The Serbian Parliament adopted the new Law on Information Security on October 22, 2025. Its adoption is a step forward in aligning Serbian legislation with the EU acquis in the field of information security. The new law provides clearer definitions of terms, introduces new terms, increases the number of ICT system operators covered, and imposes stricter obligations on ICT system operators. ICT system operators have 18 months to bring their ICT systems into compliance with the new law.

I Definitions of terms

The new Law on Information Security (“the New Law”) provides clear definitions of basic terms.

Risk is defined as the possibility of loss or disruption caused by an incident and is expressed as a combination of the magnitude of such loss or disruption and the likelihood of the incident occurring. This novelty introduces causality into the definition of risk, implying that both the probability of loss or disruption and the probability of the incident or risk event must be assessed in a risk assessment.

Further, the definition of risk management covers all integrated and successive phases of risk management in their entirety: identification, analysis, assessment, and the establishment of a risk mitigation control system that covers the planning, organisation, and direction of protective measures to ensure that risks are avoided, mitigated, or kept within prescribed and acceptable limits.

The definitions of risk and risk management in the previous Law on Information Security (“the Previous Law”) were vague and abstract, leaving room for different interpretations. Only the most prominent experts with a strong academic background were able to interpret the definitions in the Previous Law properly, while, on the other hand, such definitions left enormous room for (un)intentional misinterpretation, resulting in avoidance of the obligations to assess and treat risk, and in legal uncertainty.

The New Law introduces definitions of new terms using formulations from the NIS 2 Directive (“NIS 2”). This approach enables the creation of an improved legal framework for responding to new cybersecurity threats and for imposing new or stricter obligations on (new) operators in the growing digital economy. For example, the New Law introduces definitions of “cloud computing service”, “data centre service”, “managed service provider”, “managed security service provider”, “domain name system (DNS)”, “DNS service provider”, etc. The position of these entities from an information security perspective was completely undefined in national legislation, and the compliance of their ICT systems was left to vague policies and accreditation procedures with no sanctions or control.

The New Law provides inaccurate definitions of some terms. For example, an ICT process is defined as a set of activities carried out for the purpose of creating, developing, using, and maintaining ICT products or ICT services. The proper definition would be a set of procedures containing activities…, as the absence of procedures defining the activities could lead to improvisation and, in turn, to the absence of clear rules for creating, developing, using, and maintaining ICT products or ICT services.

Further, the New Law introduces obligations for research organisations, as these organisations can play an important role in the development of new products and services in the digital economy.

II New obligations for (new) operators

The New Law follows the methodology established by NIS 2 and defines operators of ICT systems of special importance, which are further divided into priority ICT system operators and essential ICT system operators.

Priority ICT system operators manage ICT systems in the following sectors: energy, traffic, banking and finance, health, drinking water and waste water management, digital infrastructure, nuclear energy, trust services, content management services, DNS services, electronic communications, state bodies, managed service providers, managed security service providers, internet exchange points, operators of critical infrastructure, etc.

Since the New Law imposes obligations on most business segments of the said sectors, operators from these sectors should pay special attention to whether their activity is subject to the New Law.

Further, the New Law authorises the ministry competent for information security to enact a by-law designating entities as priority ICT system operators where an interruption in the operation of their ICT systems or a disruption in their functioning: i) may have a significant impact on public safety, national security, or public health; ii) may cause significant systemic risk, particularly in sectors where a disruption may have cross-border effects.

Essential ICT system operators manage ICT systems in the following sectors: postal services, waste management, packaging waste management, production and supply of chemicals, production, processing, and distribution of food in the wholesale and industrial production and processing segment, production of computers, electronic and optical products, production of electrical equipment, production of machinery and equipment, production of motor vehicles, trailers, and semi-trailers, and production of other transport equipment, production of medical devices and production of in vitro diagnostic medical products, information society services as defined by the Electronic Commerce Law, production, trade, and transport of weapons and military equipment, space services that rely on ground infrastructure (particularly activities involving the management of control centres, tracking and communication facilities, and the provision of launch services), research institutions, etc.

Legal and natural persons who do not qualify as priority ICT system operators under the criteria for determining priority ICT system operators fall under essential ICT system operators.

The ministry competent for information security has the same authorisation to designate, by by-law, additional essential ICT system operators using the same criteria applied to priority ICT system operators.

The New Law imposes substantial new obligations on all operators of ICT systems of special importance (in addition to the existing obligations under the Previous Law):

  1. to adopt a Risk Assessment Act;
  2. to adopt a Security Act, based on the Risk Assessment Act;
  3. to notify the CERT, without delay, of any incident that significantly undermines the security of ICT systems;
  4. to report near misses that pose a serious threat.

A risk assessment is carried out, taking into account the level of exposure to risk, the size and importance of the operator, the likelihood of an incident occurring and its severity, as well as its potential social and economic impact.

The risk assessment report is to be prepared in accordance with the general methodology for risk assessment in priority and essential ICT systems of special importance, which is to be adopted by the authority or organisation in which the National CERT operates.

The key new security measures to be applied to all ICT systems of special importance are as follows:

  1. collection of data on new trends for ICT systems;
  2. application of adequate measures for the prevention of leakage of information;
  3. application of adequate measures in the field of provision of cloud services;
  4. monitoring ICT systems, including testing the system for vulnerabilities and identifying potential threats that may exploit such vulnerabilities;
  5. restriction of access to web pages that could potentially compromise the security of ICT systems;
  6. regular creation of backups of data, software, and systems through appropriate data exchange means;
  7. measures that ensure the continuity of business operations in emergency situations, as defined by the strategy of the Business Continuity Plan;
  8. adoption of documents defining procedures for verifying the adequacy of protection measures;
  9. the use of multi-factor authentication or continuous authentication solutions for the protection of voice, video, and text communications, as well as secure communication systems for emergencies within ICT system operators.

The implementation of ICT system protection measures shall be carried out in accordance with assessed risks to ensure adequate system protection and minimize the impact of potential incidents.

The Government shall adopt a regulation defining the protection measures for priority and essential ICT systems.

III Reporting obligations

The New Law obliges operators of ICT systems of special importance to notify the competent regulators of incidents.

Further, in the event of an incident that may cause or is causing a harmful impact on the provision and use of services, ICT operators are obliged to promptly inform the users to whom they provide services about the incident through appropriate communication channels, as well as about the measures users can take to mitigate or eliminate the harmful consequences of the incident.

IV Deadline for compliance

Operators of ICT systems of special importance are obliged to adopt the Risk Assessment Act and the Information Security Act within 18 months of the day the New Law enters into force.

V Sanctions

Information security inspectors may: i) impose a ban on the use of procedures and technical means that endanger or compromise information security, within a defined deadline; ii) initiate proceedings before the competent court or other competent authority for a temporary measure banning a person who performs managerial duties on behalf of the supervised entity from holding executive positions, if their actions have prevented compliance with the New Law and the imposed measures, or initiate a procedure for imposing misdemeanour fines.

The Information Security Office performs expert supervision and controls: i) the adequacy of the assessed risks, considering the degree of risk exposure, the size of the operator, the likelihood of an incident occurring and its severity, as well as its potential social and economic impact; ii) the level of security of the technological procedures and technical means used by an operator of an ICT system of special importance to implement protective measures; iii) the proper implementation of the process for verifying the compliance of the applied ICT system measures with the Security Act; iv) the application of recommendations and measures in the case of incidents that significantly threaten information security.

The Information Security Office instructs the supervised entity to act in accordance with its findings within 8 days. If the supervised entity does not comply with the findings, the Information Security Office notifies the competent inspectors.