The recent hacker attack on the judicial information system of the Republic of Serbia caused serious disruptions in the functioning of public administration. The work of the real estate cadastre services was particularly affected, resulting in the impossibility of registering new owners, recording encumbrances, or obtaining updated property sheets.
The question arises: Who is liable for the damage?
According to the general rules of the Law on Obligations, the state or another holder of public authority is liable for damage caused by unlawful or improper actions of officials or public authorities — in other words, the entity obliged to ensure the proper functioning of the system.
Court practice in Serbia generally recognizes that the Republic of Serbia is liable for damage caused by unlawful or improper actions of state authorities. However, courts are very restrictive in accepting claims in such situations, and in each specific case it is crucial to prove actual, concrete damage.
When it comes to cyberattacks or system breakdowns, case law most often relies on the concept of force majeure. The key argument for the defendant – the Republic of Serbia – in such cases is that the attack was insurmountable, unforeseeable, and not a result of the omission of a state authority. This means that if the state authority proves it had adequate protection measures in place, the court usually accepts that there is no liability. On the other hand, if it is established that the system was insufficiently secured or that organizational and maintenance failures contributed to the damage, then the court may award compensation at the expense of the Republic of Serbia.
The Government of the Republic of Serbia has adopted the Draft Law on Information Security, which is currently in parliamentary procedure. The Draft Law introduces precise procedures for dealing with incidents that could seriously threaten information security in the Republic of Serbia. It also envisages the establishment of the Office for Information Security, scheduled to begin operation on January 1, 2027. Its role will be to consolidate existing resources in this field and thereby enable a more efficient and coordinated state response to modern cyber challenges. The Office will also be obliged to conduct expert supervision over the implementation of this Law and the operation of the information and communication technology (ICT) system, respond promptly, and actively participate in addressing incidents that may jeopardize the security of ICT systems of particular importance, as well as threaten the functioning of the state, economy, and citizens.
For additional information or consultations, the Tasić & Partners team is at your disposal.