In an era when over 11 000 publicly reported cyber-incidents rattled organisations across the EU[1] in a single year — with DDoS attacks vaulting into first place and ransomware still haunting nearly half of all critical breaches — Serbia’s newly proposed Law on Information Security lands at a pivotal moment. Meanwhile, across the Atlantic, Verizon’s DBIR[2] reveals that in 2023 alone, over 30 thousand security incidents and nearly 10 thousand confirmed breaches exposed vulnerabilities in every sector. And the price tag keeps climbing: the average cost of a data breach jumped to $4.88 million in 2024[3].
For businesses, these eye-opening figures make one thing clear: information security can no longer be an afterthought.
On 27 February, 2025, the Serbian Government adopted the proposal of the new Law on Information Security, which represents a key step in improving the protection of information, infrastructure, and digital systems in the Republic of Serbia.
Given the importance of digital transformation and the increasing threats in cyberspace that can lead to immeasurable consequences, updating the legal framework in this area was necessary in order to enhance the security and resistance of information systems.
Additionally, with the adoption of the NIS2 Directive, further alignment of Serbian legislation with EU regulations became necessary. This directive introduces significant updates compared to its predecessor, the NIS Directive, notably expanding its scope and setting new standards for cybersecurity.
At the same time, the rapid rise of artificial intelligence (AI) has introduced new complexities in cybersecurity and data protection. AI-driven systems are increasingly being used to detect and respond to cyber threats, but they also present new vulnerabilities that must be addressed within the legal framework. As AI continues to shape the digital landscape, ensuring a robust and adaptive regulatory approach becomes even more critical to safeguarding sensitive information and maintaining trust in digital ecosystems.
1. The current Law on Information Security and NIS Directive
The currently valid Law on Information Security[4] (hereinafter: the “Law”) was adopted in 2016 (with amendments in 2017 and 2019) and sets basic guidelines for the protection of information systems, as well as for securing the entire infrastructure related to information technologies. This Law also introduces obligations related to securing systems from cyber-attacks, obligations to report security incidents, as well as obligations to build national capacities for crisis management, and aims to provide conditions for the prevention of cyber-attacks and other threats that may be related to information systems and infrastructure.
The Law relies on the NIS1 Directive[5], which was adopted in 2016, and sets out basic requirements for the security of information systems and networks within the European Union, as well as for securing the entire infrastructure related to information technologies.
2. New Law on Information Security in the light of the adoption of the NIS2 Directive
As cyber threats evolve and technologies change rapidly, there is always a need to improve existing legislation to ensure that Serbia remains compliant with the latest international standards and to follow the development of regulatory trends in this area in a timely manner. In the process of fulfilling the conditions for full membership in the European Union, the Republic of Serbia is obliged to harmonize its legislation with the legal acquis of the European Union in the field of information security.
The European Union completed and revised its regulatory framework by adopting the Cybersecurity Act[6] in 2019 and the new NIS2 Directive[7] in 2022, which is part of the wider efforts of the European Union to increase the level of protection of critical sectors and services across the European Union, in light of increasing threats from cyber-attacks.
The proposal of the new Law on Information Security (hereinafter: the “New Law on Information Security”), which aims to comply with the NIS2 Directive, seeks to expand and improve existing provisions in order to adequately respond to increasingly complex challenges in cyberspace.
In order for the Republic of Serbia to successfully join the single European digital market, it is necessary to provide regulatory and institutional conditions for the accelerated development of the electronic communications market in the Republic of Serbia, as well as to ensure that this development takes place in safe conditions both for individuals and for companies.
3. What are the most important updates in the New Law on Information Security?
Below are just some of the many changes that the New Law on Information Security brings to the table.
The new requirements now encompass businesses in industries that were previously outside the scope: food production, automotive manufacturing, healthcare, and more. There will be heightened scrutiny on systems whose reliable operation is critical to the public good, particularly healthcare, postal services, waste-management services, and the like. A breach of any of these vital infrastructures could not only halt essential services but also endanger the safety of individual citizens.
1. Re-identification of key subjects
The New Law on Information Security identifies the operators of ICT systems[8] of special importance and introduces their differentiation into priority and important ones (together: the “Operators“).
Operators of priority ICT systems of special importance, which take over the role of the previous ICT systems of special importance, now also cover the sectors of drinking water, waste water, and management of ICT services provided to operators of priority ICT systems of special importance, as well as the provision of qualified trust services, DNS services, and management of top-level domain registries, with the exception of root name server operators.
Example: A Belgrade-based IT services firm provides qualified trust services, namely digital certificates, time-stamping, and electronic seal solutions, to enterprises across Serbia and the wider region. Under the New Law on Information Security, its PKI (Public Key Infrastructure) platform is now classified as a priority ICT system of special importance, and the company must comply with the expanded regulatory requirements.
On the other hand, operators of important ICT systems of special importance now include, among others, the sectors of postal services, the production of computers, electronic and optical products, electrical equipment, machines and devices, motor vehicles, and medical devices, as well as information society services within the meaning of the law on electronic commerce, etc.
Example: A major e-commerce platform’s shopping website, seller-integration APIs and payment-gateway services are now deemed important ICT systems of special importance under the expanded scope of “information-society services.” The company owning the platform must comply with the New Law on Information Security.

2. New obligations for Operators
In addition to all obligations from the current Law, Operators will now have an additional set of obligations, such as:
- Mandatory performance of a risk assessment and adoption of the risk assessment act (revised at least once a year),
- Obligation to submit not only notifications about incidents (as before), but also about serious threats to the ICT system of special importance,
- For operators of a priority ICT system of special importance, the verification of the compliance of protection measures of the ICT system is increased to twice a year.
3. Introducing the New Supervisory Authority
The Office for Information Security (hereinafter: the “Office”) is introduced, which will take over the duties of the national CERT[9].
Chartered as a standalone agency, its mission will be to coordinate and manage incident response across the country, bolster national readiness, and ensure rapid intervention and remediation whenever a security event occurs.
4. Strict deadline for reporting incidents
The Operators are now obliged to submit notification of an incident that may have a significant impact on information security without delay, and no later than 24 hours from becoming aware of the incident, following the strict formal incident updating procedure. In addition, the information that the Operators are required to provide when reporting an incident is now strictly listed.
This obligation closely aligns with data breach notification requirements under both the GDPR and the Serbian Law on Personal Data Protection (LPDP). Under these laws, data controllers must notify the competent authority – such as the Commissioner in Serbia or a Data Protection Authority (DPA) in the EU – within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
Similarly, just as Operators under the new cybersecurity framework must follow a structured notification process, data controllers under GDPR and LPDP must provide a specific set of details about the breach, including its nature, scope, potential consequences, and mitigation measures taken.
The alignment of these incident reporting requirements under cybersecurity and data protection laws underscores the increasing regulatory emphasis on timely and transparent responses to security threats, ensuring both the resilience of information systems and the protection of individuals’ data.
5. Introduction of incident categorization
Incidents in ICT systems of particular importance that may have a significant impact on information security are classified according to the level of danger, taking into account the consequences of the incident, into the following levels:
- low,
- medium,
- high, and
- very high.
Depending on the incident categorization, which will be regulated by a separate by-law, the Operators have different obligations imposed on them.
6. Extension of the information security inspector’s powers
The information security inspectors have now been given additional powers. They may order the supervised entity to make available to the public, in a prescribed manner, information concerning non-compliance with the provisions of the law where there is a justified public interest, and they may order the supervised entity to designate a person with precisely defined powers who will supervise and monitor compliance with the provisions of the law and with the imposed measures for a specified period of time.
7. Introduction of the certification
One of the competencies of the Office is to perform certification for ICT systems, ICT products, ICT processes, and ICT services, with the exception of systems, products, processes, and services for defense and security purposes. This certification will not only contribute to improving security standards but will also increase the trust of clients and the competitive advantage for companies that opt for certification.
8. The new penalty system
The amounts of fines depend on whether the operator of the ICT system of special importance is priority or important. Namely, fines are higher for operators of priority ICT systems of special importance than for operators of important ICT systems of special importance: they go up to 2,000,000.00 RSD (approx. 17,000.00 EUR) for operators of priority ICT systems of special importance, and up to 1,000,000.00 RSD (approx. 8,500.00 EUR) for operators of important ICT systems of special importance.
4. Impact of the New Law on Information Security and NIS2 Directive on companies in Serbia
1. The biggest challenges
- Sector expansion within the Operators: By expanding the sectors to which it applies, the Proposal of the new Law on Information Security will bring a much larger number of companies within the law’s scope, which will impose new obligations on them, force them to actively engage in this area, and affect their day-to-day operations, from data security to operational strategies in the event of incidents.
- Increased costs of compliance: Compliance with the new regulations will bring increased costs for companies in the Republic of Serbia, as they will have to invest in a stronger infrastructure of information systems, implement new protection systems, hire additional experts, and train staff in order to meet the requirements of the New Law on Information Security. It is expected that local companies, especially those in critical sectors, will have to invest in more sophisticated protection systems in order to ensure business continuity in the event of an incident.
2. Benefits
- Increasing user and investor confidence: Compliance with modern regulations and at the same time international standards can lead to greater security of user data, which can positively affect the company’s reputation, increase users’ and investors’ confidence, and build trust in company business. Whether you’re undergoing a vendor assessment, evaluating merger-and-acquisition opportunities, or courting new investors, demonstrable compliance signals sound governance and instills confidence in stakeholders at every stage.
- Reduction of risks and challenges in business: Improving the security of data and infrastructure, together with the implementation and maintenance of security systems, reduces incidents and risks to business operations. Strengthening the security criteria reduces the risk of incidents, damage to systems, and data leaks.
- Higher interaction with EU partners: As the Republic of Serbia is heading toward harmonization with the EU standards, local companies will be able to collaborate more easily with companies in the European Union, as they will have harmonized security standards. This will reduce the risk of potential problems in international trade and business. Also, by aligning with the NIS2 Directive, companies in the Republic of Serbia can become more competitive on the EU market and the international scene and thereby increase the number of clients, consumers, and users.
5. Keeping up with the new cybersecurity trends on time
With the constant increase in the use of ICT in everyday life, as well as with the increase in the number of services offered to citizens electronically, it is necessary to respond to cybersecurity challenges in a timely manner. Also, constant monitoring of the regulatory news and development of this dynamic sector is crucial in order to stay competitive in the market.
Compliance with the new Law on Information Security and indirectly with the NIS2 Directive and its requirements will represent a serious challenge for companies, but also a significant step towards greater security in the digital environment. It will ensure the safer use of digital services, reduce the risk of incidents, and create conditions for attracting investments in the ICT sector.
Although companies in the Republic of Serbia will have to invest additional resources and fulfill new legal obligations, which will require adequate guidance, this process will contribute to their competitiveness, as well as to consumer and user confidence, which is essential for integration into the European economic area.