New Law on Information Security

Published:
20/11/2025
Published in:
News

The new Law on Information Security (“Official Gazette of the Republic of Serbia”, No. 91/2025) introduces a modernized framework for the protection of information and communication systems and provides a clearer definition of the roles, responsibilities, and obligations of all entities that manage information and communication systems. The Law becomes applicable as of 1 January 2027, upon which date the existing Law on Information Security (“Official Gazette of RS”, Nos. 6/16, 94/17 and 77/19) ceases to apply.

Operators of ICT systems may be:

  • a legal entity,
  • a natural person acting as a registered business entity,
  • a public authority or an organisational unit of a public authority using ICT systems in the performance of its duties.

The Law establishes two categories of ICT systems of special importance:

Priority ICT systems – operators in sectors such as energy and mining, transport, banking and financial markets, healthcare, and digital infrastructure, as well as other entities whose service interruption could have a significant impact on security, public health or systemic stability.

Important ICT systems – operators in sectors such as postal services, waste management, chemical and food industries, production of electronics, machinery and vehicles, IT services, production and transport of weapons, space services, research institutions, and other sectors of relevance.

Key obligations of operators of ICT systems of special importance:

  1. Registration in the official register

All operators of ICT systems of special importance are required to apply for entry into the official register of ICT systems of special importance.

  2. Implementation of security measures

Operators must implement technical, organisational, operational and physical security measures, including risk management, incident prevention, and mitigation of incident consequences.

  3. Risk Assessment Act

Operators must prepare a Risk Assessment Act in accordance with the methodology issued by the National CERT, with a mandatory annual revision, unless an existing internal act already meets all prescribed criteria.

  4. ICT System Security Act

This act defines the rules, measures, and procedures necessary to ensure an adequate level of security, must be aligned with the risk assessment, and must be reviewed at least once a year.

  5. Cooperation with third parties

Where external partners are engaged to perform part of an ICT system, contractual arrangements must include provisions ensuring the implementation of security measures in accordance with the Law.

  6. Incident reporting

Operators are required to:

  • report any incident that may compromise security without delay and no later than 24 hours,
  • report serious but prevented (avoided) incidents,
  • inform users if the incident affects the provision of services.

  7. Reporting during and after an incident

  • reporting every 3 days for incidents of medium risk,
  • reporting every 24 hours for incidents of high and very high risk,
  • submitting a final report within 15 days following the resolution of the incident.

  8. Annual statistical reporting

By 28 February each year, operators must submit to the National CERT statistical data on all reported and avoided incidents.

Incident classification

Incidents are classified into four risk levels: low, medium, high, and very high. The level of risk determines the scope of reporting obligations and the involvement of competent authorities in crisis management.

Office for Information Security

The new Office for Information Security will commence operations on 1 January 2027 and assume the role of the National CERT. It will be responsible for providing support to operators, coordinating incident response, preparing recommendations and protective measures, and preparing analyses and final incident reports.

Until its establishment, the duties are performed by the Office for IT and eGovernment (except for the competence of the National CERT, which is temporarily carried out by the Regulatory Authority for Electronic Communications and Postal Services).

For additional information or consultations, the Tasić & Partners team is at your disposal.