New Law on Information Security (2025)
The new Law on Information Security, adopted on October 23, 2025, aims to improve the regulatory and institutional conditions for protection against security risks in information and communication (ICT) systems and, at the same time, to harmonize Serbian law with the European Union's new regulatory framework in this area, Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (the NIS2 Directive)[1]. Until now, the field has been governed by the Law on Information Security ("Official Gazette of the RS", no. 6/16, 94/17 and 77/19) and the by-laws adopted under it.
The accelerated development of the digital market in the Republic of Serbia, the ever wider use of ICT in everyday life and the growing number of services offered to citizens electronically also require an updated regulatory framework, with the aim of improving ICT systems and networks, enabling secure and uninterrupted data storage and service provision, and supporting the development of other processes. The successful inclusion of the Republic of Serbia in the European digital single market likewise depends on harmonization with international standards in this area and on ensuring appropriate cybersecurity conditions.
Cybercrime remains the most prevalent form of malicious activity in cyberspace, and it evolves constantly. Examples of this adaptation include the abuse of insecurely exposed Remote Desktop Protocol (RDP) and virtual private network (VPN) connections, the abuse of online shopping and mobile banking to deliver malware or steal credentials and personal data, and the increasingly sophisticated use of social engineering. The number of malware samples and potentially unwanted applications keeps growing. According to the report of the European Union Agency for Cybersecurity (ENISA)[2], the period from mid-2023 to mid-2024 saw a significant escalation of cyber attacks, setting new benchmarks in the variety and number of incidents as well as in their consequences. More than 11,000 incidents targeting organizations across sectors were recorded, with public administration, transport and finance the most affected. Denial-of-service attacks (DoS/DDoS/RDoS) and ransomware remained the most frequently reported categories and together accounted for more than half of recorded events, followed by data breaches. The Internet Crime Complaint Center (IC3) of the US Federal Bureau of Investigation received 859,532 complaints in 2024, with losses estimated at $16.6 billion.[3]
Threats to information security in Serbia follow similar trends[4] and therefore require an active approach by all participants in the digital market. In this sense, the new law is a necessary update and improvement of the regulatory and institutional framework, intended to create the conditions for the most effective protection against security risks. Below we present the most significant novelties of the adopted Law.
The information and communication system (ICT system) is, for the purposes of this law, defined somewhat more broadly than under the previous law, as a technological and organizational whole that includes:
(1) not only electronic communication networks, but also services within the meaning of the law governing electronic communications;
(2) any device or group of interconnected devices, at least one of which performs automatic data processing by means of a computer program;
(3) data that is maintained, stored, processed, retrieved or transmitted by means of the elements under (1) and (2), for the purpose of their operation, use, protection or maintenance;
(4) the organizational structure through which the ICT system is managed;
(5) all types of system and application software and software development tools.
The circle of subjects treated as ICT system operators has also been expanded: in addition to legal entities, public bodies and organizational units of such bodies that use an ICT system in the course of their activities or within their competence, it now also covers natural persons in the capacity of a registered subject.
SECURITY OF ICT SYSTEMS OF SPECIAL IMPORTANCE
In accordance with the NIS2 Directive, the Law redefines the approach to information security, primarily by identifying operators of ICT systems of special importance and dividing them into priority and important operators.
ICT systems of special importance are defined as systems that are of key importance for the maintenance of critical social and economic activities and whose interruption or disruption in service provision would or could have a significant impact on public safety, public health, the functioning of other sectors or would create or could create a significant systemic risk. ICT systems of special importance include priority ICT systems and important ICT systems.
Operators of priority ICT systems are:
1) legal entities and natural persons in the capacity of a registered entity, which perform tasks and activities in the following areas:
– energy and mining, transport, banking and financial markets, healthcare, drinking water, waste water, digital infrastructure, management of ICT services provided to operators of priority ICT systems,
– as well as a number of other areas: management of nuclear facilities; provision of qualified trust services; provision of DNS services and management of the top-level domain registry, with the exception of root name server operators; provision of content delivery network services; performance of electronic communications activities; operation of internet exchange points; publication of the Official Gazette of the Republic of Serbia and management of the Legal Information System of the Republic of Serbia; and areas in which there is only one service provider in the Republic of Serbia whose service is necessary for the performance of critical social and economic activities;
2) public authorities;
3) entities designated as operators of critical infrastructure in accordance with the regulations governing critical infrastructure.
Operators of important ICT systems are:
1) legal entities and natural persons in the capacity of a registered entity which perform tasks and activities in the following areas: postal services; waste and packaging waste management; production and supply of chemicals; production, processing and distribution of food; production of computers, electronic and optical products; production of electrical equipment; production of machines and devices; production of motor vehicles, trailers, semi-trailers and other transport equipment; production of medical devices and in vitro diagnostic medical devices; information society services within the meaning of the law on electronic commerce; production, trade and transport of weapons and military equipment;
2) scientific research institutions;
3) legal entities and natural persons in the capacity of a registered subject that operate in the areas listed for priority ICT systems and public authorities, but which do not qualify as operators of priority ICT systems under the criteria for determining the operator.
These provisions thus expand the circle of operators of ICT systems of special importance, that is, the range of areas that the law uses as classification criteria.
As a result, some new operators now fall within the framework of priority ICT systems (e.g. entities providing qualified trust services), while the framework of important ICT systems has been significantly expanded (entities active in food production, processing and distribution; production of computers, electronic and optical products; electrical equipment; machines and devices; motor vehicles, trailers, semi-trailers and other transport equipment; medical devices and in vitro diagnostic medical devices).
- Operators of ICT systems of special importance determined under the Law on Information Security ("Official Gazette of the RS", no. 6/16, 94/17 and 77/19) continue to act in accordance with the obligations laid down in Art. 6a-11b of that law until December 31, 2025.
The operator of ICT systems of special importance has the obligation to:
1) submit an application for registration in the records of ICT system of special importance;
2) take appropriate technical, operational, organizational and physical measures to protect the ICT system of special importance, manage risk, and prevent and mitigate the adverse consequences of incidents;
3) carry out a risk assessment and adopt an act on risk assessment;
4) adopt an act on the security of the ICT system of special importance;
5) check, at least once a year, compliance with the ICT system protection measures implemented under the ICT system security act;
6) where it entrusts activities related to the ICT system of special importance to third parties, regulate the relationship with those third parties so as to ensure that ICT system protection measures are taken in accordance with the law;
7) notify, without delay, any incident that significantly disrupts the security of the ICT system of special importance;
8) report avoided incidents that represent a serious threat, in accordance with this law;
9) submit statistical data on incidents and avoided incidents in its ICT systems.
The operator of an ICT system of special importance is responsible for the security of that system and for taking ICT system protection measures. The law prescribes a set of protection measures aimed at preventing incidents, or preventing and reducing the damage from incidents, that threaten the exercise of the operator's competence and the performance of its activities, particularly where it provides services to others.
A notable novelty relative to the existing legal regime is the operator's obligation to perform a risk assessment of its ICT systems and to adopt an act on the security of the ICT systems it manages. This raises awareness both of the dangers that can threaten information security and of the protection measures appropriate to the level of risk.
- Operators of ICT systems of special importance are obliged to adopt the act on risk assessment for the ICT systems they manage within 18 months of the entry into force of this law.
- The authority, i.e. the organization in which the activities of the National CERT are carried out, is obliged, within nine months of the entry into force of this law, to adopt a general methodology for assessing risks in ICT systems of special importance under Article 11, paragraph 4 of this law.
- Operators of ICT systems of special importance are obliged to adopt the act on the security of their ICT systems within 18 months of the entry into force of this law.
The new law also introduces significant changes to the procedures that apply to incidents that significantly threaten information security in the Republic of Serbia. The obligations of ICT system operators have been expanded: in addition to notifying any incident that significantly impairs the security of an ICT system of special importance, operators now also have to report avoided incidents that pose a serious threat, in accordance with this law. The law stresses that operators of ICT systems of special importance must submit notification of such an incident without delay, and at the latest within 24 hours of becoming aware of it. The law further lays down the procedures for incidents that significantly threaten information security, the classification of incidents by level of danger (low, medium, high, very high), and the actions of the competent authorities at each level.
Procedures for an information security crisis are also prescribed. A crisis is defined as an event or condition that endangers, hinders or disables the operation of ICT systems of special importance and thereby causes risks, threats or consequences for the population, material goods or the environment of such a scale and intensity that they cannot be prevented or remedied by the regular action of the competent authorities and services, so that the response requires the participation of several competent authorities and the application of appropriate measures.
AUTHORITIES COMPETENT FOR PREVENTION AND PROTECTION AGAINST SECURITY RISKS IN ICT SYSTEMS
In addition to the competent Ministry responsible for information security, the previous Law also provided for a Body responsible for coordinating information security activities.
The new law establishes the Office for Information Security as a special organization within the meaning of the law governing the state administration. Its competence covers coordinating and managing the response to incidents in ICT systems of special importance, as well as prevention of and protection against security risks at the national level (the tasks of the National CERT).
A further novelty is the Office's competence to certify ICT systems, ICT products, ICT processes and ICT services. The manner in which this certification is carried out will be regulated in more detail by a Government by-law.
- The Office for Information Security is established, and begins to perform the tasks within its competence under this law, on January 1, 2027.
- Until that date, the activities of the National CERT are performed by the Regulatory Body for Electronic Communications and Postal Services (RATEL).
Prevention of and protection against security risks in the ICT systems of a specific legal entity, group of legal entities, business sector or similar are performed by a special center for the prevention of security risks in ICT systems (special CERT). A special CERT is a legal entity, or an organizational unit within a legal entity, with its seat in the territory of the Republic of Serbia, registered in the records of special CERTs kept by the authority or organization responsible for the affairs of the National CERT.
CRYPTO SECURITY AND PROTECTION AGAINST COMPROMISING ELECTROMAGNETIC RADIATION
The law also regulates crypto-security and protection against compromising electromagnetic radiation (KEMZ, the Serbian acronym). As under the previous legal regime, the Ministry responsible for defense performs the information security tasks related to the approval of cryptographic products used to protect the transmission and storage of data classified as secret, the distribution of cryptographic materials, and protection against compromising electromagnetic radiation.
SUPERVISION OF LAW ENFORCEMENT AND PENALTY PROVISIONS
Inspection supervision of the enforcement of this law and of the activities of operators of ICT systems of special importance is carried out by the Inspection for Information Security. The law expands the powers of the information security inspector, who may now: make requests to operators of ICT systems of special importance aimed at identifying possible security vulnerabilities, in line with the risk assessment; order an operator to make information about its non-compliance with this law available to the public; and appoint a person authorized to supervise and monitor compliance with the provisions of this law and with the measures ordered.
The law also prescribes sanctions for non-compliance with the prescribed obligations: fines for legal entities ranging from 50,000.00 to 2,000,000.00 dinars, depending on the operator's classification, and fines for natural persons in the capacity of a registered entity ranging from 10,000.00 to 500,000.00 dinars.