What Does the New Law on Information Security Bring?

With the adoption of the new Law on Information Security, the Republic of Serbia has established a comprehensive legal framework for the protection of critical infrastructure and for responding to incidents of varying levels of risk.

The past month was marked by the adoption of the new Law on Information Security, which introduces comprehensive obligations for both the public and private sectors and sets clear rules for the protection of critical infrastructure in the Republic of Serbia. The Law precisely defines who is required to implement advanced security measures—covering sectors such as energy, telecommunications, finance and transport, as well as healthcare, digital infrastructure, and water supply. All organizations classified as ICT systems of special importance are required to register in the official Register of Priority and Important ICT Systems maintained by the Ministry of Information and Telecommunications. They must also submit data on their system administrators, IP ranges, system locations, and other relevant elements, while the Register itself is treated as classified information. Each operator of an ICT system of special importance is obliged to adopt a Risk Assessment Act, which must be reviewed at least once a year, as well as an ICT System Security Act, based on the Risk Assessment Act.

The Law places particular emphasis on the obligation to establish a robust security system, encompassing technical, organizational, operational, and physical measures. This includes risk management, access control, encryption, malware protection, network and device security, regular data backups, vulnerability monitoring, and the establishment of business continuity procedures. The Law also prescribes nine new measures, among which the obligation to collect data on information security threats is particularly significant. This requirement poses a challenge for operators that do not have their own Security Information and Event Management (SIEM) solutions.

A central element of the Law is the establishment of the Office for Information Security as a separate state administration body. Among its responsibilities are professional supervision, management of the vulnerability database, and the tasks of the National CERT, the Government Authorities’ CERT, certification of ICT products and services, prescribing minimum security measures for public authorities, national coordination, and international cooperation. The Office assumes a strategic role in threat monitoring, issuing alerts, incident response, and managing the national vulnerability database. However, until the new Office becomes operational on 1 January 2027, its responsibilities will be temporarily performed by the Office for Information Technologies and Electronic Government, except for the tasks of the National CERT, which will be carried out by the Regulatory Authority for Electronic Communications and Postal Services (RATEL).

Incidents are classified according to their level of risk as low, medium, high, and very high, with corresponding response plans defined for each level. The Law mandates the reporting of all high and very high-level incidents within 24 hours of becoming aware of them. In addition, it introduces the obligation to report not only incidents that occurred, but also prevented incidents—situations in which an attack was thwarted but could have caused serious consequences. Reporting by operators of ICT systems of special importance is conducted through a unified incident notification system, while for certain sectors notifications are submitted to authorities such as the National Bank of Serbia (NBS) or RATEL, which then forward the data to the central registry. Amendments to Article 5 expand the powers of the NBS to adopt secondary legislation for the financial sector. As the competent supervisory authority for operators of priority ICT systems of special importance in the fields of banking and financial markets, the NBS regulates ICT system security measures, risk assessment, security acts, incident classification and handling, as well as reporting and data submission obligations. Financial institutions will continue to apply sector-specific regulations as lex specialis, while the Law on Information Security primarily applies to the reporting of incidents that have the characteristics of an information security crisis. Operators are also required to inform their users if an incident affects service delivery and to provide information on measures that can mitigate damage.

In addition, the Law introduces the possibility of proactive network scanning by the state to detect vulnerabilities, mandatory multi-factor authentication, standardization of secure communications in emergency situations, and specific rules and measures for the use of cloud services. Independent operators such as the Ministry of Interior, the Ministry of Defence, or the National Bank of Serbia have an additional obligation to establish their own CERTs and internal control mechanisms.

The eGovernment Alliance played a significant role in the preparation of the Law, recognizing the importance of this topic. Full implementation of the Law is expected from 2027, following the adoption of accompanying secondary legislation. The adoption of the first by-laws, which will regulate criteria for ICT system operators and coordinated vulnerability disclosure, is expected by the end of this year, in line with Serbia’s Reform Agenda, after which the methodology for risk assessment will be adopted. We invite all members to continue contributing to the drafting of secondary legislation, thereby supporting the further improvement of information security at both the national and local levels.
