Information Security Between Regulation and Operationalization

By adopting the new Law on Information Security, Serbia has taken an important step toward aligning with European regulations and standards in this field. However, the real challenge begins afterward, when the regulatory framework must be transformed into a functional and sustainable system for protecting critical infrastructure in practice.

This analysis addresses precisely that challenge by examining the operationalization of the Office for Information Security based on best practices from the United States. Drawing on international models for organizing institutions responsible for information security, while remaining fully adapted to the local context, constraints, and opportunities, the document provides an overview of potential approaches to organizing and structuring the new Office for Information Security, which is expected to commence operations on January 1, 2027. The proposed models and recommendations are not intended as finalized institutional solutions, but rather as a contribution to the professional discussion on possible directions for developing the system in accordance with Serbia’s capacities and needs.

In addition to reviewing international practices, the analysis includes proposals for a possible organizational model of the Office, broad recommendations for capacity development, and considerations regarding the structure and phased staffing of specialized positions during subsequent stages of the institution’s development. Particular emphasis is placed on the need to build the system gradually and sustainably, with clearly defined priorities and the rational use of existing, limited resources.

Through a comparative analysis of models from the United States and European countries, and particularly through the experiences and limitations of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the analysis highlights the importance of centralized coordination and clearly defined responsibilities. It emphasizes the importance of cooperation between the public and private sectors, given that modern cybersecurity increasingly depends on the exchange of information, resources, and expertise among stakeholders. One of the key conclusions is that information security does not rely solely on the internal capacities of the state, but also on carefully developed networks of cooperation with academia, private companies, and professional organizations.

In this context, the analysis considers the possibility of developing a centralized yet “hybrid” model for the Office for Information Security. Such an approach would allow the state to retain responsibility for coordination, incident management, strategic oversight, and the coordination of all competencies prescribed by law, while certain highly specialized technical activities, as well as capacity-building efforts, could be carried out in cooperation with external partners under controlled conditions. This approach becomes particularly relevant in light of the global and domestic shortage of cybersecurity professionals, as well as the need for rapid adaptation to increasingly sophisticated cyber threats.

An examination of contemporary trends and practices points to the importance of developing real-time threat information-sharing systems, enhancing interinstitutional cooperation, and continuously investing in human capital. Key recommendations include the development of training programs, exercise scenarios, mechanisms for preserving institutional knowledge, and stronger cooperation with the academic and IT communities.

Information security should not be viewed solely as a technical issue, but rather as an integral component of broader societal resilience, given the growing dependence of public services, the economy, and citizens on digital infrastructure. In this regard, international experience can serve as a valuable framework for considering possible models for the development of Serbia’s national system, while adapting them to the local institutional, regulatory, and market conditions of the Republic of Serbia.