Information Security Law

Information security has become a strategic issue for every organization—from banks and telecoms, through e-commerce and logistics, to the public sector and critical infrastructure.

Pressure comes from all sides: the rising number and severity of incidents, stricter risk-management rules, tighter incident-reporting deadlines, as well as the expectation from partners and regulators that security be embedded into every process and technology.

In 2025, Serbia moved to align with European cybersecurity law by proposing a new Information Security Act that follows the logic of NIS2, introduces new categories of obliged entities, shortens reporting deadlines, and raises penalties.

Zunic Law helps companies turn information risks into an advantage—through legal-operational design, clear policies, practical contracts, and procedures that actually work in practice (not just on paper).

Our approach is pragmatic: we map regulatory obligations and risks, tailor them to your business model and technologies, and deliver sustainable solutions that withstand supervision, audits, and real incidents.

Why Zunic Law for Information Security Law?

  • Regulation in focus 2025+: we prepare you for obligations under the new Serbian information-security framework (aligned with NIS2 logic), including a redefinition of obliged entities, stricter deadlines, and expanded supervisory powers.
  • EU horizon: we explain how European rules (NIS2) translate into local obligations, what the difference between “essential” and “important” entities means, and how that affects supervision, reporting, and penalties.
  • Sector-specific expertise: for finance, we connect cybersecurity obligations with the DORA regime (effective from 17 January 2025), including ICT risk management, incident reporting, and TPRM/outsourcing.
  • End-to-end delivery: from gap analysis and policies to training, incident-response playbooks, and supplier contracts (cloud, SOC, MSSP, forensics).
  • Operational embedding: we work with security, IT, and legal teams—as well as product and data teams—so security becomes part of processes: development, change, testing, contract exit (exit plans, portability), continuity, and recovery.

What’s changing in information-security regulations in 2025?

New Information Security Act (draft, 27 February 2025) – expands the range of covered entities, introduces a split between priority and important operators of ICT systems of special significance, announces the Office for Information Security to take over the role of the national CERT, requires incident reports within 24 hours, mandates incident categorization, and raises fines for non-compliance.
NIS2 (Directive (EU) 2022/2555) – sets a common cybersecurity framework in the EU, broadens scope to 18 critical sectors, introduces mandatory risk management, tighter incident reporting, and stronger supervision and enforcement. Although Serbia is not an EU member, the new domestic framework follows NIS2 logic to ensure compatibility with the digital single market.
DORA (for the financial sector) – an EU regulation applicable from 17 January 2025; harmonizes ICT risk management, incident reporting, resilience testing, and oversight of critical ICT third parties (e.g., cloud). For Serbian entities operating in the EU or with EU groups, DORA affects contracts, processes, and technical-organizational controls.

Who do information-security rules apply to?

In practice, more and more companies fall under information-security regimes—even if they are not typical “critical infrastructure.” The draft law separates obliged entities into priority and important operators of ICT systems of special significance, with an expanded list of sectors (e.g., water supply, postal services, certain manufacturing, information-society services, providers of qualified trust services, DNS and TLD registry). This classification entails different control regimes, inspection frequency, and penalty levels.

What does this mean for companies?

First, your status (priority/important) is a legal and operational trigger: it affects the pace and depth of risk assessments, frequency of inspections, reporting deadlines, and expectations for your supplier contracts (cloud, SOC, data centers, integrators).

If you are also a data controller (GDPR/Serbian DP Act), incidents involving personal data simultaneously trigger the 72-hour data-breach notification rules—so you need a unified mechanism for assessment and dual reporting (cyber + privacy).

Key obligations: from policies to reporting

1) Risk management and policies

  • Risk assessment and a formal Risk Assessment Act (the written assessment document, regularly reviewed; the draft requires review at least annually).
  • Control framework: information classification, access control, hardening, logging and monitoring, vulnerability management, network segmentation, cryptography, backups, BCM/DRP.
  • Supply-chain security: supplier assessment, technical and contractual mechanisms (SLA/OLA, audit rights, audit trails, incident-notification duties, exit and portability).
  • Documentation: policies and procedures, testing reports, training records, third-party and contract registers.
    The Serbian regulatory basis follows NIS2 logic (broader scope and risk management) with domestic implementation and a new supervisory model.

2) Incident and threat reporting

  • 24-hour deadline from becoming aware of a significant incident; a precisely defined set of information must be reported and updates are mandatory. (The draft also requires reporting of serious threats, not just events.)
  • Incident categorization (low/medium/high/very high) – obligations differ by severity and will be detailed in secondary legislation.
  • National CERT: operational channel for reports and advisory support (publicly available incident-reporting forms).
  • Parallel GDPR reporting: if personal data are involved, report to the Commissioner / competent EU authority within 72 hours (dual-track reporting).

3) Authorities, supervision, and penalties

  • Establishment of an Office for Information Security as regulator with expanded powers (taking over the national CERT role, coordinating response, certification of ICT systems/products/processes/services, etc.).
  • Inspectors gain broader powers (e.g., orders to publicly disclose information on non-compliance where there is a justified public interest; mandatory appointment of a responsible person to oversee remediation).
  • Penalties: higher fines with differentiation by entity status (priority/important).

Specifics for the financial sector (DORA)

If you are a bank, insurer, investment firm, or payment service provider operating in the EU, DORA already applies to you. Since 17 January 2025 it brings:

  • An ICT risk framework with clear requirements (management accountability, risk policy, classification and registers of ICT services, continuous improvement),
  • ICT incident reporting with harmonized criteria and formats,
  • TPRM and outsourcing: contracts with ICT third parties (especially cloud) must contain minimum mandatory clauses,
  • Resilience testing, including threat-led penetration testing (TLPT, modelled on TIBER-EU) for entities that meet the applicable thresholds,
  • Oversight of critical ICT third parties at EU level (the ESAs).


For groups that include Serbian entities, the DORA standard becomes a de facto minimum for group policies, contracts, and processes—even where local rules do not yet require the same level of detail.

Zunic Law services

1) Information-security strategy and governance

  • Designing governance models (board/management responsibilities, lines of defense, security committees, risk and compliance).
  • Policies and procedures (control framework, incident management, BCM/DRP, vulnerability management, key management, log and access records).

2) Risk assessments and technical-legal hardening

  • Risk assessments per ICT systems and business processes; formal Risk Assessment Act.
  • Data mapping, classification and access control; encryption at rest and in transit; SIEM/SOC and logging policy.
  • Risk-reduction plan with clear priorities and deadlines.

3) Incident response and notifications

  • IR playbooks and RACI matrices; war-room procedures, evidence, and post-incident reviews.
  • Incident reporting to the National CERT and competent authorities; coordination with comms and legal teams.
  • If personal data are involved—preparation and submission of data-breach notifications within 72 hours, with documented risk assessment for the rights and freedoms of individuals.

4) Supplier and cloud contracts (TPRM/outsourcing)

  • “Skin-in-the-game” clauses: availability, RTO/RPO, incident notifications, audit rights, penalties, exit and portability, processing locations, and subprocessors.
  • Alignment with group standards (e.g., DORA for EU entities) and local rules.

5) Resilience testing and compliance checks

  • Pre-audit and audit readiness, guidance through supervision/inspection.
  • Coordination of technical testing (internal/external) and forensic preparedness.

6) Training and exercises

  • Role-based trainings (management, IT/security, DevOps, product, legal, marketing),
  • Table-top incident exercises and purple-team simulations,
  • Employee awareness programs (phishing simulations, password hygiene, BYOD, remote work).

7) Documentation and records

  • Registers of ICT services and suppliers, incident and vulnerability registers, DLP events, SIEM/SOC reports.
  • Templates for incident and data-breach notifications, communication plans, customer/partner statements.

What do you gain?

  • A compliant, auditable, and sustainable information-security framework, with a clear decision trail and control measures.
  • Faster, safer decision-making in incidents and changes (change management).
  • Reduced contractual risk in the supply chain (TPRM): clear rights, obligations, and consequences (penalties, termination, migration).
  • Readiness for supervision – “audit-ready” documentation, processes, and teams.
  • Trust from users and partners, directly impacting revenue and sales velocity (shorter security questionnaires, easier vendor assessments).

Who we advise

  • Critical infrastructure and public sector: energy, utilities, water, healthcare, government.
  • Finance: banks, payment processors, insurance, investment firms, fintech, and infrastructure players (with a DORA focus).
  • Commerce and logistics: e-commerce, marketplaces, fulfillment, and courier services.
  • Tech companies and service providers: cloud/SaaS, data centers, integrators, SOC/MSSP.
  • Manufacturing and telco: especially where digital systems affect production continuity and networks.

Tijana Žunić Marić

Nemanja Žunić

Frequently Asked Questions (FAQ)

1. Are we an “obliged entity” under the new legislative framework?

It depends on your sector and role. The draft law introduces priority and important operators of ICT systems of special significance; the list of sectors is expanded (e.g., water, post, information-society services, qualified trust services, DNS/registry). A formal status mapping is needed—this is how we start every project.

The draft introduces shorter deadlines (24 hours for significant incidents), mandatory updates to the initial report, and a more precisely defined set of information to be reported.

The draft also introduces reporting of serious threats. We recommend a single process that simultaneously covers GDPR/Serbian DP Act obligations (72 hours).

The National CERT is the operational point for reporting and coordination; public forms and guidelines exist. Its role includes early warning, advisory support, and keeping incident records.

The new Serbian framework is designed to follow NIS2 logic, so you will see similar mechanisms (broader scope, risk management, incident reporting, supervision, penalties).

This simplifies cooperation with EU partners and boosts compatibility for cross-border deliveries.

DORA has applied since 17 January 2025 and requires harmonized ICT risk processes, reporting, testing, and strong contracts with ICT third parties (especially cloud).

If you are part of an EU group, the DORA standard becomes the baseline for contracts and policies in practice, even where local rules do not yet require the same level of detail.

In addition to the cyber report, the GDPR/Serbian DP Act 72-hour regime applies to the competent authority (and notification of individuals if there is a high risk).

That’s why the IR team and the DPO must work in an integrated manner – Zunic Law sets up a unified decision-making and documentation flow.