THE CURRENT AND DEVELOPING REGULATORY FRAMEWORK OF INFORMATION SECURITY IN THE EU AND THE REPUBLIC OF CROATIA

Tihomir Katulic, Hrvoje Lisičar

Abstract


Information security deals with ensuring the reliable, confidential and trustworthy operation of information systems and preserving the availability and reliability of data, and its framework and content are increasingly regulated by law. Research consistently shows that the number of attacks on information systems as well as data breaches is rising. Information security practices are no longer only a matter of recognized industrial self-regulation standards but are instead increasingly in the focus of legislators in the European Union as well as in comparative law. In the last five years, the regulation of information security in the European Union has undergone significant changes and expansion through numerous regulations, directives and legislative proposals that are still under development. This paper provides an overview and basic analysis of the current positive legal framework for information security in the European Union and the Republic of Croatia from the substantive and institutional aspects. Specific regulations containing provisions in the field of information security are listed chronologically and de lege ferenda proposals are also considered.


Keywords


Information security, NIS Directive, NIS2, Cybersecurity Act, GDPR
