New Law on Information Security: Practical Impact of the New Developments

When discussing the IT industry, as well as other business sectors that increasingly rely on digital services and systems (healthcare, telecommunications, etc.), the issue of cybersecurity inevitably arises as a key topic.

This issue has been further highlighted by the most recent cyberattack on the well-known music streaming platform Spotify, in which hackers reportedly managed to steal and publicly release metadata for 256 million songs and 86 million audio files, representing virtually the platform’s entire music catalog. Nearly 300 terabytes of stolen data became available on networks and servers accessible to anyone with even minimal technical knowledge, enabling the creation of private music libraries.

Among domestic cases, notable attacks include those on Air Serbia, the Electric Power Industry of Serbia (EPS), and the Republic Geodetic Authority. As an interesting international example, the outdated security systems of the Louvre Museum were exposed following a burglary in mid-October 2025. After the theft, and in an effort to prevent similar incidents in the future, a review of passwords and security systems revealed that updates and improvements had not been carried out since 2003 and that the security code was extremely rudimentary.

All of these examples demonstrate the importance of cybersecurity across all areas of business, especially in light of the development of artificial intelligence and AI-based technologies. Estimates indicate that global end-user spending on information security will reach USD 213 billion in 2025, which clearly illustrates the importance of this field—not only for the IT sector, but also for small businesses.

Aware of the importance of this issue and of the risks arising from breaches and hacking of vital systems essential for the functioning of society, particularly in the context of accelerated digitalization, the European Union adopted the NIS2 Directive in 2022 as part of its efforts to protect key sectors and services across the EU.

The Republic of Serbia has likewise recognized the significance of this area. The adoption of the NIS2 Directive required alignment of Serbian legislation with the Directive, resulting in the adoption of a new Law on Information Security, which entered into force on 31 October 2025.

The Law introduces numerous novelties and expands its scope of application. Below are some of the most significant changes.

Key Innovations Introduced by the Law

The first major novelty is the introduction of priority and important information and communication technology (ICT) systems.

This change encompasses far more business sectors than before. Previously, only systems of special importance existed, covering primarily the energy, banking, and telecommunications sectors—essentially public systems of state interest. Under the new Law, additional categories are now included, such as postal and courier services, waste management, healthcare, food production, and IT companies (particularly those providing hosting services, cloud data storage, data centers, digital certificates, and software platforms).

To clearly distinguish between priority and important ICT systems, the following definitions apply:

  • Priority ICT systems – systems of general societal importance whose failure or collapse could have serious consequences for the state and society as a whole. Examples include healthcare, payment systems (i.e., banking and finance), wastewater management, and the provision of qualified trust services. These systems are subject to a stricter legal regime of security obligations.
  • Important ICT systems – systems that are significant for the economy and everyday life, but whose failure would not have consequences comparable to those of priority ICT systems. Examples include postal and courier services, companies operating e-commerce platforms, IT companies, and manufacturers of electronic devices. These systems are subject to a more lenient legal regime.

It should be noted that private companies (primarily IT firms) providing support services to entities considered operators of priority ICT systems are themselves subject to the regime applicable to operators of priority ICT systems.

In any event, the Government of the Republic of Serbia has a deadline of one year from the entry into force of the Law to adopt secondary legislation defining clear criteria for categorizing ICT systems as priority or important.

Obligations of ICT System Operators

Based on the above classification, operators of ICT systems of special importance (i.e., both priority and important ICT systems) are subject to the following obligations:

  1. to appoint a responsible person for information security;
  2. to conduct a risk assessment and adopt a risk assessment act, which must be reviewed at least once per year;
  3. to submit notifications, without delay, of any incident that significantly compromises system security;
  4. to submit statistical data on incidents and prevented incidents in ICT systems;
  5. to monitor risks and report incidents within 24 hours of becoming aware of them (i.e., to report not only incidents, as before, but also risks or serious threats to the system);
  6. to implement appropriate technical measures for data protection and regularly test such measures;
  7. to adopt an ICT system security act based on, and consistent with, the risk assessment act (this obligation will be particularly emphasized in practice for operators of priority ICT systems), which must also be reviewed at least once per year.


These are only some of the prescribed obligations; operators face a broad set of new duties and responsibilities that must be implemented going forward.

To clearly reflect the stricter regime applicable to priority systems, additional obligations apply to such systems, including the requirement to adopt and maintain incident response plans, cooperate with national cybersecurity authorities, and submit to stricter supervision and more frequent mandatory reporting in the event of incidents.

One of the key innovations is the exceptionally short deadline for reporting incidents: ICT system operators are now required to report, without delay and no later than 24 hours from becoming aware, any incident that may have a significant impact on information security.

The Law even provides examples of incidents that may be considered serious, including:

  1. incidents resulting in disruption of business continuity or service provision, or causing significant difficulties in operations or service delivery;
  2. incidents affecting a large number of service users or lasting for an extended period;
  3. incidents involving unauthorized access to data, the disclosure of which may endanger the rights and interests of the persons concerned.


The obligation to report incidents as prescribed is also important from the perspective of compliance with the EU General Data Protection Regulation (GDPR) and the Serbian Law on Personal Data Protection.

In this way, personal data protection is further strengthened, providing additional security for individuals who share such data for the purpose of using digital services and systems. Companies must now report any incident that could endanger personal data within 24 hours of becoming aware, with the aim of protecting citizens and minimizing potential harm.

New Authorities and Institutional Framework

The Law introduces new authorities and reallocates responsibilities among existing ones. Two authorities now exist:

  1. the Office for Information Security (which assumes the responsibilities of the National CERT);
  2. an Internal/Special CERT.

CERT stands for Computer Emergency Response Team and refers to a team (or, in smaller systems, an individual) activated in the event of computer security risks and/or incidents.

The Office for Information Security will perform numerous tasks previously assigned to the National CERT, including coordination of incident and security risk responses at the national level, cooperation in the field of information security, and certification of ICT systems, ICT products, ICT processes, and ICT services—except those intended for defense and security purposes and ICT systems handling classified information.

An Internal/Special CERT is a team established by a company that qualifies as an operator of a priority or important ICT system. Such a team may be formed internally (or, in smaller companies, consist of a single person) or outsourced to an IT company specializing in cybersecurity services. These teams are generally authorized and required to communicate with the Office for Information Security and coordinate their actions when necessary.

Risk Categorization

Another significant novelty is the categorization of risks into:

  • low,
  • medium,
  • high, and
  • very high.

Depending on the level and severity of an incident, the Office for Information Security will be obliged to prepare recommendations and measures for incident resolution that ICT system operators must implement.

The Law also provides for the adoption of additional secondary legislation defining procedures and steps to be taken for each risk level.

Practical Impact of the New Law on Businesses

Although still in the process of implementation, the new Law will almost certainly impose additional financial burdens on companies—not only large enterprises, but also medium-sized and small companies, as well as entrepreneurs.

The new obligations necessitate additional investments in IT infrastructure, employee training for crisis response, and engagement of cybersecurity experts, among other measures.

On the other hand, from a long-term perspective, the benefits are significantly greater. Compliance with the new regulations can enhance a company’s reputation and trustworthiness, as data will be strongly protected, sending a positive signal to potential investors. Such compliance reduces operational risks and incidents and strengthens international credibility, particularly with EU-based companies, facilitating cross-border cooperation due to aligned security frameworks. Ultimately, domestic companies become more competitive in international markets, especially within the EU, enabling access to new clients.

The Law also introduces a significant penalty regime, with fines ranging from RSD 50,000 to RSD 2,000,000, depending on the severity of the offense and the type of system. Violations may include failure to adopt a security act, failure to implement measures or report incidents, or failure to appoint a responsible person. The penalty framework underscores the seriousness and societal importance of information security in the digital age.

Small retailers and smaller companies are not required to immediately implement all obligations under the Law (although doing so is advisable). For example, a small retail chain or online store will not automatically qualify as an ICT system of special importance. However, even such entities use IT tools and systems such as cash registers, cloud services, and online stores.

This does not necessarily mean they must establish specialized teams or adopt all formal acts, but if they collect and store customer data or use digital infrastructure such as online payments, they must have incident response plans and mechanisms for protecting their platforms and systems (usually provided by IT service providers), and they must report incidents in accordance with the Law.

In any case, the Law still awaits further elaboration through secondary legislation and practical implementation. At this stage, the most important step for businesses is to begin planning the gradual protection of their operations and customer data. As an initial measure, it is sufficient to review existing systems, security procedures, and data storage locations to enable more efficient and effective future planning.
