New Law on Information Security – What’s New
The new Law on Information Security (“Official Gazette of the Republic of Serbia”, No. 91/2025, hereinafter referred to as the “New Law”) entered into force on 31 October 2025, replacing the previous Law on Information Security (“Official Gazette of the Republic of Serbia”, No. 6/2016, 94/2017, 77/2019). The exception is Articles 6a–11b and Articles 30 and 31 of the previous law, which remain in force until 31 December 2025; these provisions regulate the obligations of operators of information and communication technology systems (“ICT Systems”) of special importance, incident notification procedures, and penal provisions.
The main objective of adopting the New Law is to align Serbian legislation with Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”), in order to establish a regulatory framework that corresponds to current developments across Europe and to fulfil obligations under the Stabilization and Association Agreement and the EU accession process of the Republic of Serbia. In addition, the existing solutions have been refined based on experience gained in previous practice.
The most important new legislative solutions relate to:
- Defining priority and important ICT Systems of special importance – by expanding the sectors to which the law applies, it will now cover a significantly larger number of companies that will be subject to increased inspection oversight;
- Specifying the activities that operators of ICT Systems of special importance must undertake to ensure the security of their ICT Systems (protective measures, risk assessments, security acts);
- Establishing the Office for Information Security;
- Introducing incident management and reporting procedures for incidents that significantly jeopardize information security;
- Expanding inspection authorities;
- Introducing a new penalty system.
1) Defining Priority and Important ICT Systems of Special Importance
A key novelty introduced by the New Law is the expansion of its scope to sectors previously considered not in need of such protection. In this regard, ICT Systems of special importance have been redefined as ICT Systems that are crucial for maintaining critical social and economic activities, and whose disruption would significantly affect public safety, public health, the functioning of other sectors, or create a significant systemic risk. A distinction has been made between priority and important ICT Systems of special importance.
Operators of priority ICT Systems of special importance include state authorities, critical infrastructure operators, entities whose ICT System disruption or malfunction could significantly affect security or public health or cause systemic risk, and, in addition, legal entities that perform key activities in certain sectors. These sectors have been expanded and defined in greater detail compared to those covered by operators of ICT Systems of special importance under the previous regulation: in addition to the energy sector, the mining sector has been included; drinking water and wastewater have been identified as separate areas; activities within the digital infrastructure sector have been significantly expanded; and a new area has been added, namely the management of ICT services provided to operators of priority ICT Systems.
On the other hand, important ICT System operators of special importance include, among others, sectors such as postal services, manufacturing of computers, electronic and optical products, electrical equipment, machinery, motor vehicles, medical devices, and providers of information society services within the meaning of the Law on Electronic Commerce.
For business entities, this means that they need to assess whether their systems qualify as priority or important ICT Systems of special importance, since they accordingly have additional obligations to comply with under the New Law.
The Government has a one-year deadline from the date of entry into force of the New Law to adopt subsidiary legislation that will further specify the criteria for classifying ICT System operators into priority and important categories.
2) Obligations of Operators of ICT Systems of Special Importance to Ensure the Security of ICT Systems
Given the necessity for uninterrupted operation and protection of the integrity of data and services they provide, ICT Systems of special importance must be protected through various security measures.
A major novelty compared to the previous framework is the mandatory risk assessment of ICT Systems and the adoption of an ICT System Risk Assessment Act. The obligation to adopt an ICT System Security Act remains, and a new obligation is introduced to verify, at least once a year, that the applied protection measures comply with the ICT System Security Act. A further new obligation is the reporting of near-miss incidents that pose a serious threat, in accordance with the law, and not only of incidents that have actually occurred, as was previously stipulated.
3) Establishment of the Office for Information Security
The New Law provides for the establishment of the Office for Information Security, which will begin its operations on 1 June 2027. As a government agency, the Office will carry out tasks of prevention and protection against security risks at the national level (tasks of the National CERT), take preventive and reactive measures to protect the Unified Information and Communication Network of e-Government (CERT of government authorities), cooperate at the national and international level, and perform the functions of a single point of contact.
Until the Office is formed, its tasks will be performed by the Office for Information Technology and e-Government and by the Regulatory Authority for Electronic Communications and Postal Services, which currently performs the functions of the National CERT.
4) Procedures in the Event of Incidents Significantly Jeopardizing Information Security of ICT Systems
The New Law imposes an obligation on ICT System operators to report incidents that significantly endanger information security, as well as near-miss incidents that pose a serious threat, within 24 hours of becoming aware of the incident. Incidents are classified by severity as low, medium, high, or very high, and the response of the competent authorities depends on the assigned level.
The New Law sets high standards for operators, including detailed initial reports and mandatory follow-up updates throughout the incident handling process.
5) Expanded Inspection Authorities
The New Law broadens the powers of information security inspectors. In addition to their previous powers to order the remedy of identified irregularities and to prohibit the use of procedures and technical means that endanger or compromise information security, inspectors may now order a supervised entity to test its systems for vulnerabilities, publish information on legal violations, appoint a compliance officer, propose the suspension or revocation of certificates due to irregularities, and initiate a temporary ban on holding managerial positions for individuals who obstruct the enforcement of the law.
6) New Penalty System
The New Law introduces a differentiated system of monetary penalties, depending on the category of the ICT System operator of special importance:
- Priority ICT System operators may be fined from 50,000 to 2,000,000 RSD (approx. EUR 430 to 17,000);
- Important ICT System operators may be fined from 50,000 to 1,000,000 RSD (approx. EUR 430 to 8,500).
Penalties apply, among other cases, when an operator fails to adopt a risk assessment or security act, does not implement prescribed protection measures, fails to report incidents within the legal deadline, or disregards orders issued by information security inspectors.
Conclusion
In practice, the implementation of the new Law on Information Security means that a broader range of legal entities, including sectors previously not covered, are now required to establish precise procedures, technical and organizational protection measures, and incident response plans.
Given the scope and complexity of the new obligations, entities are advised to analyze their ICT Systems in a timely manner, align their internal acts and procedures with the law, and secure professional support in order to maintain business continuity and avoid potential sanctions.