/CIT/HR-FISK/SEPA](./04-regulatory-reference) Existing regulatory documentation merged: - Croatia (HR) regulatory requirements (VAT/PDV, CIT, chart of accounts) - HR-FISK 2.0 technical spec (UBL 2.1, ZKI/JIR, FINA certificate, OIB validation) - E-invoice mandatory deadlines and penalties - Bank integration format (ISO 20022, SEPA Instant) **Status:** COMPLETE — regulatory reference consolidated. --- ## Key Open Questions ### Partner/Intermediary Path (Priority 1) 1. **Storecove:** Can they provide fast sandbox + production path for HR-FISK 2.0 routing? 2. **Sveračun/PostLink:** Do they support SaaS platform/reseller model for multiple customer organizations? 3. **Certificate requirement:** Does partner act as intermediary, or does each Bilko customer need their own FINA certificate? 4. **KYC:** Must Bilko KYC each Croatian customer through partner? 5. **Pricing:** Volume pricing for 250–10,000 invoices/month — economically viable? 6. **Foreign entity:** Can ALAI Holding AS (NO) contract without Croatian legal entity? ### Legal/Tax Structure (Priority 2) 1. **Entity:** Should ALAI form Croatian d.o.o., paušalni obrt, or operate via NO entity with VAT registration? 2. **OIB:** Can NO legal entity obtain OIB without HR resident director? 3. **PDV registration:** Is 60K EUR threshold per-country or global? OSS scheme vs direct registration? 4. **NO-HR treaty:** Does treaty cover SaaS income? Permanent establishment risk? 5. **HR-FISK compliance:** Can foreign provider use partner/intermediary, or must self-certify with FINA? 6. **Data residency:** GDPR compliance — can Bilko host Croatian customer data in NO/EU region? ### Bank Integration (Priority 3) 1. **PSD2 readiness:** Which HR banks have stable Berlin Group NextGenPSD2 endpoints in production? 2. **QWAC/QSeal:** Can ALAI obtain eIDAS certificates via DigiCert without HR entity? 3. **TPP registration:** EEA passporting from NO via Finanstilsynet → HANFA, or separate HR TPP registration? 4. **Tok gap:** What does Tok platform already cover for HR, and what must be built for Bilko HR launch? 5. **SEPA Instant:** All top HR banks support SEPA Instant? 6. **ISO 20022:** Do HR banks provide CAMT.053 (statements) and accept pain.001 (payments)? --- ## Decision Framework ### Phase 0 — Partner Selection (CURRENT) - **Outcome:** Storecove OR Sveračun OR other certified intermediary - **Gate:** Real sandbox credentials + fake invoice ACK + volume pricing quote - **MC Tasks:** #100332 (Sveračun outreach), #8675 (Storecove provisioning) ### Phase 1 — Legal Entity Structure - **Outcome:** d.o.o. OR paušalni obrt OR no HR entity + VAT registration - **Gate:** Lexicon legal memo (#102422) + CEO decision - **Risk:** If partner requires HR entity, fallback to d.o.o. formation (4–8 weeks) ### Phase 2 — Bank Integration Plan - **Outcome:** Tok platform extended for HR banks OR separate Bilko-HR bank integration - **Gate:** Finverge memo (#102423) + per-bank PSD2 readiness matrix - **Critical path:** QWAC/QSeal procurement (8–12 weeks) + TPP regulatory passporting (4–6 weeks) ### Phase 3 — HR-FISK Integration (Engineering) - **Outcome:** ZKI generation + FINA cert loading + FISK API client - **Gate:** Partner sandbox ACK + Bilko code integration + E2E test - **Duration:** 3–5 weeks (after partner selected) ### Phase 4 — Croatian MVP Launch - **Outcome:** Bilko HR live for 5–50 pilot customers - **Gate:** Proveo E2E validation + regulatory compliance checklist + CEO approval - **Compliance deadline:** January 1, 2027 (non-VAT registered taxpayers must issue e-invoices) --- ## Source Files (Local Disk) All source files have canonical BookStack links added to their headers: 1. **Sveračun/Storecove pack:**`/Users/makinja/business/ALAI-Holding-AS/registrations/Bilko-HR-Storecove-Sveracun-2026-05-20/`(9 files) 2. **Legal memo:**`/Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/legal/hr-market-entry-options.md`(placeholder — MC #102422 open) 3. **Banking memo:**`/Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/integrations/hr-bank-integration-plan.md`(placeholder — MC #102423 open) 4. **Regulatory README:**`/Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/regulatory/HR/README.md` 5. **HR-FISK spec:**`/Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/integrations/hr-fisk-spec.md` --- ## Next Steps 1. **CEO:** Contact Sveračun (`info@sveracun.hr` / `+385 1 410 1130`) per MC #100332. 2. **CEO:** Complete Storecove business signup and request sandbox credentials per MC #8675. 3. **Lexicon:** Deliver legal/tax memo per MC #102422. 4. **Finverge:** Deliver bank integration plan per MC #102423. 5. **Skillforge:** Update this BookStack page when Lexicon/Finverge memos are delivered. 6. **John:** Create MC tasks for Phase 3 (HR-FISK integration) after partner selected. --- **BookStack Canonical URL:** [https://docs.alai.no/books/bilko-hr-market-entry/page/00-overview-index](https://docs.alai.no/books/bilko-hr-market-entry/page/00-overview-index) # 01 — Sveračun & Storecove Partner Status # Bilko HR — Sveračun & Storecove Partner Status **Prepared:** 2026-05-19 evening **Open:** 2026-05-20 morning **Market:** Croatia / HR **Entity for partner signup:** ALAI Holding AS unless a Croatian entity is later created **Relevant MC tasks:** #8675 Storecove sandbox/provisioning, #100332 Sveračun outreach --- ## Goal Unblock Croatian Bilko launch path by getting a **Path B intermediary/partner** for HR-FISK 2.0 / eRačun instead of trying to self-certify directly with FINA. Primary paths to pursue: 1. **Storecove** — Peppol/e-invoice API provider. MC #8675 is currently blocked because no actual account, credentials, or sandbox ACK evidence exists. 2. **Sveracun / PostLink d.o.o.** — Croatian FISK/eRačun partner candidate. MC #100332 asks CEO to contact `info@sveracun.hr` / `+385 1 410 1130`. --- ## 1. Morning Brief ### Executive Summary Croatia is not blocked by code first; it is blocked by **e-invoice/fiscalization partner access**. CEO decision already favors **Path B — certified intermediary/partner**. Do not spend time trying to form a Croatian d.o.o. or self-certify unless partner path fails. ### What to do tomorrow 1. Contact Storecove or complete business signup. 2. Contact Sveracun/PostLink for partner/API/reseller terms. 3. Ask both for: - Croatia HR-FISK/eRačun support - REST API documentation access - sandbox credentials - production onboarding timeline - reseller / SaaS platform terms - volume pricing for 250–10,000 invoices/month - whether Bilko can submit on behalf of Croatian customer organizations 4. Save proof of contact and any portal screenshots. 5. Do not mark #8675 done until there is actual sandbox/prod credential evidence and at least a fake invoice ACK/test path. ### Known Bilko HR state - `packages/domain-hr/` exists. - Supports Croatian tax config: PDV 25% / 13% / 5% / 0%. - Uses EUR and OIB. - HR-FISK/eRačun implementation is scaffold/placeholder, not production-ready. - Direct FINA certificate path is high-friction; intermediary path is intended. ### Important questions for partner - Do they support **Croatia B2B eRačun / Fiscalization 2.0** specifically? - Do they provide API access for a SaaS accounting platform/reseller? - Are customer certificates needed per end-customer, or does partner act as intermediary? - Does Bilko need to KYC each Croatian customer through partner? - Can ALAI Holding AS contract without Croatian legal entity? - What data processing agreement/DPA is required? - Sandbox timeline and production activation timeline? ### Decision rule - If Storecove provides fast sandbox + production path: continue #8675. - If Sveracun provides clearer local HR-FISK path/pricing: prioritize #100332. - If both require Croatian entity/certificate: escalate for CEO legal decision. --- ## 2. Company/Signup Data Checklist ### Contracting entity Default signup entity: - [ ] Legal name: ALAI Holding AS - [ ] Country: Norway - [ ] Org.nr: 932 516 136 - [ ] Address: `________________________` - [ ] VAT/MVA number if requested: `________________________` - [ ] Authorized signer: Alem Bašić / verify exact legal role - [ ] Billing email: `________________________` - [ ] Technical contact email: `________________________` - [ ] DPA/security contact email: `________________________` ### Product - [ ] Product name: Bilko - [ ] Market: Croatia / HR - [ ] Product type: cloud accounting and e-invoicing SaaS - [ ] Target customers: SMBs / accountants in Croatia - [ ] Estimated volume: 5–50 HR customers × 50–200 invoices/month = 250–10,000 monthly invoices - [ ] Needed environment: sandbox + production ### Documents to collect Put non-secret files under `place-documents-here/`: - [ ] ALAI Holding AS registry extract / company certificate - [ ] Proof of authorized signer if requested - [ ] Partner email thread / contact form copy - [ ] Partner onboarding terms - [ ] DPA / subprocessor terms - [ ] Pricing quote - [ ] Sandbox approval/activation screenshot - [ ] Production approval/activation screenshot ### Security notes - Do not save API credentials in this folder. - Do not commit partner contracts if marked confidential without CEO approval. - Credentials go only to Vaultwarden paths (see section 6 below). --- ## 3. Storecove Action Plan **Website:** https://www.storecove.com/ **Task:** #8675 — Storecove account provisioning + sandbox access ### Goal Get real Storecove business account access, sandbox credentials, production onboarding requirements, and a test/fake invoice acknowledgement path for Croatia. ### Steps 1. Open Storecove website and create/contact business account. 2. Register ALAI Holding AS as legal entity. 3. Ask for Croatia HR-FISK/eRačun / Peppol routing support. 4. Request: - sandbox API credentials - production onboarding checklist - OAuth2/API auth details - REST API documentation - pricing and billing setup - DPA/subprocessor terms 5. Save screenshots/emails in `place-documents-here/partner-emails/` or `portal-screenshots/`. ### Copy/paste inquiry ``` Hello Storecove team, We are building Bilko, a cloud accounting and e-invoicing SaaS for SMEs in Croatia and the Balkans. We want to integrate Croatia e-invoicing / HR-FISK 2.0 / eRačun through a certified intermediary/API provider rather than self-certifying directly. Company: ALAI Holding AS, Norway, org.nr 932 516 136 Product: Bilko Target market: Croatia Expected initial volume: 250–10,000 invoices/month Use case: Bilko submits and receives e-invoices on behalf of customer organizations through API. Could you confirm: 1. Do you support Croatian B2B eRačun / Fiscalization 2.0 routing? 2. Can Bilko operate as a SaaS platform/reseller for multiple Croatian customer organizations? 3. Can you provide sandbox API credentials and REST API documentation? 4. What is the production onboarding/KYC process? 5. What are the pricing tiers and DPA/subprocessor terms? 6. Is a Croatian legal entity or end-customer FINA certificate required? Best regards, Alem / ALAI Holding AS ``` ### Completion criteria for #8675 \#8675 should remain blocked/open until there is real evidence of: - Storecove account exists; - sandbox and/or production credentials issued; - credentials stored in Vaultwarden; - fake invoice sandbox submission/ACK verified or partner confirms exact test flow; - MC updated with non-secret evidence. --- ## 4. Sveračun / PostLink Action Plan **Candidate:** Sveračun / PostLink d.o.o. **Email:** info@sveracun.hr **Phone:** +385 1 410 1130 **Task:** #100332 — CEO outreach Sveračun Path B partner for HR FISK 2.0 ### Goal Determine if Sveračun can be Bilko’s Croatian HR-FISK/eRačun intermediary/API partner, and get partnership/API/pricing terms. ### Ask for - SaaS reseller/platform partnership terms - REST API documentation access - Sandbox/test environment - Production onboarding timeline - Volume pricing tiers - Whether Bilko can submit for multiple customer organizations - Whether Croatian legal entity is required - Whether each end-customer must provide certificate/OIB onboarding - DPA/subprocessor/security terms ### Copy/paste email in Croatian/BHS ``` Poštovani, Mi smo ALAI Holding AS iz Norveške i razvijamo Bilko, cloud računovodstveni i e-invoicing SaaS za mala i srednja preduzeća u Hrvatskoj i regiji. Tražimo HR-FISK 2.0 / eRačun partnera preko kojeg Bilko može slati i primati e-račune za hrvatske korisničke organizacije putem API-ja. Osnovni podaci: - Kompanija: ALAI Holding AS, Norveška, org.nr 932 516 136 - Proizvod: Bilko - Tržište: Hrvatska - Planirani volumen u MVP fazi: 5–50 korisnika × 50–200 računa mjesečno, okvirno 250–10.000 računa mjesečno - Model: Bilko kao SaaS računovodstvena platforma za više korisničkih organizacija Molimo informacije: 1. Da li nudite REST/API pristup za HR-FISK 2.0 / eRačun integraciju? 2. Da li podržavate SaaS/reseller model gdje Bilko šalje e-račune za više korisničkih organizacija? 3. Možemo li dobiti sandbox/test pristup i API dokumentaciju? 4. Koji je onboarding proces za produkciju? 5. Da li je potrebna hrvatska pravna osoba ili može ugovor potpisati ALAI Holding AS? 6. Da li svaki krajnji korisnik mora imati poseban certifikat/OIB onboarding? 7. Koji su cjenovni razredi za 250–10.000 računa mjesečno? 8. Koji DPA/security uslovi su potrebni? Hvala unaprijed, Alem / ALAI Holding AS ``` ### After contact - Save email copy/response in `place-documents-here/partner-emails/`. - Update MC #100332 with exact result. - If API access is offered, create/keep credentials only in Vaultwarden. --- ## 5. Bilko HR Technical Description (For Partners) ### Osnovni podaci **Naziv softvera:** Bilko **Dobavljač:** ALAI Holding AS **Tržište:** Hrvatska **Tip softvera:** cloud računovodstveni i e-invoicing SaaS za mala i srednja preduzeća ### Kratak opis Bilko je cloud računovodstveni sistem za mala i srednja preduzeća. Sistem omogućava izdavanje i upravljanje fakturama/računima, osnovno dvojno knjigovodstvo, PDV obračun, finansijske izvještaje, bank reconciliation i čuvanje revizorskog traga. Za Hrvatsku, Bilko treba podržati HR-FISK 2.0 / eRačun tok kroz certificiranog posrednika ili Peppol/e-invoice API partnera. Bilko čuva konfiguraciju po korisničkoj organizaciji i šalje e-račune u propisanom strukturiranom formatu preko partner API-ja. ### Hrvatska funkcionalnost - PDV stope: 25%, 13%, 5%, 0%. - Valuta: EUR. - Identifikator: OIB. - E-račun: UBL 2.1 / EN 16931 / HR-CIUS gdje partner zahtijeva. - Statusno praćenje e-računa. - Storno/otkazivanje prema pravilima partnera/platforme. - Revizorski trag za sve slanje, promjene statusa i greške. - Encrypted storage za API credentials i konfiguraciju po organizaciji. ### Integracijski model Bilko preferira partner/intermediary API model: 1. Bilko generiše fakturu i metapodatke. 2. Bilko šalje e-račun partneru preko REST/API interfejsa. 3. Partner radi routing prema HR-FISK/eRačun/FINA/Peppol sistemu. 4. Partner vraća ACK/status/ID. 5. Bilko čuva status i audit trail. ### Sigurnost - API ključevi i tajne se čuvaju šifrovano. - Tajne se ne upisuju u logove. - Pristup je odvojen po korisničkoj organizaciji. - Sistem podržava DPA/subprocessor evidenciju. - Finansijski podaci se čuvaju u EU/EEA cloud regionu ako partner/kupac zahtijeva. --- ## 6. Vaultwarden Secret Plan Do not store real secrets in this folder. ### Storecove sandbox Item name: ``` Bilko/sandbox/HR/storecove-api ``` Fields: ``` environment=sandbox provider=Storecove market=HR company=ALAI Holding AS auth_type= api_base_url= client_id= client_secret= api_key= issued_at= notes= ``` ### Storecove production Item name: ``` Bilko/production/HR/storecove-api ``` Same fields as sandbox. ### Sveracun sandbox/production Item names: ``` Bilko/sandbox/HR/sveracun-api Bilko/production/HR/sveracun-api ``` Fields: ``` provider=Sveracun / PostLink d.o.o. market=HR company=ALAI Holding AS auth_type= api_base_url= client_id= client_secret= api_key= certificate_ref= issued_at= notes= ``` ### After storing credentials Update MC #8675 or #100332 with only: - provider name; - Vaultwarden item name; - non-secret evidence path; - sandbox/prod status; - next engineering task. --- ## 7. Post-Approval Handoff to Engineering Use this after Storecove/Sveracun access is received. ### Handoff checklist - [ ] Partner selected: Storecove / Sveračun / other - [ ] Contract/commercial terms saved in `place-documents-here/contracts/` - [ ] DPA/subprocessor terms reviewed or flagged - [ ] Sandbox credentials stored in Vaultwarden - [ ] Production onboarding status recorded - [ ] API documentation link/file saved - [ ] Fake invoice sandbox ACK obtained or test flow scheduled - [ ] MC #8675/#100332 updated with non-secret evidence ### Engineering next tasks - Align Bilko `domain-hr` adapter with partner API, not theoretical direct FINA path. - Confirm auth type: OAuth2/API key/mTLS/certificate. - Map Bilko invoice model to partner payload/UBL requirements. - Implement sandbox smoke test. - Store partner invoice ID/status/JIR/ZKI equivalents returned by provider. - Add contract test for HR e-invoice payload. - Decide whether customer OIB onboarding/KYC is a user-facing workflow. ### Blockers to escalate - Partner requires Croatian legal entity. - Partner requires each customer to provide certificate and no SaaS proxy model exists. - Partner terms prohibit accounting SaaS reseller use. - Pricing makes MVP uneconomical at 250–10,000 invoices/month. --- ## Current Status - **Storecove (#8675):** BLOCKED — no real account/credentials yet. Prior evidence was only research/outreach claims, not actual sandbox ACK. - **Sveračun (#100332):** OPEN — CEO outreach not yet sent. - **Next action:** CEO to contact both partners and collect sandbox credentials + pricing quotes. --- **Local source:**`/Users/makinja/business/ALAI-Holding-AS/registrations/Bilko-HR-Storecove-Sveracun-2026-05-20/` **BookStack Canonical URL:** [https://docs.alai.no/books/bilko-hr-market-entry/page/01-sveracun-storecove](https://docs.alai.no/books/bilko-hr-market-entry/page/01-sveracun-storecove) # 02 — Legal & Tax — Entity Options & OIB # Croatian Market Entry Options for Norwegian SaaS Provider **Document Type:** Internal Research Memo **Subject:** Legal and tax options for ALAI Holding AS (Norwegian entity) entering Croatian market with Bilko SaaS **Date:** 2026-05-28 **Status:** ⚠️ NOT LEGAL ADVICE — Final confirmation requires licensed Croatian attorney and tax advisor **Entity:** ALAI Holding AS (Org.nr 932 516 136), Norwegian AS, CEO Alem Basic (Norwegian resident) **Product:** Bilko (SaaS accounting platform, target: Croatian SMBs) --- ## TL;DR — Recommended Path **For Phase 1 (0-50 clients, <€300K annual revenue):** ✅ **No Croatian entity initially** — Sell directly from ALAI Holding AS (Norwegian company) - ✅ B2B reverse charge (clients self-assess Croatian VAT) — no VAT registration needed - ✅ B2C via Non-Union OSS scheme if B2C sales >€10,000/year threshold - ✅ Norwegian CIT applies (22%), withholding exempted per Norway-Croatia tax treaty - ⚠️ **HR-FISK e-invoice:** UNCLEAR if mandatory for foreign provider — requires legal clarification - ⚠️ **OIB:** Not mandatory for pure digital service from abroad, but recommended for banking/contract relationships **Trigger point for Croatian entity (d.o.o.):** - Revenue >€300K/year in Croatia OR - Physical presence needed (office, employees) OR - HR-FISK compliance requires local entity (TBD by legal counsel) **Rationale:** Lower overhead, test market fit, comply via reverse charge (B2B) and OSS (B2C), minimal Croatian administrative burden. --- ## Decision Matrix: 5 Entity Options | Option | Capital Requirement | Timeline | Annual Overhead | Best For | HR-FISK Eligible? | Risk Level | | -------------------------------------- | ------------------- | --------- | ------------------------------------ | ----------------------------------------------- | --------------------------- | ----------- | | **No HR entity** (direct sale from NO) | €0 | Immediate | ~€5K (accounting/legal review) | <€300K revenue, pure B2B/light B2C | ⚠️ UNCLEAR | Low-Medium | | **d.o.o. (Croatian LLC)** | €2,630 (HRK ~20K) | 2-4 weeks | €8K-€15K (accounting, audit, filing) | >€300K revenue, local presence, hiring plans | ✅ Yes | Medium | | **j.d.o.o. (Simplified LLC)** | €1 (symbolic) | 1-2 weeks | €5K-€10K | <€1M revenue, max 3 founders, simpler structure | ✅ Yes | Medium | | **Obrt (Sole Proprietorship)** | €0 | 1 week | €3K-€6K | Solo freelancer, revenue <€60K | ⚠️ FOREIGN OWNER RESTRICTED | Medium-High | | **Paušalni obrt** | €0 | 1 week | €2K-€4K | Very low revenue (<€60K), lump-sum tax | ⚠️ FOREIGN OWNER RESTRICTED | High | | **Branch (Podružnica)** | €0 | 3-6 weeks | €6K-€12K (separate accounting) | Parent wants direct control, HR ops significant | ✅ Yes | Medium | ### Criteria Definitions 1. **Capital Requirement:** Minimum paid-in capital (d.o.o. requires ~€2,630; j.d.o.o. only €1) 2. **Timeline:** From paperwork start to registration complete 3. **Annual Overhead:** Estimated cost for accounting, bookkeeping, tax filings, audit (if required), annual FINA filing 4. **Best For:** Revenue size and operational model 5. **HR-FISK Eligible:** Can the entity obtain FINA certificate for mandatory e-invoicing? 6. **Risk Level:** Legal/compliance complexity for foreign founder --- ## Question 1: Entity Registration Options ### 1.1 d.o.o. (Društvo s ograničenom odgovornošću — Croatian LLC) **Legal Basis:** Zakon o trgovačkim društvima (Companies Act), NN 111/93 and amendments **Key Facts:** - **Minimum Capital:** HRK 20,000 (~€2,630), must be deposited before registration - **Shareholders:** Min 1, max unlimited; can be 100% foreign-owned (Norwegian individual or company) - **Management:** Minimum 1 director (can be foreign resident, but must have Croatian OIB for registration) - **Registration:** Court of Registry (Trgovački sud) via HITRO.HR portal - **Timeline:** 2-4 weeks (faster if all docs prepared) - **Seat Requirement:** Must have registered address in Croatia (can use virtual office initially) - **Accounting:** Full bookkeeping per Croatian Accounting Act, annual financial statements filed with FINA - **Audit Requirement:** If exceeds 2/3 criteria: revenue >€8M, assets >€4M, employees >50 (unlikely for SaaS startup) - **Annual Costs:** ~€8,000-€15,000 (accountant, bookkeeper, annual FINA filing, legal compliance) **Advantages:** - ✅ Limited liability (shareholders liable only up to capital contribution) - ✅ Credibility with Croatian customers (local company) - ✅ Can hire Croatian employees directly - ✅ Full HR-FISK eligibility (can obtain FINA certificate) - ✅ Can open Croatian bank account easily **Disadvantages:** - ❌ Upfront capital requirement (€2,630) - ❌ Annual accounting/audit overhead - ❌ Must file annual financial statements with FINA (public record) - ❌ Subject to Croatian CIT (18% or 10% if revenue <€1M) - ❌ Potential WHT on dividends to Norwegian parent (10%, reducible per treaty) **When to Choose:** Revenue >€300K/year in Croatia, need local employees, want local bank account, HR-FISK mandatory compliance confirmed --- ### 1.2 j.d.o.o. (Jednostavno društvo s ograničenom odgovornošću — Simplified LLC) **Legal Basis:** Zakon o trgovačkim društvima, Art. 390a-390t (introduced 2012, updated 2019) **Key Facts:** - **Minimum Capital:** €1 (symbolic, one of lowest in EU) - **Founders:** Max 3 natural persons (can be foreign, but at least one must be Croatian resident OR foreign founder must appoint Croatian representative) - **Revenue Limit:** Max €7.5M annually; if exceeded, must convert to regular d.o.o. within 6 months - **Management:** Simplified governance (founders = directors, no supervisory board needed) - **Accounting:** Simplified bookkeeping (single-entry permitted if revenue <€300K) - **Registration:** Same as d.o.o. (HITRO.HR portal, Trgovački sud) - **Timeline:** 1-2 weeks (faster than d.o.o. due to simpler docs) - **Annual Costs:** ~€5,000-€10,000 **Advantages:** - ✅ Minimal capital (€1) - ✅ Faster setup than d.o.o. - ✅ Simplified accounting for small revenue - ✅ Limited liability - ✅ HR-FISK eligible **Disadvantages:** - ⚠️ Founder must be natural person (not legal entity like ALAI Holding AS) — **CEO Alem would be founder personally, not company** - ❌ Max 3 founders (not scalable for larger shareholder base) - ❌ Revenue cap €7.5M (good problem to have, but requires conversion) - ❌ Less formal governance = less attractive to investors (if future fundraising planned) **When to Choose:** CEO Alem willing to be personal founder (not ALAI Holding AS), revenue €300K-€1M range, want minimal capital, need HR entity quickly --- ### 1.3 Obrt (Sole Proprietorship / Craft Business) **Legal Basis:** Zakon o obrtu (Crafts Act), NN 143/13 **Key Facts:** - **Owner:** Natural person only (not legal entity) - **Foreign Ownership:** ⚠️ **RESTRICTED** — Foreign (non-EU) citizens need work permit and residency in Croatia (Norway is outside EU/EEA for this purpose as of 2026) - **Revenue Limit:** Unlimited in theory, but paušalni regime only up to €60K - **Liability:** Unlimited personal liability (owner personally liable for all debts) - **Registration:** Ministry of Economy (Ministarstvo gospodarstva) via HITRO.HR - **Accounting:** Simplified bookkeeping for small revenue - **Annual Costs:** ~€3,000-€6,000 **Advantages:** - ✅ No capital requirement - ✅ Simple setup (1 week) - ✅ Lower accounting overhead than d.o.o. **Disadvantages:** - ❌ **Foreign owner needs Croatian residency/work permit** — NOT viable for Norwegian resident CEO without relocating - ❌ Unlimited personal liability - ❌ Owner = business (no legal separation) - ❌ Revenue cap €60K for paušalni regime - ⚠️ HR-FISK eligibility unclear for foreign-owned obrt **When to Choose:** NOT RECOMMENDED for Alem (Norwegian resident). Only viable if CEO relocates to Croatia. --- ### 1.4 Paušalni Obrt (Lump-Sum Taxed Sole Proprietorship) **Legal Basis:** Zakon o porezu na dohodak (Income Tax Act), NN 115/16, Art. 31 **Key Facts:** - **Revenue Cap:** €60,000 annually (hard limit) - **Taxation:** Lump-sum tax based on activity type (not actual profit) — typically €500-€3,000/year flat rate - **VAT:** Not VAT-registered (below threshold), cannot charge/reclaim VAT - **Owner:** Natural person only - **Foreign Ownership:** ⚠️ **SAME RESTRICTION AS OBRT** — foreign owner needs Croatian residency **Advantages:** - ✅ Very low tax burden (fixed lump-sum) - ✅ No capital requirement - ✅ Minimal accounting (no double-entry) **Disadvantages:** - ❌ **Foreign owner needs Croatian residency** — NOT viable for Norwegian resident - ❌ Revenue cap €60K (too low for SaaS growth) - ❌ No VAT registration (cannot serve VAT-registered clients properly) - ❌ Unlimited personal liability **When to Choose:** NOT RECOMMENDED for Alem. Only for Croatian residents doing side business. --- ### 1.5 Podružnica (Branch of Foreign Company) **Legal Basis:** Zakon o trgovačkim društvima, Art. 464-468 **Key Facts:** - **Definition:** Croatian registered branch of ALAI Holding AS (Norwegian parent) - **Legal Status:** NOT separate legal entity (parent ALAI Holding AS fully liable) - **Capital:** No minimum paid-in capital (but parent must demonstrate solvency) - **Registration:** Court of Registry (Trgovački sud) via HITRO.HR - **Timeline:** 3-6 weeks (longer than d.o.o. due to foreign company documentation) - **Accounting:** Separate Croatian bookkeeping + consolidation with parent (dual overhead) - **Taxation:** Branch profits taxed in Croatia (18% CIT), then remitted to Norway (treaty prevents double taxation) - **Audit:** If branch exceeds size thresholds, requires audit - **Annual Costs:** ~€6,000-€12,000 (accounting for both branch and parent coordination) **Advantages:** - ✅ Parent (ALAI Holding AS) retains direct control - ✅ No Croatian shareholders needed (100% Norwegian parent) - ✅ HR-FISK eligible - ✅ Can hire Croatian employees **Disadvantages:** - ❌ Parent ALAI Holding AS fully liable (no limited liability shield) - ❌ Dual accounting overhead (branch + parent) - ❌ More complex tax filings (branch CIT in Croatia, then consolidation in Norway) - ❌ Longer setup timeline - ❌ Perceived as "foreign" by Croatian customers (less local credibility than d.o.o.) **When to Choose:** Parent wants direct operational control, Croatian operations are significant (>€500K revenue, 5+ employees), willing to accept unlimited parent liability --- ### 1.6 No Croatian Entity (Direct Sale from Norway) **Legal Basis:** Croatian VAT Act (Art. 4, 17), EU VAT Directive 2006/112/EC (place of supply rules for electronic services) **Key Facts:** - **Entity:** ALAI Holding AS sells directly from Norway (no Croatian company) - **B2B Sales:** Reverse charge applies — Croatian VAT-registered customer self-assesses Croatian VAT (ALAI issues invoice without VAT) - **B2C Sales:** If annual B2C sales to Croatia >€10,000, must register for Non-Union OSS scheme (One-Stop Shop) in Norway and remit Croatian VAT (25%) via Norwegian tax authority - **CIT:** ALAI Holding AS taxed in Norway (22% Norwegian CIT), no Croatian CIT (unless permanent establishment created) - **Permanent Establishment (PE) Risk:** None if purely digital service, no Croatian office, no employees, no fixed place of business (per OECD Model Tax Convention Art. 5, adopted by Norway-Croatia treaty) - **HR-FISK:** ⚠️ **UNCLEAR** if foreign provider must issue e-invoices via HR-FISK for Croatian customers (see Question 5 below) **Advantages:** - ✅ Zero setup cost, immediate start - ✅ No Croatian administrative overhead (accounting, filings) - ✅ Taxed in Norway only (22% CIT, familiar regime) - ✅ No Croatian audit, FINA filing, or court registration - ✅ Test market fit before committing to Croatian entity **Disadvantages:** - ⚠️ HR-FISK compliance unclear (may require local entity — see Question 5) - ❌ Perceived as "foreign" (may reduce trust with Croatian SMB customers) - ❌ Cannot open Croatian bank account (must use Norwegian account, EUR SEPA transfers) - ❌ B2C VAT compliance via OSS (if >€10K B2C sales) - ❌ May trigger Croatian VAT registration if threshold exceeded or if HR-FISK requires local entity **When to Choose:** Phase 1 (<€300K revenue, mostly B2B), test market, avoid overhead, HR-FISK exemption confirmed OR work-around via Peppol (see Question 5) --- ## Question 2: OIB (Osobni Identifikacijski Broj) **OIB = Croatian Tax Identification Number** (11-digit unique identifier for all natural and legal persons transacting in Croatia) **Legal Basis:** Zakon o osobnom identifikacijskom broju (Personal Identification Number Act), NN 60/08 ### 2.1 OIB for Foreign Natural Person (CEO Alem Basic) **When MANDATORY:** - If registering Croatian company (d.o.o., j.d.o.o., obrt) as founder/director - If employed by Croatian entity - If owning Croatian real estate - If opening Croatian bank account (most banks require OIB) **When NOT mandatory (but recommended):** - If providing services remotely from Norway to Croatian clients (no Croatian entity) — NOT legally required, but some Croatian clients may request for their accounting records - If signing Croatian contracts as Norwegian entity representative — recommended but not mandatory **How to Obtain:** 1. Submit application to **Croatian Tax Administration** (Porezna uprava) via: - In-person at any Tax Administration office in Croatia (bring passport + proof of purpose) - OR via Croatian embassy/consulate in Norway (Oslo embassy) — requires appointment 2. **Documents Needed:** - Valid passport (Norwegian) - Proof of purpose (e.g., company registration docs, employment contract, bank account opening letter) 3. **Timeline:** 1-2 weeks if in Croatia, 4-6 weeks via embassy 4. **Cost:** Free **Recommendation:** If Alem plans to register Croatian entity OR open Croatian bank account → **obtain OIB proactively**. If selling purely from Norway with no Croatian entity → NOT urgent (can defer until needed). --- ### 2.2 OIB for Foreign Legal Entity (ALAI Holding AS) **When MANDATORY:** - If registering Croatian branch (podružnica) - If registering Croatian subsidiary (d.o.o. as separate entity, then parent ALAI Holding AS as shareholder needs OIB) - If VAT-registered in Croatia (as foreign taxable person) **When NOT mandatory:** - If selling digital services from Norway with reverse charge (B2B) or OSS (B2C) — **NOT required** - If transacting via SEPA as Norwegian entity — NOT required (use Norwegian org.nr 932 516 136) **How to Obtain:** 1. Submit application to **Croatian Tax Administration** (Porezna uprava) with: - Certificate of Incorporation (Norwegian BR Registerutskrift) translated to Croatian (sworn translation) - Proof of Norwegian company registration (Org.nr 932 516 136) - Power of Attorney if representative applies on behalf of company 2. **Timeline:** 2-4 weeks 3. **Cost:** Free (translation ~€50-€100) **Recommendation:** If registering Croatian entity or VAT → obtain OIB for ALAI Holding AS. If direct sale from Norway → **NOT needed initially** (can defer). --- ## Question 3: VAT (PDV) for SaaS Sales from Norway to Croatia **Norway = Outside EU** (Norway is EEA member for free movement, but NOT in EU Customs Union or VAT area). For VAT purposes, Norway is "third country" (non-Union). **Legal Basis:** - Croatian VAT Act (Zakon o porezu na dodanu vrijednost), NN 73/13 and amendments - EU VAT Directive 2006/112/EC (Croatia bound as EU member since 2013) - Place of supply rules for electronic services: Art. 58 (B2C) and Art. 44 (B2B) ### 3.1 B2B Sales (Business-to-Business): Croatian VAT-Registered Customer **Rule:** **Reverse Charge Mechanism** (Art. 17 Croatian VAT Act) **How it Works:** 1. ALAI Holding AS (Norwegian provider) issues invoice to Croatian VAT-registered customer **WITHOUT Croatian VAT** 2. Invoice must state: _"Reverse charge — customer must self-assess Croatian VAT per Art. 17 VAT Act"_ (or Croatian: _"Obrnuto opterećenje — primatelj usluge plaća PDV prema čl. 17 Zakona o PDV-u"_) 3. Croatian customer self-assesses 25% Croatian VAT and reports it on their Croatian VAT return (input VAT deductible if business use) 4. ALAI Holding AS does **NOT** charge, collect, or remit Croatian VAT 5. ALAI Holding AS does **NOT** need Croatian VAT registration for pure B2B sales **Requirements for ALAI Holding AS:** - ✅ Customer must provide Croatian VAT ID (format: HR + 11-digit OIB, e.g., HR12345678901) - ✅ ALAI must verify customer's VAT ID via **EU VIES system** (https://ec.europa.eu/taxation_customs/vies/) — Croatia is in VIES - ✅ Invoice must clearly state reverse charge clause - ✅ ALAI should keep records of customer VAT IDs (for audit defense if questioned by Norwegian or Croatian tax authorities) **Outcome:** ✅ **No Croatian VAT registration needed for B2B SaaS sales** --- ### 3.2 B2C Sales (Business-to-Consumer): Croatian Non-VAT-Registered Customers **Rule:** **Non-Union OSS Scheme** (One-Stop Shop for suppliers outside EU selling to EU consumers) **How it Works:** 1. If ALAI Holding AS annual B2C sales to **all EU countries** (including Croatia) exceed **€10,000 threshold**, ALAI must register for **Non-Union OSS** in Norway 2. Once registered, ALAI charges **Croatian VAT (25%)** on all sales to Croatian consumers 3. ALAI files **quarterly OSS return** via Norwegian Tax Administration (Skatteetaten), declaring sales per EU country and remitting VAT 4. Norwegian Tax Administration distributes collected VAT to each EU country (including Croatia) **Threshold Details:** - **€10,000 = Total B2C sales to ALL EU** (not just Croatia) — if Bilko sells €5K to Croatia + €6K to Germany = €11K total → OSS registration required - Before exceeding €10,000: ALAI can charge **Norwegian VAT (25%)** OR voluntarily register for OSS early - After exceeding: **MUST register for OSS** within 10 days of exceeding threshold **Requirements for ALAI Holding AS:** - ✅ Register for Non-Union OSS via Norwegian Skatteetaten: https://www.skatteetaten.no/en/business-and-organisation/vat-and-duties/vat/foreign-businesses/oss/ - ✅ Charge 25% Croatian VAT on Croatian B2C sales - ✅ File quarterly OSS return (deadlines: Apr 30, Jul 31, Oct 31, Jan 31) - ✅ Keep records of customer country (IP address, billing address, payment method country — 2 out of 3 match) **Alternative (if under €10K):** - Charge **Norwegian VAT (25%)** instead of Croatian VAT — simpler, but customer pays Norwegian VAT (may be confusing for Croatian consumers expecting Croatian VAT on invoice) **Outcome:** ⚠️ If B2C sales >€10,000/year → **OSS registration required** (via Norway, not Croatia directly) --- ### 3.3 Threshold €60,000 — Does it Apply to Foreign Providers? **Answer:** ❌ **NO** — The €60,000 threshold in Croatian VAT Act Art. 90 applies **only to Croatian residents** (natural or legal persons established in Croatia) **Legal Basis:** Croatian VAT Act Art. 90 (_Oslobođenje od plaćanja PDV-a za mala poduzeća_) — small business exemption for domestic entities with turnover <€60K **Foreign providers (like ALAI Holding AS from Norway):** - NOT eligible for Croatian small business exemption - Must follow **place of supply rules** (reverse charge for B2B, OSS for B2C >€10K) - €60,000 threshold does NOT apply **Outcome:** ✅ ALAI Holding AS is **NOT bound by €60K Croatian threshold** — only OSS €10K threshold matters for B2C --- ### 3.4 When MUST Norwegian Provider Register for Croatian VAT? **Mandatory Croatian VAT Registration Triggers:** 1. **Permanent Establishment (PE) in Croatia:** - If ALAI Holding AS establishes Croatian office, hires Croatian employees, or has fixed place of business → PE created → **MUST register for Croatian VAT** - If purely digital service from Norway (no Croatian office/staff) → NO PE → NO Croatian VAT registration needed 2. **Branch (Podružnica) Registration:** - If ALAI registers podružnica in Croatia → **MUST register for Croatian VAT** (branch is taxable person in Croatia) 3. **Exceeding B2C OSS Threshold (€10K):** - If B2C sales >€10K → **MUST register for Non-Union OSS** (in Norway, not Croatia) — see 3.2 above 4. **Supplies NOT Covered by Reverse Charge:** - If ALAI sells goods (not services) or services other than electronic services → may trigger Croatian VAT registration (but SaaS = electronic service → covered by reverse charge/OSS) **Outcome:** ✅ For pure SaaS from Norway (no Croatian PE) → **NO direct Croatian VAT registration needed** — use reverse charge (B2B) and OSS (B2C) --- ## Question 4: Norway-Croatia Double Taxation Treaty **Treaty Status:** ✅ **YES** — Bilateral tax treaty in force **Official Name:** _Convention between the Kingdom of Norway and the Republic of Croatia for the Avoidance of Double Taxation and the Prevention of Fiscal Evasion with Respect to Taxes on Income_ **Signed:** November 14, 2013 **Entered into Force:** December 30, 2014 **Legal Basis:** Norwegian treaty: https://lovdata.no/dokument/TRAK/traktat/2013-11-14-4 **Croatian treaty:** Published in NN-MU 1/2015 (Međunarodni ugovori) --- ### 4.1 Corporate Income Tax (CIT) Treatment **Article 7 (Business Profits):** - Norwegian company's business profits are taxable **only in Norway** UNLESS the company has a **Permanent Establishment (PE)** in Croatia - If PE exists → Croatia may tax profits **attributable to that PE** (arm's length allocation) **For ALAI Holding AS selling SaaS from Norway:** - ✅ No Croatian office, no employees, no fixed place of business → **NO PE** → **taxed in Norway only** (22% Norwegian CIT) - ✅ No Croatian CIT liability (18%/10%) **PE Definition (Art. 5):** - Fixed place of business (office, branch, factory) - Building site/construction project >12 months - Agent with authority to conclude contracts on behalf of company - **Explicitly EXCLUDES:** Server location (per 2017 OECD update on digital economy) — SaaS server in Croatian data center does NOT create PE **Outcome:** ✅ For pure SaaS from Norway → **NO Croatian CIT** (taxed in Norway only at 22%) --- ### 4.2 Withholding Tax (WHT) on Royalties / Licence Fees **Article 12 (Royalties):** - WHT rate: **5%** (reduced treaty rate; Croatian domestic rate is 15%) - **Definition of Royalty:** Payment for use of intellectual property, software licence, patent, trademark, copyright **Does SaaS Subscription = Royalty?** - ⚠️ **DEBATED** — Depends on contract structure: - If Bilko subscription grants **right to use software** (installed/downloaded) → potentially royalty (5% WHT) - If Bilko subscription is **access to cloud service** (no software transfer, pure SaaS) → generally **NOT royalty** (per OECD Model Commentary Art. 12, para. 14.4) → **business profit (Art. 7)** → NO WHT **OECD Guidance (2017 BEPS Action 1):** - Cloud computing (IaaS, PaaS, SaaS) generally **NOT royalty** if customer does not acquire rights to exploit software (only access to service) - Croatian Tax Administration **follows OECD Model** (EU member, OECD observer since 2000s) **Practical Interpretation for Bilko:** - Bilko is **pure SaaS** (web app, no software download, no licence to resell/modify) → **NOT royalty** → **business profit** → NO WHT - If future Bilko offers **downloadable software licence** (on-premise version) → may trigger 5% WHT **Outcome:** ✅ For pure SaaS (no software transfer) → **NO Croatian WHT** (business profit, not royalty) --- ### 4.3 Permanent Establishment (PE) Risk **When Does Norwegian Company Create PE in Croatia?** **Article 5 (Permanent Establishment):** 1. **Fixed place of business** (office, branch, workshop, factory) — YES creates PE 2. **Building site/construction project** >12 months — YES creates PE (not relevant for SaaS) 3. **Dependent agent** with authority to conclude contracts in Croatia on behalf of Norwegian company — YES creates PE 4. **Server location** — ❌ **NO PE** (per OECD Model Art. 5 commentary and 2017 BEPS update) 5. **Employees working remotely** in Croatia for Norwegian company — ⚠️ **GREY AREA**: - If employee is **sales agent** with contract authority → may create PE - If employee is **technical support / developer** without contract authority → generally NO PE (per Art. 5(4) preparatory/auxiliary exception) **Safe Harbors (Art. 5(4) — Activities NOT Creating PE):** - Storage, display, or delivery of goods - Purchasing goods/merchandise - Information gathering - Preparatory or auxiliary activities (e.g., R&D, customer support) **Outcome for ALAI Holding AS:** - ✅ SaaS delivery from Norway (no Croatian office, no staff) → **NO PE** - ⚠️ If future: hire Croatian sales agent with contract authority → **MAY create PE** → Croatian CIT applies to PE profits - ⚠️ If future: open Croatian office → **YES creates PE** → Croatian CIT applies **Recommendation:** Monitor PE risk if hiring Croatian sales/business development staff. Consult Croatian tax advisor before hiring first Croatian employee. --- ## Question 5: e-Račun HR-FISK 2.0 Obligation for Foreign Provider **HR-FISK = Croatian Fiscalization System for Electronic Invoices** (mandatory since January 1, 2026 for B2B, B2G, B2C invoices) **Legal Basis:** - Zakon o fiskalizaciji (Fiscalization Act), NN 115/16 and amendments - Zakon o PDV-u (VAT Act) — Art. 40 (invoice requirements) - Pravilnik o fiskalizaciji (Fiscalization Regulation), NN 37/21 --- ### 5.1 Does HR-FISK Apply to Foreign SaaS Provider? **Answer:** ⚠️ **UNCLEAR — LEGAL GREY AREA** **Arguments FOR Obligation (Foreign Provider Must Comply):** 1. Croatian VAT Act Art. 40 requires **all invoices issued to Croatian customers** (VAT-registered or not) to contain prescribed elements 2. Fiscalization Act Art. 3 defines "taxable person" broadly — if foreign provider serves Croatian market, may be considered taxable person for fiscalization purposes (even if not VAT-registered) 3. HR-FISK penalties (up to €500,000) apply to "anyone issuing invoice to Croatian customer without fiscalization" (Fiscalization Act Art. 30) — does NOT explicitly exempt foreign providers 4. Croatian Tax Administration guidance (2025-2026) suggests **all B2B invoices to Croatian VAT-registered customers should be transmitted via HR-FISK** — but guidance is ambiguous on foreign providers **Arguments AGAINST Obligation (Foreign Provider Exempt):** 1. HR-FISK Regulation Art. 2 applies to "taxable persons **established in Croatia**" — foreign provider from Norway is NOT established in Croatia → arguably exempt 2. EU cross-border e-invoicing rules (Directive 2014/55/EU for B2G) allow **Peppol network** as alternative to national systems — HR-FISK is Peppol-compatible → foreign provider could send via Peppol instead of direct HR-FISK 3. Fiscalization Act Art. 5 exempts "export invoices" (zero-rated supplies) — B2B reverse charge to Croatian customer is similar to export (no Croatian VAT charged) → arguably exempt 4. Practical enforcement: Croatian Tax Administration lacks jurisdiction to penalize foreign provider with no Croatian entity/PE — enforcement would require Norwegian-Croatian tax treaty cooperation (unlikely for pure civil penalty) **FINA Certificate Requirement:** - HR-FISK requires **FINA certificate** (digital certificate issued by FINA for fiscalization) - To obtain FINA certificate, provider must be **registered in Croatian Court Registry** (Trgovački sud) OR have Croatian OIB as legal entity - **Foreign provider without Croatian entity CANNOT obtain FINA certificate** (per FINA website: https://www.fina.hr/certifikati — only Croatian-registered entities eligible) **Outcome:** ⚠️ **UNRESOLVED — TWO SCENARIOS:** **Scenario A (Conservative / Risk-Averse):** - Assume HR-FISK applies to foreign providers → **MUST register Croatian entity** (d.o.o. or branch) to obtain FINA certificate → issue all invoices via HR-FISK - **COST:** €2,630 capital + €8K-€15K annual overhead (d.o.o.) **Scenario B (Pragmatic / Test-Market):** - Assume foreign provider exempt OR use **Peppol alternative** → issue invoices from Norway (PDF or structured XML) → send via Peppol network (Croatia is Peppol member) → Croatian customer receives invoice via Peppol → compliant with EU cross-border e-invoicing - **COST:** €0 (use Norwegian invoicing system with Peppol integration) - **RISK:** If Croatian Tax Administration later clarifies foreign providers must use HR-FISK directly → must pivot to Scenario A (register Croatian entity) OR stop selling to Croatia --- ### 5.2 Peppol as Alternative Path **Peppol = Pan-European Public Procurement Online** (international e-invoicing network) **Croatia Status:** - ✅ Croatia is **Peppol member** (since 2020) - ✅ HR-FISK is **Peppol-compatible** (can receive Peppol invoices) - ✅ EU Directive 2014/55/EU requires public sector (B2G) to accept Peppol invoices **Can ALAI Holding AS Send Invoices via Peppol from Norway?** - ✅ **YES** — Norway is Peppol founding member - ✅ ALAI can register as **Peppol Participant** via Norwegian Peppol Access Point provider (e.g., Basware, Pagero, Visma) - ✅ Send invoices to Croatian customers via Peppol network → Croatian customer's accounting system (or HR-FISK if customer is Peppol-connected) receives invoice automatically **B2B Peppol Acceptance (Not Just B2G):** - ⚠️ **VOLUNTARY for B2B** (not mandated by Croatian law for private sector) - If Croatian customer is Peppol-enabled → can receive Peppol invoice from ALAI - If Croatian customer is NOT Peppol-enabled → must use alternative (PDF email, paper) **Outcome:** ✅ **Peppol is viable alternative** for B2B invoicing IF Croatian customer accepts Peppol invoices. For B2C (Croatian consumers), Peppol less common (most consumers expect PDF or paper invoice). --- ### 5.3 Recommendation for HR-FISK Compliance **Phase 1 (0-50 clients, <€300K revenue):** 1. **Issue invoices from Norway** (PDF or XML) via email 2. **Include reverse charge statement** (for B2B VAT-registered customers) 3. **Monitor Croatian Tax Administration guidance** (watch for clarification on foreign provider obligations) 4. **If Croatian customer requests HR-FISK invoice:** Offer Peppol alternative OR explain that foreign provider without Croatian entity cannot access HR-FISK (customer may accept PDF invoice) 5. **Legal opinion:** Consult Croatian tax lawyer by Q3 2026 for definitive ruling on foreign provider obligation **Trigger for Croatian Entity (for HR-FISK):** - If Croatian Tax Administration issues guidance **requiring foreign providers to use HR-FISK** → register d.o.o. (or j.d.o.o.) to obtain FINA certificate - If >20% of prospects reject due to lack of HR-FISK compliance → consider d.o.o. registration for market access **Outcome:** ⚠️ **HR-FISK compliance = OPEN LEGAL QUESTION** — recommend pragmatic approach (test market without Croatian entity, monitor regulatory developments, pivot if needed) --- ## Risk Flags — Require Local Croatian Legal/Tax Advisor The following issues are **NOT definitively resolved** by this research memo and require confirmation by licensed Croatian attorney and/or tax advisor: 1. **HR-FISK Obligation for Foreign Provider** - Does Fiscalization Act Art. 3 "taxable person" include Norwegian SaaS provider? - Can Peppol invoices substitute for HR-FISK for B2B sales to Croatia? - Penalty risk if foreign provider does not fiscalize (€500,000 fine — but enforceable against Norwegian entity?) 2. **Permanent Establishment (PE) Risk — Future Hiring** - If ALAI hires Croatian employee (sales, customer support) working remotely from Croatia → does this create PE? - If ALAI hires Croatian independent contractor (not employee) → PE risk? - Threshold: how many Croatian-based staff trigger PE under Norway-Croatia treaty Art. 5? 3. **j.d.o.o. Foreign Founder Eligibility** - Can Norwegian company (ALAI Holding AS) be founder of j.d.o.o.? OR only natural person (CEO Alem)? - Some sources say j.d.o.o. founder must be natural person; others say foreign legal entity allowed if representative appointed 4. **OSS vs Direct VAT Registration — Which is Better?** - If B2C sales >€10K, is Non-Union OSS always better than direct Croatian VAT registration? - Cost-benefit: OSS quarterly filing (€0 fee but Norway admin) vs Croatian VAT monthly filing (potential local accountant €200/month) 5. **Obrt/Paušalni Obrt Foreign Ownership — 2026 Update** - Has Croatian law changed post-2023 to allow EEA citizens (including Norway via EEA Agreement) to register obrt without residency? - Current research suggests NO, but legal update possible (verify with Ministry of Economy or HITRO.HR) 6. **FINA Certificate for Branch (Podružnica)** - Can Norwegian company branch obtain FINA certificate? OR only Croatian d.o.o.? - Some sources suggest branch eligible, but FINA website ambiguous **Recommendation:** Engage Croatian law firm specializing in foreign investment + tax advisory firm for 2-hour consultation (estimated cost: €500-€1,000). Provide this memo as background; ask for definitive answers on items 1-6 above. --- ## Next Steps — Actionable Roadmap ### Immediate (Q2 2026 — Before First Croatian Customer) 1. ✅ **Decide Entity Strategy:** - If revenue forecast <€300K/year in Croatia → **No Croatian entity** (direct sale from Norway) - If revenue forecast >€300K OR HR-FISK mandatory for foreign providers → **d.o.o. or j.d.o.o.** 2. ✅ **OIB Decision:** - If registering Croatian entity → CEO Alem obtains OIB (via Croatian embassy in Oslo) - If no Croatian entity → defer OIB (not needed for initial sales) 3. ✅ **VAT Compliance Setup:** - Implement **reverse charge invoicing** for B2B customers (validate customer VAT ID via VIES) - Monitor B2C sales; register for **Non-Union OSS** if approaching €10K threshold (via Norwegian Skatteetaten) 4. ✅ **Legal Opinion (HR-FISK):** - Engage Croatian tax lawyer by **June 30, 2026** for written opinion on HR-FISK obligation for foreign provider - Cost: ~€500-€1,000 (2 hours consultation + written memo) - Recommended firms: - Divjak, Topic & Bahtijarevic (DTB) — Zagreb (EU/tax specialists) - Croatian Law Firm (CLF) — Zagreb (foreign investment focus) - Contact via email with this research memo attached 5. ✅ **Peppol Registration (If No Croatian Entity):** - Register ALAI Holding AS as Peppol Participant via Norwegian Access Point provider - Recommended: **Pagero Norway** (https://www.pagero.com/no/) or **Visma AutoInvoice** (https://www.visma.no/autoinvoice/) - Cost: ~€50-€200/month (volume-based) - Timeline: 1-2 weeks --- ### Short-Term (Q3 2026 — After First 10-20 Customers) 6. ✅ **Monitor Sales Mix:** - Track B2B vs B2C ratio - Track total EU B2C sales (for OSS €10K threshold) - Track customer feedback on invoice format (do they request HR-FISK?) 7. ✅ **Evaluate d.o.o. Registration:** - If >20% prospects require local entity OR HR-FISK mandatory → prepare d.o.o. registration - CEO Alem decides: j.d.o.o. (€1 capital, personal founder) vs d.o.o. (€2,630 capital, company founder) - Engage Croatian corporate lawyer for registration (cost: ~€1,000-€2,000 including court fees) 8. ✅ **Croatian Bank Account (If d.o.o. Registered):** - Open business account with Croatian bank (recommend: Zagrebačka banka or Privredna banka Zagreb — foreigner-friendly) - Requires: OIB, d.o.o. registration, founder ID, proof of business activity (Bilko website, contracts) --- ### Medium-Term (Q4 2026-Q1 2027 — Scale-Up Phase) 9. ✅ **Hire Croatian Accountant (If d.o.o.):** - Engage Croatian accounting firm for monthly bookkeeping + annual FINA filing - Cost: ~€500-€1,000/month (depending on transaction volume) - Recommended: firms with foreign SMB clients (English-speaking) 10. ✅ **Permanent Establishment Review:** - If hiring Croatian employees/contractors → consult Norwegian + Croatian tax advisor on PE risk - Document: employee role (sales vs support), contract authority, work location - Goal: avoid accidental PE creation (triggers Croatian CIT on attributable profits) 11. ✅ **Annual Compliance (If d.o.o.):** - File annual financial statements with FINA by **April 30** each year - File Croatian CIT return (if d.o.o. profitable) by **April 30** - Pay Croatian CIT: 10% (if revenue <€1M) or 18% (if >€1M) - Transfer profits to Norwegian parent (10% WHT on dividends, creditable in Norway per treaty) --- ## Sources Cited This research memo is based on the following Croatian and Norwegian legal sources: ### Croatian Legal Framework 1. **Zakon o trgovačkim društvima** (Companies Act), Narodne novine (NN) 111/93, consolidated with amendments through NN 40/19 URL: https://www.zakon.hr/z/546/Zakon-o-trgova%C4%8Dkim-dru%C5%A1tvima 2. **Zakon o porezu na dodanu vrijednost** (VAT Act), NN 73/13, consolidated with amendments through NN 138/21 URL: https://www.zakon.hr/z/392/Zakon-o-porezu-na-dodanu-vrijednost 3. **Zakon o porezu na dobit** (Corporate Income Tax Act), NN 177/04, consolidated with amendments through NN 138/21 URL: https://www.zakon.hr/z/85/Zakon-o-porezu-na-dobit 4. **Zakon o obrtu** (Crafts Act), NN 143/13, consolidated with amendments through NN 127/19 URL: https://www.zakon.hr/z/418/Zakon-o-obrtu 5. **Zakon o fiskalizaciji** (Fiscalization Act), NN 115/16 URL: https://narodne-novine.nn.hr/clanci/sluzbeni/2016_11_115_2516.html 6. **Zakon o osobnom identifikacijskom broju** (Personal Identification Number Act), NN 60/08 URL: https://www.zakon.hr/z/320/Zakon-o-osobnom-identifikacijskom-broju 7. **Croatian Tax Administration (Porezna uprava)** — VAT and fiscalization guidance URL: https://porezna-uprava.gov.hr/ 8. **FINA (Financial Agency)** — HR-FISK 2.0 documentation URL: https://www.fina.hr/ and https://hr-fisk.fina.hr/ 9. **HITRO.HR** — Croatian company registration portal URL: https://hitro.hr/ 10. **Pravilnik o fiskalizaciji** (Fiscalization Regulation), NN 37/21 URL: https://narodne-novine.nn.hr/clanci/sluzbeni/2021_04_37_713.html --- ### Norway-Croatia Tax Treaty 11. **Convention between the Kingdom of Norway and the Republic of Croatia for the Avoidance of Double Taxation** (November 14, 2013, in force December 30, 2014) Norwegian text: https://lovdata.no/dokument/TRAK/traktat/2013-11-14-4 Croatian publication: NN-MU 1/2015 --- ### EU/International Framework 12. **EU VAT Directive 2006/112/EC** (place of supply rules, Arts. 44, 58) URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32006L0112 13. **EU Directive 2014/55/EU** (electronic invoicing in public procurement — Peppol) URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014L0055 14. **OECD Model Tax Convention on Income and on Capital** (2017 version, Art. 5 PE, Art. 7 Business Profits, Art. 12 Royalties) URL: https://www.oecd.org/tax/treaties/ 15. **OECD BEPS Action 1** (2015/2017) — Addressing the Tax Challenges of the Digital Economy URL: https://www.oecd.org/tax/beps/beps-actions/action1/ 16. **EU VIES System** (VAT Information Exchange System) — Croatian VAT ID verification URL: https://ec.europa.eu/taxation_customs/vies/ 17. **Peppol Network Documentation** — Croatia as Peppol Authority URL: https://peppol.org/ and https://www.fina.hr/peppol --- ### Norwegian Framework 18. **Norwegian Tax Administration (Skatteetaten)** — Non-Union OSS registration URL: https://www.skatteetaten.no/en/business-and-organisation/vat-and-duties/vat/foreign-businesses/oss/ 19. **Norwegian Companies Register (Brønnøysundregistrene)** — ALAI Holding AS registration URL: https://www.brreg.no/ (Org.nr 932 516 136) --- ## Evidence Count **Total sources cited:** 19 (10 Croatian legal acts, 1 bilateral treaty, 6 EU/OECD instruments, 2 Norwegian regulatory sources) **Primary legal acts analyzed:** 6 (Companies Act, VAT Act, CIT Act, Crafts Act, Fiscalization Act, OIB Act) **Unresolved legal questions flagged:** 6 (see Risk Flags section) **Recommendation:** Engage licensed Croatian attorney for definitive legal opinion (estimated cost €500-€1,000, 2-4 hour consultation). --- ## Document Status **Version:** 1.0 **Date:** 2026-05-28 **Author:** Lexicon (ALAI Legal/Compliance Subagent) **Reviewer:** Pending (requires CEO Alem Basic + Croatian legal counsel review) **Next Review:** Q3 2026 (after Croatian Tax Administration clarifies foreign provider HR-FISK obligations) **Disclaimer:** This document is an internal research memo for ALAI Holding AS management. It does NOT constitute legal advice. Final decisions on entity structure, tax compliance, and HR-FISK obligations MUST be confirmed by licensed Croatian attorney and tax advisor before implementation. --- **END OF MEMO** # 03 — Bank Integration Plan — PSD2 / Tok / QWAC # Croatia (HR) Bank Integration Plan — Bilko via Tok Platform **Author:** Markos Zachariadis (Finverge) **Date:** 2026-05-28 **Version:** 1.0 **Status:** DOCUMENT-ONLY (no code, no deploy) **MC Task:** #102423 --- ## TL;DR — Recommended Path 1. **EEA passporting via Finanstilsynet** (NO → HR) is the ONLY viable path for Q3 2026 HR launch. Direct HANFA authorization takes 6+ months plus €125K capital. 2. **QWAC from DigiCert or GlobalSign** after Finanstilsynet AISP approval — 5-15 days, ~€300-800/year. 3. **Top 4 banks = 73% market coverage:** Zagrebačka banka (UniCredit), Privredna banka Zagreb (Intesa), Erste Bank HR, OTP Banka HR — all have Berlin Group NextGenPSD2 v1.3.x developer portals with sandbox access. 4. **Tok coverage gap:** NO Croatian banks currently integrated. Priority P0: 4 banks above. P1: Raiffeisen, Addiko, HPB. 5. **Risk flag:** 90-day consent re-authentication UX is CRITICAL — without it, ALL users disconnect simultaneously after 90 days. --- ## 1. Per-Bank PSD2 NextGenPSD2 Readiness Matrix ### Croatian Banking Market Context **Source:** Croatian National Bank (HNB) Banking Sector Report 2024 (https://www.hnb.hr/en/statistics/statistical-data/credit-institutions) Croatia has ~17 credit institutions offering PSD2 APIs via the Croatian API Hub (HUB). The hub mandates Berlin Group NextGenPSD2 minimum v1.3.8 (current framework v1.3.16). **Top 7 banks by SMB market share** (estimated from HNB Q4 2025 data): | Rank | Bank | Market Share (SMB deposits) | Parent Group | |------|------|----------------------------|-------------| | 1 | Zagrebačka banka (Zaba) | ~28% | UniCredit (IT) | | 2 | Privredna banka Zagreb (PBZ) | ~24% | Intesa Sanpaolo (IT) | | 3 | Erste Bank Croatia | ~12% | Erste Group (AT) | | 4 | OTP Banka Hrvatska | ~9% | OTP Group (HU) | | 5 | Raiffeisenbank Austria d.d. (RBA) | ~7% | Raiffeisen Bank International (AT) | | 6 | Addiko Bank d.d. | ~4% | Addiko Group (AT) | | 7 | Hrvatska poštanska banka (HPB) | ~3% | Croatian Post (state-owned) | | — | **TOTAL (Top 7)** | **~87%** | — | **Cumulative coverage:** - **Top 4 banks = ~73%** of SMB market - **Top 7 banks = ~87%** of SMB market --- ### Bank-by-Bank Readiness Matrix | Bank | Developer Portal URL | NGPSD2 Version | Sandbox Status | Production Status | AISP Support | PISP Support | SCA Type | Blockers / Known Issues | |------|---------------------|----------------|---------------|------------------|------------|------------|----------|------------------------| | **Zagrebačka banka (Zaba)** | https://developer.unicredit.eu | Berlin Group v1.3.12 | ✅ Active — public sandbox, test PSU credentials provided | ✅ Active — requires AISP NCA registration | ✅ Accounts, Balances, Transactions | ✅ SEPA CT, SEPA Instant | Redirect (OAuth 2.0) | None known. UniCredit Group has mature PSD2 infrastructure (live since 2019). | | **Privredna banka Zagreb (PBZ)** | https://apiportal.pbz.hr | Berlin Group v1.3.8 (HUB minimum) | ✅ Active — requires developer registration | ✅ Active — requires AISP NCA registration + QWAC | ✅ Accounts, Balances, Transactions | ✅ SEPA CT | Redirect (OAuth 2.0) | PBZ portal documentation is Croatian-only (no English version). API responses are standard Berlin Group (English). | | **Erste Bank Croatia** | https://developers.erstegroup.com | Berlin Group v1.3.10 | ✅ Active — shared Erste Group sandbox, requires developer account | ✅ Active — requires AISP NCA registration + QWAC | ✅ Accounts, Balances, Transactions | ✅ SEPA CT, SEPA Instant | Redirect (OAuth 2.0) | Erste Group sandbox covers HR, CZ, SK, AT. Croatian-specific endpoints documented separately. | | **OTP Banka Hrvatska** | https://apiportal.sandbox.otpbanka.hr (sandbox)
https://api.otpbanka.hr (production) | Berlin Group v1.3.8 | ✅ Active — public sandbox | ✅ Active — requires AISP NCA registration + QWAC | ✅ Accounts, Balances, Transactions | ⚠️ Limited — SEPA CT only (no Instant confirmed) | Redirect (OAuth 2.0) | OTP Group has PSD2 infrastructure but less mature than UniCredit/Erste. Sandbox availability is a positive signal. | | **Raiffeisenbank Austria d.d. (RBA)** | https://api.rbinternational.com
(RBI Group portal) | Berlin Group v1.3.12 | ✅ Active — shared RBI Group sandbox | ✅ Active — requires AISP NCA registration + QWAC | ✅ Accounts, Balances, Transactions | ✅ SEPA CT, SEPA Instant | Redirect (OAuth 2.0) | RBI Group portal covers AT, CZ, SK, HR, RS. Croatian RBA endpoints are explicitly documented. | | **Addiko Bank d.d.** | https://oapideveloper.addiko.hr | Berlin Group v1.3.6 | ✅ Active — public sandbox | ⚠️ Production availability unclear — portal does not explicitly state production readiness. Direct outreach recommended. | ✅ Accounts, Balances, Transactions | ❓ Not documented | Redirect (OAuth 2.0) | Addiko Group has active PSD2 portals in AT, SI, BA, RS, ME. Croatian portal exists but production status needs verification with Addiko digital team. | | **Hrvatska poštanska banka (HPB)** | https://openbanking.hpb.hr | Berlin Group v1.3.8 | ✅ Active — sandbox available | ⚠️ Production status unclear — portal exists but no explicit production documentation | ✅ Accounts, Balances, Transactions (documented) | ❓ Not documented | Redirect (OAuth 2.0) | HPB is state-owned (Croatian Post). Portal exists but maturity is unclear. Recommend direct contact: openbanking@hpb.hr | **Sources cited:** - UniCredit Developer Portal: https://developer.unicredit.eu/apis - PBZ API Portal: https://apiportal.pbz.hr - Erste Developers Portal: https://developers.erstegroup.com - OTP Sandbox Portal: https://apiportal.sandbox.otpbanka.hr - RBI API Portal: https://api.rbinternational.com/developer-portal - Addiko Developer Portal: https://oapideveloper.addiko.hr - HPB Open Banking Portal: https://openbanking.hpb.hr - Croatian API HUB specifications: https://hub.hr/en/psd2-open-api (Berlin Group v1.3.8 minimum mandate confirmed) --- ### Implementation Priority (Slice Plan) #### P0 — MUST-HAVE for HR launch (Q3 2026) **Target: 73% SMB market coverage** | Bank | Justification | Estimated Integration Effort | |------|--------------|----------------------------| | Zagrebačka banka (Zaba) | 28% market share + mature UniCredit infrastructure + English documentation + active sandbox | 3 weeks (BerlinGroupAdapter already designed per Tok docs) | | Privredna banka Zagreb (PBZ) | 24% market share + Intesa Group infrastructure + active production API | 3 weeks (Croatian-only docs add 2-3 days translation/verification overhead) | | Erste Bank Croatia | 12% market share + Erste Group mature PSD2 infrastructure | 2 weeks (Erste Group has best-in-class API documentation) | | OTP Banka Hrvatska | 9% market share + public sandbox availability | 3 weeks (less mature than UniCredit/Erste, additional testing buffer) | **Total P0 effort:** ~11 weeks (parallelizable to ~4-5 weeks with 3 concurrent integrations) --- #### P1 — POST-LAUNCH (Q4 2026) **Target: +14% SMB market coverage (cumulative 87%)** | Bank | Justification | Estimated Effort | |------|--------------|-----------------| | Raiffeisenbank Austria d.d. | 7% market share + RBI Group infrastructure | 2 weeks | | Addiko Bank d.d. | 4% market share + group infrastructure BUT production status needs verification | 3 weeks (includes direct outreach + verification) | | Hrvatska poštanska banka (HPB) | 3% market share + state-owned (government contracts potential) | 3 weeks (portal exists but maturity unclear) | **Total P1 effort:** ~8 weeks (parallelizable to ~3 weeks) --- #### P2 — NICE-TO-HAVE (Q1 2027+) Remaining ~10 smaller banks (each <2% market share). Examples: - Istarska kreditna banka Umag - Karlovačka banka - Slatina Banka - Partner banka - Kentbank **Assessment:** Diminishing returns. Total coverage from these banks <13%. Recommend on-demand integration only if specific Bilko customer requests justify effort. --- ## 2. eIDAS QWAC/QSeal Certificate Plan ### Croatian Qualified Trust Service Providers (QTSP) **Source:** EU Trusted List (https://eidas.ec.europa.eu/efts/tl-browser, Croatia section) Croatia has **3 QTSPs** on the EU Trusted List: | QTSP Name | Services Offered | Website | QWAC for PSD2 | Notes | |-----------|-----------------|---------|--------------|-------| | **FINA — Financijska agencija** | Qualified certificates (eID, eSignature, eSeal) | https://www.fina.hr | ❌ NOT OFFERED | FINA is primarily a state agency for financial reporting/registry services. Does NOT issue QWAC for PSD2 use cases. | | **AKD d.o.o.** | Qualified certificates (eSignature, eSeal, Timestamp) | https://www.akd.hr | ❌ NOT CONFIRMED | AKD offers qualified e-signatures but does NOT explicitly list PSD2 QWAC on their website (checked 2026-05-28). Recommend direct inquiry: info@akd.hr, +385 1 6311 833. | | **T-Com (T-Hrvatski Telekom)** | Qualified certificates (eID, eSignature) | https://www.t.ht.hr | ❌ NOT CONFIRMED | T-Com issues eID certificates for Croatian citizens. No PSD2 QWAC offering documented. | **Conclusion:** **NO Croatian QTSP offers PSD2 QWAC for TPPs.** This is a common gap in smaller EU markets. Croatian banks accept QWAC from ANY EU/EEA QTSP per eIDAS regulation. --- ### EEA QTSP Options for ALAI Holding AS (NO company) **Key constraint:** ALAI Holding AS is registered in Norway (EEA but non-EU). eIDAS mutual recognition applies — Norwegian QTSP-issued QWAC is valid across EEA (including Croatia). #### Option A: Norwegian QTSP (NO) | Provider | Service | Price (estimated) | Timeline | Notes | |----------|---------|------------------|----------|-------| | **Buypass AS** | QWAC for PSD2 | ❌ DISCONTINUED (01.10.2025) | — | Buypass was Norway's primary PSD2 QTSP but exited the market. | | **Commfides** | Qualified certificates (eSignature, eSeal) | ❌ NO PSD2 QWAC OFFERING | — | Commfides (Norwegian QTSP) does NOT offer PSD2 QWAC as of 2026-05-28. Confirmed via https://www.commfides.com/en/products | **Conclusion:** **NO Norwegian QTSP currently offers PSD2 QWAC.** Norway's small PSD2 market (population 5.5M) makes this commercially non-viable for Norwegian QTSPs. --- #### Option B: International QTSP with EEA Coverage (RECOMMENDED) | Provider | Service | Price (annual) | Timeline | Notes | Contact | |----------|---------|---------------|----------|-------|---------| | **DigiCert (via QuoVadis)** | QWAC + QSeal for PSD2 | €300-600 (QWAC)
€400-800 (QWAC + QSeal bundle) | 5-10 business days after NCA authorization number | ✅ **RECOMMENDED.** DigiCert acquired QuoVadis (Bermuda QTSP, EU-qualified). Mature PSD2 offering. Used by 40+ European TPPs. English support. | https://www.digicert.com/psd2
psd2@digicert.com | | **GlobalSign** | QWAC for PSD2 | €400-800 | 7-15 business days after NCA authorization | ✅ **RECOMMENDED.** GlobalSign (BE/UK QTSP) has dedicated PSD2 team. Strong reputation. | https://www.globalsign.com/en/psd2
sales@globalsign.com | | **Sectigo (formerly Comodo)** | QWAC for PSD2 | €250-500 | 10-15 business days | ✅ VIABLE. UK-based QTSP. Lower price point but slower issuance. | https://sectigo.com/ssl-certificates-tls/psd2 | | **D-Trust (Bundesdruckerei)** | QWAC + QSeal for PSD2 | €500-900 | 7-14 business days | ✅ VIABLE. German QTSP (state-owned Bundesdruckerei subsidiary). Very high trust level but German-centric documentation. | https://www.d-trust.net/en/products/psd2 | **Recommendation:** **DigiCert (QuoVadis)** — best balance of price (€300-600), speed (5-10 days), English support, and proven PSD2 track record. --- ### Certificate Validity & Renewal - **QWAC validity:** Typically 1 year (per eIDAS) - **QSeal validity:** Typically 1-3 years - **Renewal process:** 3-5 business days (faster than initial issuance, no re-verification of NCA registration required) - **Auto-renewal:** DigiCert and GlobalSign offer automatic renewal reminders 30 days before expiry --- ### Can ALAI Holding AS (NO company) obtain QWAC from Croatian QTSP? **Answer:** **Theoretically YES (eIDAS mutual recognition), but PRACTICALLY NO** because Croatian QTSPs do not offer PSD2 QWAC services. **Legal basis:** - eIDAS Regulation (EU) 910/2014 Article 13: Qualified certificates issued in one member state are recognized in all member states. - Norway is EEA (European Economic Area) via EEA Agreement Annex XI — eIDAS applies to Norway. **Practical reality:** - FINA does not issue QWAC for PSD2. - AKD and T-Com do not explicitly offer PSD2 QWAC (and their websites show no PSD2-specific products). **Conclusion:** ALAI must use an international QTSP (DigiCert/GlobalSign/Sectigo/D-Trust). --- ### Cross-Border QWAC Recognition (NO → HR) **Question:** Does a Norwegian-entity-issued QWAC from an EEA QTSP work with Croatian banks? **Answer:** **YES — guaranteed by eIDAS regulation.** **Legal basis:** - eIDAS Regulation (EU) 910/2014 Article 14: Qualified trust services provided in one member state are recognized in all member states. - Croatian Zakon o elektroničkoj identifikaciji i uslugama od povjerenja (NN 51/2016) transposes eIDAS into Croatian law. - Croatian banks MUST accept QWAC from ANY QTSP on the EU Trusted List (https://eidas.ec.europa.eu/efts/tl-browser). **Practical confirmation:** - All Berlin Group NextGenPSD2-compliant banks (including all Croatian HUB banks) are required to accept QWAC from any EU/EEA QTSP. - UniCredit, Intesa, Erste, OTP, RBI documentation explicitly states "QWAC from any EU/EEA QTSP." **No additional Croatian-specific QWAC required.** --- ## 3. TPP Regulatory Decision Matrix ### Regulatory Requirement for HR Bank Access To access Croatian bank APIs under PSD2, Tok platform must be a **registered AISP (Account Information Service Provider)** recognized by Croatian National Bank (HNB). **Source:** Zakon o platnom prometu (NN 66/2018, transposing PSD2 Directive 2015/2366), Article 48 (Usluge pružanja informacija o računu). --- ### Option A: Direct HANFA/HNB Authorization (Croatian AISP license) | Criterion | Detail | |-----------|--------| | **Regulator** | HNB (Hrvatska narodna banka) | | **Application Process** | Submit to HNB licensing department: program of operations, business plan, IT security documentation, fit & proper declarations, AML/KYC policies | | **Capital Requirement** | €125,000 initial capital (per Zakon o platnom prometu, NN 66/2018, Article 56) | | **Timeline** | 3-6 months (statutory 3 months but realistic 4-6 months per HNB processing time) | | **Annual Cost** | €125K locked capital + €5,000-10,000 regulatory fees + ongoing compliance (MLRO, audits, reporting) = **€15,000-20,000/year operational cost** | | **Pros** | Direct relationship with HNB; no dependency on home regulator | | **Cons** | **BLOCKER for Q3 2026 launch:** €125K capital requirement + 4-6 month timeline makes this infeasible for MVP. ALAI Holding AS would need to inject €125K into Croatian subsidiary. | | **Verdict** | ❌ **NOT VIABLE for Q3 2026 launch.** Only consider if EEA passporting fails or for long-term strategic reasons (e.g., expanding to non-EEA Balkan markets). | **Sources:** - Zakon o platnom prometu (NN 66/2018): https://narodne-novine.nn.hr/clanci/sluzbeni/2018_06_66_1334.html - HNB Licensing Page: https://www.hnb.hr/en/core-functions/payment-system/licensing --- ### Option B: EEA Passporting from Finanstilsynet (NO → HR) — RECOMMENDED | Criterion | Detail | |-----------|--------| | **Regulator** | Finanstilsynet (Norway) — home regulator
HNB (Croatia) — host regulator (receives notification) | | **Application Process** | 1. Apply for AISP registration (opplysningsfullmektig) at Finanstilsynet
2. Submit: programme of operations, business plan, IT security documentation, PII insurance (€50K minimum), fit & proper declarations
3. Finanstilsynet approves → notifies HNB under PSD2 Article 28 passporting
4. Service can commence 30-60 days after notification (confirm exact timeline with Finanstilsynet) | | **Capital Requirement** | **€0** (AISP registration requires NO capital in Norway, only PII insurance) | | **PII Insurance** | €50,000 minimum aggregate annual coverage (EBA/GL/2017/08 floor for new AISPs without 12-month operational history)
Provider: Nordic Guarantee (nordicguarantee.com) or Howden Norway (howdengroup.com/no-en)
Cost: €800-2,500/year | | **Timeline** | 2-3 months (Finanstilsynet AISP registration) + 1 month (passporting notification to HNB) = **3-4 months total** | | **Annual Cost** | NOK 5,000-30,000 Finanstilsynet fee (one-time or annual per §6-13(3), confirm with Finanstilsynet) + €800-2,500 PII insurance + €300-800 QWAC = **€2,000-4,000/year operational cost** | | **Pros** | ✅ NO capital requirement
✅ Fastest path (3-4 months)
✅ Covers ALL EEA countries (not just Croatia) — includes Austria, Germany, Netherlands, etc. for future expansion
✅ ALAI Holding AS already Norwegian entity — no subsidiary required | | **Cons** | Dependency on Finanstilsynet (but Norway has mature PSD2 regulatory framework and fast processing times) | | **Verdict** | ✅ **RECOMMENDED.** ONLY viable path for Q3 2026 HR launch. Capital efficiency (€0 vs €125K), timeline (3-4 months vs 4-6 months), and EEA-wide coverage make this the clear choice. | **PSD2 Legal Basis:** - PSD2 Directive 2015/2366, Article 28 (Freedom to provide services): Payment institutions authorized in one member state may provide services in other member states via passporting. - Finanstilsynet Regulation §6-13 (AISP registration): https://www.finanstilsynet.no/regelverk-og-tilsyn/lover-og-regler/finansforetaksloven/ - EBA/GL/2017/08 (PII Guidelines): https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-professional-indemnity-insurance **HNB Confirmation:** - HNB Registered AISPs page explicitly lists EEA-passported providers: https://www.hnb.hr/en/core-functions/payment-system/licensing/registered-account-information-service-providers - Example: Tink AB (Sweden) and Plaid Financial Ltd (Ireland) are listed as passported AISPs operating in Croatia. --- ### Option C: Third-Party Licensed Aggregator (Sub-TPP Model) | Provider | Model | Cost | Pros | Cons | Verdict | |----------|-------|------|------|------|---------| | **Tink (Visa)** | Tok integrates with Tink API; Tink holds AISP license and bank connections | Likely €5,000-15,000/year + per-transaction fees | ✅ Fast (no AISP registration)
✅ Tink already has Croatian bank integrations | ❌ DATA CONTROL LOSS — Tink owns the bank relationship, not Tok
❌ VENDOR LOCK-IN — cannot migrate to direct bank connections without user re-consent
❌ COST SCALING — per-user or per-transaction fees scale poorly
❌ NO DIFFERENTIATION — Tok becomes a Tink reseller, not a platform | ❌ **NOT RECOMMENDED.** Defeats the purpose of Tok as an independent Open Banking platform. Only viable if ALAI abandons Tok platform strategy and Bilko uses Tink directly. | | **Yapily** | Same as Tink | Likely €8,000-20,000/year + usage fees | Same as Tink | Same as Tink | ❌ **NOT RECOMMENDED.** Same reasoning as Tink. | | **Salt Edge** | Same as Tink | Unknown (enterprise pricing) | Same as Tink | Same as Tink + Salt Edge primarily does bank-side compliance consulting, not TPP aggregation for Croatia | ❌ **NOT RECOMMENDED.** Salt Edge's Croatian presence is bank-side (e.g., Saga partnership), not TPP aggregation. | **Conclusion:** Sub-TPP model via Tink/Yapily/Salt Edge **undermines the strategic rationale for Tok platform.** If ALAI goes this route, Bilko should integrate directly with Tink/Yapily and abandon Tok platform development. --- ### Decision Matrix Summary | Criterion | Option A: Direct HANFA/HNB | Option B: EEA Passporting (Finanstilsynet) | Option C: Sub-TPP (Tink/Yapily) | |-----------|----------------------------|-------------------------------------------|-------------------------------| | **Time to Market** | 4-6 months | **3-4 months** ✅ | 1-2 months | | **Capital Requirement** | €125,000 | **€0** ✅ | €0 | | **Annual Cost** | €15,000-20,000 | **€2,000-4,000** ✅ | €5,000-15,000+ (scales with usage) | | **Data Control** | ✅ Full control | ✅ Full control | ❌ Vendor owns data | | **Strategic Fit** | ✅ Direct HR presence | ✅ EEA-wide coverage | ❌ Defeats Tok platform strategy | | **Feasibility for Q3 2026** | ❌ NO (capital + timeline) | ✅ **YES** | ✅ YES (but strategically wrong) | **RECOMMENDED PATH: Option B — EEA Passporting via Finanstilsynet.** --- ## 4. Tok Gap Analysis for HR Market ### Current Tok Platform Status **Source:** `~/business/ALAI-Holding-AS/products/Tok/docs/INDEX.md` (read 2026-05-28) | Component | Status (as of 2026-05-28) | |-----------|-------------------------| | **API Server (Kotlin/Ktor)** | Foundation built — Q2 2026 target | | **Croatian Bank Integration** | ❌ **NONE.** Architecture ready, sandbox pending — Q3 2026 target | | **AISP Registration (Finanstilsynet)** | ❌ **NOT STARTED.** Email to Finanstilsynet sent 24.02.2026 per Balkan Strategy doc. No follow-up documented. | | **QWAC Certificate** | ❌ **NOT OBTAINED.** Requires AISP authorization number from Finanstilsynet first. | | **Berlin Group Adapter** | ✅ Designed per `~/business/ALAI-Holding-AS/products/Tok/docs/architecture/BANK-API-INTEGRATION.md` but NOT implemented. | | **Consent Manager** | ⚠️ Designed but NOT implemented. 90-day re-authentication logic CRITICAL. | | **Transaction Sync Engine** | ⚠️ Designed (BullMQ + dedup) but NOT implemented. | | **Node.js SDK (`@tokapi/sdk`)** | ✅ Built per INDEX.md | | **Python SDK (`tokapi-sdk`)** | ✅ Built per INDEX.md | | **Webhooks** | ❌ Designed, NOT implemented — Q3 2026 target | | **PISP (Payment Initiation)** | ❌ Planned Q3 2026+ | --- ### Bank Coverage Gap | Bank | Market Share | Tok Status | Gap | |------|-------------|-----------|-----| | Zagrebačka banka (Zaba) | 28% | ❌ NOT INTEGRATED | **P0 BLOCKER** | | Privredna banka Zagreb (PBZ) | 24% | ❌ NOT INTEGRATED | **P0 BLOCKER** | | Erste Bank Croatia | 12% | ❌ NOT INTEGRATED | **P0 BLOCKER** | | OTP Banka Hrvatska | 9% | ❌ NOT INTEGRATED | **P0 BLOCKER** | | Raiffeisenbank Austria d.d. | 7% | ❌ NOT INTEGRATED | P1 | | Addiko Bank d.d. | 4% | ❌ NOT INTEGRATED | P1 | | HPB | 3% | ❌ NOT INTEGRATED | P1 | | **TOTAL Coverage** | **87%** | **0%** | **100% gap** | **Assessment:** Tok has ZERO Croatian bank coverage. All P0 banks (73% market coverage) are BLOCKING for Bilko HR launch. --- ### Functional Gap Analysis #### P0 — MUST-HAVE for Bilko HR Launch (Q3 2026) | Feature | Tok Design Status | Implementation Status | Bilko Dependency | Estimated Effort | |---------|------------------|---------------------|-----------------|-----------------| | **AISP Registration (Finanstilsynet)** | ✅ Process documented in `BALKAN-STRATEGY.md` | ❌ NOT STARTED | BLOCKER — cannot access ANY Croatian bank API without AISP + QWAC | 3-4 months (regulatory timeline) | | **QWAC Certificate (DigiCert/GlobalSign)** | ✅ Process documented | ❌ NOT OBTAINED | BLOCKER — Berlin Group API requires QWAC mTLS | 5-10 days after AISP authorization | | **Berlin Group Adapter (BerlinGroupAdapter)** | ✅ Designed (`BANK-API-INTEGRATION.md`) | ❌ NOT IMPLEMENTED | BLOCKER — no API calls possible without adapter | 2 weeks (code) + 2 weeks (testing) = 4 weeks | | **Consent Manager (90-day lifecycle)** | ✅ Designed | ❌ NOT IMPLEMENTED | BLOCKER — without 90-day re-auth UX, ALL users disconnect simultaneously after 90 days | 3 weeks (consent creation + OAuth flow + 90-day expiry tracking + re-auth UI/email reminders) | | **Transaction Sync Engine (BullMQ + dedup)** | ✅ Designed | ❌ NOT IMPLEMENTED | BLOCKER — no automatic bank feed without sync engine | 3 weeks (sync scheduling + API calls + dedup + error handling) | | **Bank Integration: Zagrebačka banka** | ⚠️ Sandbox account NOT created | ❌ NOT INTEGRATED | P0 — 28% market share | 3 weeks (sandbox testing + production verification) | | **Bank Integration: PBZ** | ⚠️ Sandbox account NOT created | ❌ NOT INTEGRATED | P0 — 24% market share | 3 weeks | | **Bank Integration: Erste Bank HR** | ⚠️ Sandbox account NOT created | ❌ NOT INTEGRATED | P0 — 12% market share | 2 weeks (Erste has best docs) | | **Bank Integration: OTP Banka HR** | ⚠️ Sandbox account NOT created | ❌ NOT INTEGRATED | P0 — 9% market share | 3 weeks | | **Database Schema (BankConnection, BankTransaction extensions)** | ✅ Designed (`BALKAN-STRATEGY.md`) | ❌ NOT IMPLEMENTED | BLOCKER — no data model to store consent + tokens + transactions | 1 week (Prisma schema + migration) | | **Token Encryption (AES-256-GCM + GCP Cloud KMS)** | ✅ Specified | ❌ NOT IMPLEMENTED | P0 — PSD2 compliance requirement + GDPR | 2 weeks (KMS integration + encryption/decryption helpers) | **Total P0 Effort (excluding regulatory timeline):** - Core engine: 4 weeks (adapter) + 3 weeks (consent mgr) + 3 weeks (sync engine) + 1 week (DB schema) + 2 weeks (encryption) = **13 weeks** - Bank integrations: 3+3+2+3 = **11 weeks** (parallelizable to 3-4 weeks with concurrent integration work) - **Critical path: ~16-17 weeks** (assuming parallel work) - **Plus regulatory: +12-16 weeks** (AISP registration 3-4 months) - **TOTAL: ~28-33 weeks (7-8 months) from start to Bilko HR launch-ready Tok** **Realistic Q3 2026 Launch Assessment:** - If AISP application starts **THIS WEEK (late May 2026)**, AISP approval = **August/September 2026**. - If Tok core engine + bank integration work starts in **parallel with AISP application**, technical readiness = **August/September 2026**. - **Q3 2026 launch is THEORETICALLY FEASIBLE but HIGH RISK.** Any regulatory delay → Q4 2026 slip. --- #### P1 — POST-LAUNCH Enhancement (Q4 2026) | Feature | Bilko Benefit | Estimated Effort | |---------|--------------|-----------------| | **Bank Integration: Raiffeisenbank** | +7% market coverage | 2 weeks | | **Bank Integration: Addiko Bank** | +4% market coverage | 3 weeks (includes production verification outreach) | | **Bank Integration: HPB** | +3% market coverage + government contract potential | 3 weeks | | **Auto-Match Engine (invoice ↔ transaction matching)** | Reduces manual reconciliation time for Bilko users by 60-80% (estimated) | 4 weeks (PIB/OIB extraction + amount/date/reference fuzzy matching + confidence scoring) | | **Webhooks (transaction notifications)** | Enables real-time bank feed updates (vs. polling every 4 hours) | 3 weeks (webhook design already documented) | | **Reconciliation Module (UI for manual review)** | Handles low-confidence auto-matches | 3 weeks (frontend + backend endpoints) | **Total P1 Effort:** ~18 weeks (parallelizable to ~6-8 weeks) --- #### P2 — NICE-TO-HAVE (Q1 2027+) | Feature | Bilko Benefit | Estimated Effort | |---------|--------------|-----------------| | **PISP (Payment Initiation)** | Pay invoices directly from Bilko (no manual bank login) | 8 weeks (requires PISP authorization upgrade at Finanstilsynet — regulatory timeline 2-3 months, capital requirement €50K for Serbia only, €0 for EEA) | | **Smaller banks (P2 bank list)** | +13% market coverage (but diminishing returns) | 2-3 weeks per bank × 10 banks = 20-30 weeks | | **Serbian bank integration** | Opens Serbian market for Bilko | Per `BALKAN-STRATEGY.md`, requires ALAI Tech d.o.o. NBS registration — Q4 2026 earliest | | **BiH bank integration** | Opens BiH market for Bilko | Bilateral agreements — Q1 2027 earliest | --- ### Slice Plan — Recommended Delivery Sequence #### Slice 0: Regulatory Foundation (PARALLEL with Slice 1) **Timeline:** Start immediately (late May 2026) → Complete August/September 2026 | Task | Owner | Effort | Blocking? | |------|-------|--------|----------| | Submit AISP application to Finanstilsynet | John (orchestrator) | 2 weeks (document prep + submission) | ✅ BLOCKER for all bank API access | | Procure PII insurance (Nordic Guarantee/Howden) | John → Finverge | 1 week (quote + contract) | ✅ Required for AISP application | | Await Finanstilsynet AISP approval | — | 12-16 weeks (regulatory timeline) | ✅ BLOCKER for QWAC | | Obtain QWAC from DigiCert | John → Finverge | 1 week (after AISP approval) | ✅ BLOCKER for production bank API | --- #### Slice 1: Tok Core Engine MVP (PARALLEL with Slice 0) **Timeline:** Start immediately (late May 2026) → Complete August 2026 (12-13 weeks) | Task | Owner | Effort | |------|-------|--------| | Database schema: BankConnection + BankSyncLog + BankTransaction extensions | CodeCraft (Kotlin/backend) | 1 week | | Token encryption: AES-256-GCM + GCP Cloud KMS integration | Securion (security) + CodeCraft | 2 weeks | | Berlin Group Adapter: Abstract BankAdapter + BerlinGroupAdapter implementation | CodeCraft | 4 weeks | | Consent Manager: Consent creation + OAuth flow + token storage | CodeCraft | 3 weeks | | Transaction Sync Engine: BullMQ job queue + dedup + sync scheduling | CodeCraft | 3 weeks | | 90-day re-authentication UX: Email reminders + UI banner + one-click re-connect | Vizu (frontend) + CodeCraft (backend) | 2 weeks | | **SLICE 1 TOTAL** | — | **13 weeks** | **Deliverables:** - Tok API can create PSD2 consents, handle OAuth SCA redirect, store encrypted tokens, sync transactions from ANY Berlin Group bank, handle 90-day expiry. - NOT YET: specific bank integrations (Slice 2), auto-match (Slice 3). --- #### Slice 2: P0 Bank Integrations (AFTER Slice 1 core + QWAC obtained) **Timeline:** September 2026 → Complete mid-October 2026 (4-5 weeks, parallelized) | Bank | Effort | Dependencies | |------|--------|-------------| | Zagrebačka banka (Zaba) | 3 weeks | Slice 1 core + QWAC | | Privredna banka Zagreb (PBZ) | 3 weeks | Slice 1 core + QWAC | | Erste Bank Croatia | 2 weeks | Slice 1 core + QWAC | | OTP Banka Hrvatska | 3 weeks | Slice 1 core + QWAC | **Parallel execution:** Assign 2-3 developers → complete all 4 banks in 4-5 weeks. **Deliverables:** - Tok Platform supports 73% of Croatian SMB market. - Bilko can offer "Connect bank" feature for top 4 Croatian banks. --- #### Slice 3: Bilko Integration + Launch (AFTER Slice 2) **Timeline:** Mid-October 2026 → Complete late October 2026 (2 weeks) | Task | Owner | Effort | |------|-------|--------| | Bilko integration with Tok API (via `@tokapi/sdk`) | CodeCraft (Bilko team) | 1 week | | Bilko UI: "Connect bank" flow + bank feed display + manual reconciliation UI | Vizu | 1 week | | End-to-end testing: Bilko → Tok → Croatian banks (sandbox + production) | Proveo | 3 days | | HR market launch announcement | Skybound (BA) | 2 days | **Deliverables:** - Bilko HR users can connect top 4 Croatian banks and automatically sync transactions. - **BILKO HR LAUNCH READY.** --- #### Slice 4: P1 Features (Q4 2026) | Task | Effort | Timeline | |------|--------|----------| | Bank integrations: Raiffeisenbank, Addiko, HPB | 8 weeks (parallelizable to 3 weeks) | October-November 2026 | | Auto-Match Engine (invoice ↔ transaction) | 4 weeks | November 2026 | | Webhooks for real-time notifications | 3 weeks | December 2026 | | Reconciliation Module (manual review UI) | 3 weeks | December 2026 | **Cumulative market coverage after Slice 4: 87%** --- ## 5. ISO 20022 + SEPA Instant Practical Specifications ### ISO 20022 in Croatian Banking **Source:** Croatian Banking Association ISO 20022 Migration Report 2024 (https://www.hub.hr/en/sepa-croatia) Croatia is a **full SEPA member** (since 2023, post-Euro adoption Jan 2024). All Croatian banks use ISO 20022 messaging for: - **SEPA Credit Transfer (SCT)** — pain.001.001.09 - **SEPA Instant Credit Transfer (SCT Inst)** — pain.001.001.09 (same schema, instant processing via TIPS) - **Account Statement** — camt.053.001.08 --- ### CAMT.053 (Account Statement) — Transaction Data Format **Which Croatian banks provide native CAMT.053?** | Bank | CAMT.053 Native Format | Proprietary Format | Notes | |------|----------------------|-------------------|-------| | Zagrebačka banka (Zaba) | ✅ YES (via UniCredit corporate banking portal) | ⚠️ Also supports CSV, MT940 (legacy SWIFT) | For PSD2 API: Berlin Group JSON (NOT CAMT.053 XML). CAMT.053 is available via corporate e-banking portal for bulk export. | | Privredna banka Zagreb (PBZ) | ✅ YES (via Intesa corporate banking) | ⚠️ Also supports CSV, MT940 | Same as Zaba: Berlin Group JSON for PSD2 API, CAMT.053 for e-banking bulk export. | | Erste Bank Croatia | ✅ YES (Erste Group standard) | ⚠️ Also supports CSV, MT940 | Berlin Group JSON for PSD2. CAMT.053 for corporate customers. | | OTP Banka Hrvatska | ⚠️ LIMITED — available for corporate clients only | CSV primary for SMB e-banking | Berlin Group JSON for PSD2. CAMT.053 not widely used for SMBs. | | Raiffeisenbank Austria d.d. | ✅ YES (RBI Group standard) | ⚠️ Also supports CSV, MT940 | Berlin Group JSON for PSD2. | | Addiko Bank d.d. | ⚠️ UNKNOWN | CSV likely primary | Berlin Group JSON for PSD2. CAMT.053 status unclear. | | HPB | ⚠️ UNKNOWN | Likely CSV | Berlin Group JSON for PSD2. | **Key Insight:** CAMT.053 is available for **corporate e-banking bulk exports** but **NOT used by PSD2 APIs**. All Croatian banks use **Berlin Group NextGenPSD2 JSON response format** for AISP transaction data. **Implication for Tok Platform:** Tok does NOT need CAMT.053 XML parsing. Berlin Group JSON → Tok internal format mapping (already designed in `BANK-API-INTEGRATION.md`) is sufficient. --- ### pain.001 (Payment Initiation) — PISP Future Scope **SEPA Instant (SCT Inst) Coverage in Croatia:** | Bank | SEPA Instant Support | Max Instant Amount | Processing Time | |------|---------------------|-------------------|----------------| | Zagrebačka banka | ✅ YES | €100,000 | < 10 seconds | | Privredna banka Zagreb | ✅ YES | €100,000 | < 10 seconds | | Erste Bank Croatia | ✅ YES | €100,000 | < 10 seconds | | OTP Banka Hrvatska | ✅ YES | €100,000 | < 10 seconds | | Raiffeisenbank Austria d.d. | ✅ YES | €100,000 | < 10 seconds | | Addiko Bank d.d. | ⚠️ LIKELY (Addiko Group supports SCT Inst in AT/SI) | €100,000 (estimated) | < 10 seconds | | HPB | ⚠️ UNKNOWN — verify with HPB | — | — | **Source:** European Payments Council SCT Inst Reachability Report Q4 2025 (https://www.europeanpaymentscouncil.eu/what-we-do/sepa-instant-credit-transfer) **All major Croatian banks support SEPA Instant.** This is CRITICAL for Bilko PISP future scope (pay invoices instantly from Bilko). --- ### Croatian CIUS (Country-Specific Extensions) for ISO 20022 **CIUS = Country Implementation User Specification** — national extensions/restrictions on top of ISO 20022 standard. **Croatia ISO 20022 CIUS Status:** | Standard | Croatian CIUS Exists? | Impact on Tok/Bilko | |----------|---------------------|-------------------| | CAMT.053 | ❌ NO — Croatia uses standard EPC SEPA CAMT.053.001.08 without national extensions | No special handling required. | | pain.001 | ❌ NO — Croatia uses standard EPC SEPA pain.001.001.09 | No special handling required (when PISP is implemented). | **Source:** HUB (Croatian API Hub) technical documentation (https://hub.hr/en/technical-documentation) — confirms standard EPC SEPA schemas with no Croatian-specific CIUS. **Implication:** Tok can use standard ISO 20022 parsers/generators. No Croatian-specific XML schema extensions required. --- ### Practical Data Flow: Croatian Bank → Tok → Bilko ``` ┌─────────────────────────────────────────────────────────────────┐ │ Croatian Bank (e.g., Zagrebačka banka) │ │ ├─ Internal system: ISO 20022 CAMT.053 XML (account statements) │ │ ├─ E-banking portal: CAMT.053 export (corporate bulk) │ │ └─ PSD2 API: Berlin Group NextGenPSD2 JSON │ └───────────────────────────┬─────────────────────────────────────┘ │ HTTPS + QWAC mTLS ▼ ┌─────────────────────────────────────────────────────────────────┐ │ Tok Platform (AISP) │ │ ├─ Berlin Group Adapter: Parses BG JSON → Tok internal format │ │ ├─ Transaction Sync Engine: Dedup + store in PostgreSQL │ │ └─ Tok REST API: Returns transactions in Tok JSON format │ └───────────────────────────┬─────────────────────────────────────┘ │ HTTPS + API key ▼ ┌─────────────────────────────────────────────────────────────────┐ │ Bilko (Kotlin/Ktor backend + Next.js frontend) │ │ ├─ Calls Tok API via @tokapi/sdk (Node.js SDK) │ │ ├─ Auto-Match Engine: Matches transactions to invoices │ │ └─ Bilko UI: Displays matched transactions + reconciliation │ └─────────────────────────────────────────────────────────────────┘ ``` **NO CAMT.053 XML parsing required in Tok.** Berlin Group JSON is the data format. --- ## 6. Risk Flags & Open Questions ### Risk Flags | # | Risk | Impact | Mitigation | |---|------|--------|-----------| | **R1** | **90-day consent re-authentication UX failure** | If users do not re-authenticate after 90 days, bank feed stops for ALL users simultaneously. Bilko becomes "broken" for HR market. | **CRITICAL UX:** 14-day advance email reminder + prominent UI banner + one-click re-connect (no full setup). Test with beta users before full launch. Monitor consent expiry dates daily. | | **R2** | **Finanstilsynet AISP application delay** | If AISP approval takes >4 months, Q3 2026 launch slips to Q4 2026 or Q1 2027. | Start AISP application THIS WEEK (late May 2026). Engage Finanstilsynet early with pre-application meeting. Have PII insurance quote ready before application. | | **R3** | **QWAC certificate delay** | If DigiCert/GlobalSign takes >15 days, production bank testing delayed. | Order QWAC immediately after AISP authorization number received. Use DigiCert (5-10 day turnaround) over Sectigo (10-15 day). | | **R4** | **PBZ Croatian-only documentation** | PBZ API portal has no English version. Increases integration overhead. | Allocate 2-3 extra days for translation/verification. PBZ API responses are standard Berlin Group (English), only portal docs are Croatian. | | **R5** | **Addiko/HPB production status unclear** | Addiko and HPB developer portals exist but production readiness is undocumented. | Treat as P1 (post-launch) to reduce launch risk. Direct outreach to openbanking@hpb.hr and Addiko digital team AFTER P0 banks are live. | | **R6** | **Bank API downtime** | If a major bank's PSD2 API has extended outage, Bilko users complain "bank feed broken." | Implement circuit breaker per `BANK-API-INTEGRATION.md` design. Show clear status in Bilko UI: "Last sync: 3 days ago (bank API unavailable)." Monitor bank status pages. | | **R7** | **Serbian market dependency on Tok** | Bilko Serbian launch (Q4 2026 per Balkan Strategy) requires Tok to have NBS AISP registration + Serbian bank integrations. Tok delay = Bilko Serbia delay. | Start NBS AISP application in parallel with Finanstilsynet (target: September 2026 submission). Serbian market is separate from Croatian launch — decouple timelines. | --- ### Open Questions (Require Follow-Up) | # | Question | Who to Contact | Priority | |---|----------|---------------|----------| | **Q1** | Exact Finanstilsynet processing time for AISP registration — is 2-3 months realistic or optimistic? | Finanstilsynet (finanstilsynet.no, +47 22 93 98 00, post@finanstilsynet.no) — request pre-application guidance meeting | **H** (blocks timeline certainty) | | **Q2** | Does Finanstilsynet require physical presence in Norway for AISP application, or can Alem (CEO) submit remotely from BiH/RS? | Same as Q1 | **H** | | **Q3** | Addiko Bank d.d. production API status — is `oapideveloper.addiko.hr` production-ready or sandbox-only? | Addiko digital team (openbanking@addiko.hr — email inferred from Addiko Group pattern, verify via website contact form at https://www.addiko.hr/kontakt/) | **M** (P1 bank, not launch-critical) | | **Q4** | HPB production API status — is `openbanking.hpb.hr` production-ready? | HPB Open Banking team (openbanking@hpb.hr — documented on HPB portal) | **M** (P1 bank, not launch-critical) | | **Q5** | PII insurance quote for ALAI Holding AS (NO entity, AISP-only, €50K coverage, EEA scope) — exact annual premium? | Nordic Guarantee (info@nordg.se, +46 8-34 06 60) OR Howden Norway (via website contact form at https://www.howdengroup.com/no-en/contact) | **H** (required for AISP application) | | **Q6** | DigiCert QWAC issuance timeline after NCA authorization number provided — is 5-10 days guaranteed or best-case? | DigiCert PSD2 team (psd2@digicert.com) | **M** (impacts production testing timeline) | | **Q7** | Croatian bank PSD2 API rate limits — what is the practical max sync frequency per user? (Berlin Group spec allows up to `frequencyPerDay: 4`, but do banks enforce lower limits?) | Test in sandbox for each P0 bank during integration | **M** (impacts sync engine design) | | **Q8** | HNB passporting notification timeline — PSD2 Article 28 says "1 month" but does HNB publish passported AISPs immediately or with delay? | HNB Open Banking team (moneterra@hnb.hr, +385 1 4702 181) | **L** (nice to know, doesn't block) | --- ## 7. Next Steps for John (Orchestrator) ### Immediate (This Week — Late May 2026) 1. **AISP Application Prep:** - Schedule pre-application meeting with Finanstilsynet (email post@finanstilsynet.no). - Request PII insurance quote from Nordic Guarantee (email info@nordg.se, +46 8-34 06 60) AND Howden Norway (https://www.howdengroup.com/no-en/contact). - Draft "Programme of Operations" document for AISP application (template: Finanstilsynet skjema for opplysningsfullmektig, available at https://www.finanstilsynet.no/konsesjon/opplysningsfullmektig/). 2. **Tok Core Engine Kickoff:** - Dispatch to CodeCraft (Petter Graff or Martin Kleppmann): "Tok Core Engine MVP — Slice 1" (13-week effort per gap analysis above). - Pre-requisite: Verify GCP Cloud KMS is provisioned for Tok project (required for token encryption). 3. **Croatian Bank Sandbox Accounts:** - Register developer accounts on: - https://developer.unicredit.eu (Zagrebačka banka) - https://apiportal.pbz.hr (PBZ) - https://developers.erstegroup.com (Erste Bank) - https://apiportal.sandbox.otpbanka.hr (OTP) - Document sandbox PSU credentials for testing. ### Short-Term (June-July 2026) 4. **Submit AISP Application:** - After pre-application meeting + PII insurance contract signed → submit full AISP application to Finanstilsynet. - Target: Early June 2026 submission → August/September 2026 approval. 5. **Parallel Tok Development:** - Monitor Slice 1 progress weekly (CodeCraft standups). - Ensure 90-day re-authentication UX is user-tested BEFORE production (critical per Risk R1). ### Mid-Term (August-September 2026) 6. **QWAC Procurement:** - Immediately after Finanstilsynet AISP authorization number received → order QWAC from DigiCert (email psd2@digicert.com). - Timeline: 5-10 days. 7. **P0 Bank Integrations (Slice 2):** - Dispatch to CodeCraft: "Tok P0 Croatian Banks — Slice 2" (4-5 weeks parallelized). - Pre-requisite: Slice 1 core engine complete + QWAC obtained. 8. **Bilko Integration (Slice 3):** - Dispatch to CodeCraft (Bilko team): "Bilko ↔ Tok Integration" (2 weeks). - Dispatch to Vizu (Brad Frost): "Bilko 'Connect Bank' UI" (1 week). ### Launch Readiness (Late September / Early October 2026) 9. **End-to-End Testing:** - Dispatch to Proveo (Angie Jones): "Bilko HR Bank Feed E2E Test — 4 Banks × 10 Test Scenarios" (3 days). - Test scenarios: consent creation, SCA redirect, token refresh, transaction sync, 90-day expiry UX, circuit breaker on bank API failure. 10. **HR Market Launch:** - Dispatch to Skybound (sentinel-ba): "Bilko HR Market Launch Announcement" (2 days). - Coordinate with Bilko marketing plan (if exists; otherwise create minimal launch page + email to waitlist). --- ## 8. Evidence & Source Summary **Total Sources Cited:** 31 ### Regulatory Sources (9) 1. Zakon o platnom prometu (NN 66/2018) — Croatian PSD2 transposition: https://narodne-novine.nn.hr/clanci/sluzbeni/2018_06_66_1334.html 2. HNB Banking Sector Report 2024: https://www.hnb.hr/en/statistics/statistical-data/credit-institutions 3. HNB Licensing Page (AISP registration): https://www.hnb.hr/en/core-functions/payment-system/licensing 4. HNB Registered AISPs (passported providers): https://www.hnb.hr/en/core-functions/payment-system/licensing/registered-account-information-service-providers 5. Croatian API HUB (PSD2 technical specs): https://hub.hr/en/psd2-open-api 6. PSD2 Directive 2015/2366 (Article 28 — passporting): Official Journal of the EU 7. EBA/GL/2017/08 (PII Guidelines): https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-professional-indemnity-insurance 8. Finanstilsynet AISP Regulation (§6-13): https://www.finanstilsynet.no/konsesjon/opplysningsfullmektig/ 9. eIDAS Regulation (EU) 910/2014: Official Journal of the EU ### eIDAS / QWAC Sources (5) 10. EU Trusted List (eIDAS): https://eidas.ec.europa.eu/efts/tl-browser 11. DigiCert PSD2 QWAC: https://www.digicert.com/psd2 12. GlobalSign PSD2 QWAC: https://www.globalsign.com/en/psd2 13. Sectigo PSD2: https://sectigo.com/ssl-certificates-tls/psd2 14. D-Trust (Bundesdruckerei): https://www.d-trust.net/en/products/psd2 ### Bank Developer Portal Sources (7) 15. UniCredit Developer Portal: https://developer.unicredit.eu/apis 16. PBZ API Portal: https://apiportal.pbz.hr 17. Erste Developers Portal: https://developers.erstegroup.com 18. OTP Sandbox Portal: https://apiportal.sandbox.otpbanka.hr 19. RBI API Portal: https://api.rbinternational.com/developer-portal 20. Addiko Developer Portal: https://oapideveloper.addiko.hr 21. HPB Open Banking Portal: https://openbanking.hpb.hr ### Technical Standards Sources (4) 22. Berlin Group NextGenPSD2: https://www.berlin-group.org/nextgenpsd2-downloads 23. European Payments Council (EPC) SEPA Schemes: https://www.europeanpaymentscouncil.eu/what-we-do/sepa-credit-transfer 24. European Payments Council SCT Inst Reachability Report Q4 2025: https://www.europeanpaymentscouncil.eu/what-we-do/sepa-instant-credit-transfer 25. HUB Technical Documentation (ISO 20022 CIUS confirmation): https://hub.hr/en/technical-documentation ### Internal ALAI Sources (6) 26. `~/business/ALAI-Holding-AS/products/Tok/docs/INDEX.md` (Tok platform status) 27. `~/business/ALAI-Holding-AS/products/Tok/docs/architecture/BANK-API-INTEGRATION.md` (Berlin Group adapter design) 28. `~/business/ALAI-Holding-AS/products/Tok/docs/regulatory/BALKAN-STRATEGY.md` (AISP registration plan) 29. `~/business/ALAI-Holding-AS/products/Bilko/docs/INTEGRATION-WITH-TOK.md` (Bilko-Tok integration spec) 30. `~/business/ALAI-Holding-AS/products/Bilko/docs/regulatory/HR/README.md` (Croatian regulatory requirements) 31. MC Task #102423 (this task) --- ## FINVERGE REPORT **Status:** COMPLETE **Task:** Croatia (HR) Bank Integration Plan for Bilko via Tok Platform **Financial Domain:** Open Banking (PSD2 AISP), Bank Integration, Regulatory Compliance, Payment Infrastructure **Deliverables:** - `/Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/integrations/hr-bank-integration-plan.md` (this document, 12,500+ words) - Per-bank PSD2 readiness matrix (7 banks, 87% SMB market coverage) - TPP regulatory decision matrix (3 options analyzed, EEA passporting recommended) - QWAC/QSeal certificate plan (DigiCert recommended, €300-800/year) - Tok gap analysis (0% Croatian bank coverage, 28-33 week critical path to launch) - Slice plan (P0: 4 banks = 73% coverage, P1: +3 banks = 87% coverage) - ISO 20022 practical specifications (Berlin Group JSON, NOT CAMT.053 XML) - 7 risk flags + 8 open questions - 31 sources cited (regulatory, technical, bank portals, internal ALAI docs) **Compliance Notes:** - PSD2 Directive 2015/2366 Article 28 (EEA passporting) — legal basis for recommended path - EBA/GL/2017/08 (PII insurance) — €50K minimum aggregate for AISP-only - eIDAS Regulation (EU) 910/2014 — QWAC cross-border recognition guaranteed - Croatian Zakon o platnom prometu (NN 66/2018) — AISP registration requirement - Berlin Group NextGenPSD2 v1.3.8 minimum (Croatian HUB mandate) - GDPR/PDPL compliance required for bank transaction data processing **Security:** - QWAC certificate required (DigiCert/GlobalSign, €300-800/year) - PII insurance required (€50K minimum, Nordic Guarantee/Howden Norway, €800-2,500/year) - AES-256-GCM + GCP Cloud KMS for OAuth token encryption (per Tok design) - 90-day consent re-authentication UX is CRITICAL risk flag **Next:** - **For John (immediate):** Submit AISP application to Finanstilsynet THIS WEEK (late May 2026). Request PII insurance quote. Dispatch Tok Core Engine MVP (Slice 1) to CodeCraft. - **For Securion (parallel):** Review token encryption design (AES-256-GCM + GCP Cloud KMS) for PSD2 compliance. - **For Lexicon (post-launch):** Croatian language UI/legal docs for Bilko HR market (separate MC task). - **For Proveo (pre-launch):** End-to-end testing plan for Bilko ↔ Tok ↔ 4 Croatian banks (3 days, late September 2026). --- **Evidence Path:** `/Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/integrations/hr-bank-integration-plan.md` **Sources Cited:** 31 (9 regulatory, 5 eIDAS/QWAC, 7 bank portals, 4 technical standards, 6 internal ALAI) # 04 — Regulatory Reference — VAT/CIT/HR-FISK/SEPA # Bilko HR — Regulatory Reference — VAT/CIT/HR-FI **Last Updated:** 2026-05-28 **Status:** COMPLETE — regulatory reference consolidated **Source files:** - Regulatory HR README - HR-FISK integration spec --- ## Table of Contents 1. Croatia (HR) Regulatory Overview 2. VAT (PDV) 3. Corporate Income Tax (CIT) 4. E-Invoice (HR-FISK 2.0 / eRačun B2B) 5. Chart of Accounts 6. Financial Statement Filing 7. Bank Integration 8. HR-FISK Integration Spec — Technical Deep Dive --- ## Croatia (HR) Regulatory Overview - Country Code: HR - Currency: EUR (adopted January 2024, previously HRK) - EU Status: Member since 2013 - Open Banking: PSD2 full compliance (Berlin Group NextGenPSD2) - Payment System: SEPA (full member) --- ## VAT (PDV - Porez na dodanu vrijednost)
Rate TypeRateDescription
Standard25%General goods and services
Intermediate13%Certain foods, water supply, accommodation
Reduced5%Books, newspapers, baby food
Zero0%Exports, intra-EU supply
Registration Threshold: 60,000 EUR annual turnover Return Frequency: Monthly Filing Deadline: Last day of following month Portal: ePorezna (https://www.porezna-uprava.hr) --- ## Corporate Income Tax (CIT - Porez na dobit) - Standard Rate: 18% - Reduced Rate: 10% (if annual revenue less than 1M EUR) - Filing Deadline: April 30 (for previous fiscal year) - Payment: Annual (no advance payments for small entities) ### Withholding Tax (WHT)
TypeRate
Dividends10%
Interest12%
Royalties15%
### Small Business Regime (Pausalni obrt) - Threshold: less than 60,000 EUR annual turnover - Taxation: Simplified lump-sum based on activity - Benefits: Reduced compliance, simplified VAT rules --- ## E-Invoice (HR-FISK 2.0 / eRačun B2B) Platform: https://hr-fisk.fina.hr Status: Operational (launched January 2026) Mandatory Since: January 1, 2026 (B2B/B2G/B2C) Format: UBL 2.1 XML with HR-CIUS (Croatian Implementation User Specification) Protocol: AS4 Network: Peppol-compatible Certificate: FINA certificate required Penalties: Up to 500,000 EUR for non-compliance (SEVERE) Archive Requirement: 11 years ### Compliance Deadlines
Entity TypeObligationDate
VAT-registered taxpayersIssue AND receive B2B e-invoicesJanuary 1, 2026 (ACTIVE)
Non-VAT registered taxpayersRECEIVE e-invoicesJanuary 1, 2026 (ACTIVE)
Non-VAT registered taxpayersISSUE and fiscalize e-invoicesJanuary 1, 2027
All B2G suppliersIssue e-invoices to governmentJuly 1, 2019 (long active)
WARNING: Penalties for non-compliance: up to EUR 500,000 per violation. Bilko Croatian users MUST use eRačun — blocking Croatian invoicing until integration is complete is correct policy. --- ## HR-FISK Integration Spec — Technical Deep Dive Last Updated: 2026-03-03 Status: PLACEHOLDER — ZKI/JIR types defined, API call not implemented Regulatory Confidence: HIGH (Croatia is EU member, well-documented) ### Overview Croatia operates two parallel fiscalization systems since January 1, 2026: 1. Fiscalization 1.0 (B2C) — Real-time cash register fiscalization for consumer transactions 2. Fiscalization 2.0 (B2B) — Mandatory electronic invoicing for B2B transactions via the eRačun platform Bilko integration target is Fiscalization 2.0 — the B2B eRačun mandate. Regulatory Authority: Porezna uprava (Croatian Tax Administration) Platform Operator: FINA (Financijska agencija) — manages eRačun platform FINA Website: https://www.fina.hr Tax Authority Website: https://www.porezna-uprava.hr Legal Basis: New Fiscalization Act 2026 (amendments effective Jan 1, 2026) ### What Fiscalization 2.0 Requires All B2B invoices between Croatian VAT-registered taxpayers must: 1. Be structured in UBL 2.1 or CII format (EN 16931 compliant) 2. Be transmitted in real-time to the Croatian Tax Authority via the eRačun monitoring system 3. Carry a JIR (Jedinstveni Identifikator Računa — Unique Invoice Identifier) assigned by the Tax Authority 4. Carry a ZKI (Zaštitni Kod Izdavatelja — Issuer Security Code) generated by the taxpayer ### JIR — Unique Invoice Identifier - Format: UUID (e.g., a1b2c3d4-e5f6-7890-abcd-ef1234567890) - Assigned by: Croatian Tax Authority (Porezna uprava) upon successful fiscalization - Purpose: Proof that the invoice has been registered with the Tax Authority - Must appear on: Invoice document (as QR code or printed text) ### ZKI — Issuer Security Code - Format: 32-character hexadecimal MD5 hash - Generated by: The taxpayer (Bilko, on behalf of the company) - Algorithm: MD5 hash of OIB + IssueDateTime + InvoiceNumber + BusinessUnitCode + CashRegisterCode + TotalAmount (concatenated without separator, signed with private key from FINA certificate) - Purpose: Proves the invoice originated from the declared issuer - Note: ZKI generation requires FINA digital certificate (private key) ### FINA — Financijska Agencija Role: FINA is Croatia’s national financial agency responsible for: - Operating the eRačun B2G platform (since 2019) - Operating the eRačun B2B monitoring system (since 2026) - Issuing qualified digital certificates for business use - Processing annual financial statements FINA Certificate: FINA issues qualified digital certificates (X.509) required for: - Signing e-invoices (Fiscalization 2.0) - Signing B2G e-invoices - Accessing FINA services Certificate types: - Personal certificate (for natural persons) - Business certificate (poslovni certifikat) — for legal entities Obtaining a FINA certificate: 1. Apply at any FINA office (physical presence required for first issuance) 2. Provide business registration documents + OIB 3. Issued as .p12 / .pfx file with password 4. Valid for 5 years 5. Cost: TBD — check www.fina.hr/certifikati Requirements for Bilko: - Each Croatian organization in Bilko must upload their FINA certificate - Certificate stored encrypted (AES-256) in DB - Certificate password stored separately (encrypted, or in key vault) - Bilko loads certificate at invoice submission time to generate ZKI and sign ### API Overview
EnvironmentBase URL
Productionhttps://cis.porezna-uprava.hr/v2
Sandboxhttps://cistest.apis-it.hr:8449/FiskalizacijaServiceTest
Note on protocol: Fiscalization 1.0 used SOAP/WSDL. Fiscalization 2.0 (B2B eRačun) uses REST with UBL 2.1 XML. ### Authentication Authentication for Fiscalization 2.0 uses mutual TLS (mTLS) with FINA certificate: - Client presents FINA certificate in TLS handshake - No separate API key required — identity proven by certificate - Bilko must load .p12 certificate and configure TLS client cert in HTTP client ### Key API Operations
MethodPathDescription
POST/racunSubmit invoice for fiscalization
GET/racun/{jir}Get invoice status by JIR
POST/racun/{jir}/stornoCancel fiscalized invoice
### UBL 2.1 XML Format — HR-CIUS - EU Standard: EN 16931 (European e-invoice standard) - Croatian CIUS: HR-CIUS (Croatian Implementation User Specification) - CustomizationID: urn:cen.eu:en16931:2017#compliant#urn:fina.hr:croatian-cius:2025 - ProfileID: urn:fdc:peppol.eu:2017:poacc:billing:01:1.0 - InvoiceTypeCode: 380 (Commercial Invoice) - Currency: EUR (Croatia joined eurozone January 1, 2023) ### OIB (Osobni identifikacijski broj) Croatia uses OIB as the primary tax/company identifier: - Format: 11 digits - Validation: ISO 7064 MOD 11,10 check digit algorithm - Used for both VAT ID and company registration - In UBL: cbc:CompanyID = HR + OIB (e.g., HR12345678901) in PartyTaxScheme OIB Validation is already implemented in Bilko (packages/country-hr/src/fisk/index.ts). ### Required Invoice Fields
FieldXML ElementFormatNotes
Invoice numbercbc:IDStringSequential per business unit
Issue datecbc:IssueDateYYYY-MM-DD
Due datecbc:DueDateYYYY-MM-DD
Invoice type codecbc:InvoiceTypeCode380Commercial invoice
Currencycbc:DocumentCurrencyCodeEURSince Jan 1, 2023
Supplier namecac:AccountingSupplierPartyString
Supplier OIB (VAT)cac:PartyTaxScheme/cbc:CompanyIDHR + 11 digits
Buyer namecac:AccountingCustomerPartyString
Tax totalcac:TaxTotal/cbc:TaxAmountDecimal 2dp
### Croatian VAT Rates (PDV)
RateCategory CodeApplies To
25%SStandard rate — most goods and services
13%SFirst reduced rate — food, accommodation, utilities
5%SSecond reduced rate — books, medicines, newspapers
0%ZZero rate — intra-EU transport, international transport
### Integration Architecture — How Bilko Calls FISK Flow: 1. Bilko User creates invoice 2. Bilko Frontend sends to Bilko API 3. invoice.service.ts processes 4. FiskalizacijaService (TODO) validates OIB (IMPLEMENTED), generates ZKI (TODO), generates eRačun XML (IMPLEMENTED), signs XML (TODO), POSTs to FISK API (TODO) 5. JIR + ZKI returned from Porezna uprava 6. Embed JIR in invoice document 7. Store JIR, ZKI in Invoice.hrFiskData ### Bilko Code Location
ComponentFileStatus
FISK types + placeholderpackages/country-hr/src/fisk/index.tsPLACEHOLDER
OIB validationpackages/country-hr/src/fisk/index.tsIMPLEMENTED
eRačun UBL XML builderpackages/country-hr/src/filing/index.tsIMPLEMENTED
Fiscal year/filing rulespackages/country-hr/src/fiscal/index.tsIMPLEMENTED
ZKI generationNot yet implementedTODO
FINA cert loadingNot yet implementedTODO
FISK API clientNot yet implementedTODO
invoice.service.ts integrationNot yet implementedTODO
JIR storage in DBNot yet implementedTODO (DB migration)
### Implementation Status
FeatureStatusNotes
eRačun UBL 2.1 XML generationIMPLEMENTEDfiling/index.ts
OIB validationIMPLEMENTEDfisk/index.ts
JIR/ZKI type definitionsIMPLEMENTEDfisk/index.ts
ZKI generation algorithmNOT IMPLEMENTEDRequires FINA cert private key
FINA certificate loadingNOT IMPLEMENTED.p12 parsing needed
FISK API clientNOT IMPLEMENTEDPlaceholder throws error
Get invoice statusNOT IMPLEMENTEDPlaceholder throws error
invoice.service.ts integrationNOT IMPLEMENTEDService wiring pending
DB fields for JIR/ZKINOT IMPLEMENTEDPrisma migration needed
Settings UI for FINA cert uploadNOT IMPLEMENTEDFrontend task
Country gate (block without cert)IMPLEMENTEDpackages/core/src/country-gate.ts
### Next Steps (Full Production Implementation) Phase 1 — ZKI Generation (1 week): Implement generateZKI function, write unit tests Phase 2 — FISK API Client (1-2 weeks): Implement submitInvoiceToFISK, getInvoiceStatus, cancel/storno flow Phase 3 — Service Integration (1 week): Wire FiskalizacijaService into invoice.service.ts, add DB fields, Prisma migration, Settings UI for FINA cert upload Phase 4 — Compliance (ongoing): Obtain FINA test certificate, sandbox testing, production certificate, register with Porezna uprava, consult Croatian accounting advisor Phase 5 — B2G (Optional): eRačun B2G uses FINA eRačun za državu platform (separate endpoint, same UBL 2.1 format, already mandatory since 2019) --- ## Sources ### Regulatory Overview - Croatia Confirms Mandatory B2B E-Invoice 2026 | EDICOM - Croatia Fiscalization Law | Fintua - Mandatory e-Invoicing Croatia 2026 | Fiscal Solutions - Croatia eInvoicing B2B Mandate | VATit ### Technical Specifications - FINA — Financijska agencija (www.fina.hr) - Porezna uprava — Fiskalizacija (www.porezna-uprava.hr/HR\_Fiskalizacija/) - Croatia B2G e-invoicing 2019 | SEEBURGER - 2025 Croatia eInvoicing Country Sheet | European Commission --- Local source files: - /Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/regulatory/HR/README.md - /Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/integrations/hr-fisk-spec.md BookStack Canonical URL: https://docs.alai.no/books/bilko-hr-market-entry/page/04-regulatory-reference