1. GOVERNING TEXTS
The Law on Information Security (Official Gazette of the Republic of Serbia, No. 6/2016, 94/2017, 52/2021) (only available in Serbian here) ('the Law') is the general law which addresses cybersecurity in the Republic of Serbia. The Law has been in force since 5 February 2016, and the latest amended version of the Law came into force on 8 November 2019, when it was further aligned with the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive').
However, please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Gazette of the European Union on 27 December 2022 and became effective as of 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, by 17 October 2024, Member States must transpose the NIS 2 Directive into their national legislation, and the transposition laws shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed. For further information please see our Insight article on the NIS Directive here.
The Law regulates measures for protection against security risks in information and communication systems, allocates responsibilities of legal entities in the management and use of information and communication systems, and determines the competent authorities for the implementation of protection measures, coordination between protection factors, and monitoring the proper implementation of prescribed protection measures.
'Information security' is defined as a set of measures that enable the data handled by the ICT system to be protected from unauthorised access, and that protect the integrity, availability, and authenticity of that data, so that the system functions as intended, when intended, and under the control of authorised persons.
The Law on Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 87/2018) (only available in Serbian here) is the general law on protection of personal data in the Republic of Serbia. The law has been in force since 21 November 2018, applicable since 21 August 2019, and is fully aligned with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Apart from the Law, there are sectoral laws which regulate information security such as:
- The Law on Electronic Communications (Official Gazette of the Republic of Serbia No. 44/2010, No. 60/2013, No. 62/2014, and No. 95/2018) (only available in Serbian here), under which, in order to ensure the security and integrity of public electronic communications networks and services, the secrecy of communications, and the protection of personal, traffic, and location data, the operator is obliged to apply adequate technical and organisational measures appropriate to the existing risks, in particular measures to prevent and minimise the impact of security incidents on users and interconnected networks, as well as measures to ensure the continuity of public communications networks and services;
- The Law on Electronic Government (Official Gazette of the Republic of Serbia No. 27/2018) (only available in Serbian here) according to which information systems, electronic communications networks, and equipment used for performing electronic administrative procedures must meet the requirements and standards of information security, in accordance with regulations such as the Law;
- The Law on Electronic Document, Electronic Identification and Trust Services in Electronic Business (Official Gazette of the Republic of Serbia No. 94/2017) (only available in Serbian here) based on the Regulation (EU) No 910/2014 of 23 July 2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC, which states that trust service providers, including qualified trust service providers, must take the necessary technical and organisational measures to manage the risks that threaten the reliable and secure provision of such trust services;
- The Criminal Code (Official Gazette of the Republic of Serbia No. 85/2005, 88/2005, 107/2005, 72/2009, 111/2009, 121/2012, 104/2013, 108/2014, 94/2016, 35/2019) (only available in Serbian here) contains a section on criminal acts against the security of computer data which includes damaging of computer data and programs, computer sabotage, creating and introducing computer viruses, computer fraud, unauthorised access to protected computer, computer network and electronic processing of data, preventing and limiting access to a public computer network, unauthorised use of a computer or a computer network, creating, acquiring or providing tools for committing criminal acts against the security of computer data; and
- The Law on Critical Infrastructure (Official Gazette of the Republic of Serbia No. 87/2018) (only available in Serbian here) ('the Law on Critical Infrastructure') which defines telecommunication and information technologies as one of the sectors in which identification and determination of critical infrastructure must be performed; critical infrastructure operators are required to develop an operator's risk management plan which defines risk mitigation measures, defines responsibilities and assigns duties, and establishes a framework for action to eliminate or reduce the consequences of security threats identified in the risk analysis.
1.2. Regulatory authority
The main regulatory authority in the Republic of Serbia is the state administration body in charge of ICT security. Currently, this is the ministry responsible for information security, which is the Ministry of Trade, Tourism, and Telecommunications ('the Ministry'). Within the Ministry, the sector in charge is the Sector for Information Society and within it the section for information security and electronic business ('the Section').
The Section performs tasks related to:
- data protection and information security;
- preventive action and the carrying out of inspection supervision by inspectors of the relevant ministry, who evaluate compliance with the laws and other regulations governing information security, electronic documents, electronic identification, and trust services in electronic commerce, and who take the prescribed administrative and criminal measures in the course of inspection supervision, in proportion to the assessed risk and in accordance with the laws governing inspection supervision; and
- overseeing the work of the National Computer Emergency Response Team ('National CERT'), receiving notification of incidents in ICT systems of particular importance that can have a significant impact on the disruption of information security, facilitating international cooperation in the field of ICT systems, and keeping registers in accordance with the law governing electronic document, electronic identification, and trust services in e-commerce.
In addition to the Ministry as the supervising body, the Law establishes the National CERT, which coordinates the prevention of and protection against security risks in ICT systems in the Republic of Serbia at the national level. This includes collecting and exchanging information on ICT security risks and on events that threaten the security of ICT systems, and, on that basis, informing, supporting, alerting, and advising persons managing ICT systems in the Republic of Serbia, as well as the public. Finally, the National CERT promotes the adoption and use of prescribed and standardised procedures for managing and remedying risks and incidents, as well as for the classification of information on risks and incidents. The activities of the National CERT are the responsibility of the Regulatory Agency for Electronic Communications and Postal Services ('RATEL').
Furthermore, the Law defines a specific CERT as a legal entity, or an organisational unit within a legal entity, established in the territory of the Republic of Serbia and registered in the records of specific CERTs maintained by the National CERT. A specific CERT performs the activities of prevention of and protection against security risks in ICT systems within a certain legal entity, group of legal entities, business area, and the like.
In addition, there is a CERT of state authorities, the Information and Communications Technologies Department, which performs tasks related to protection against incidents in the ICT systems of state authorities, except for the ICT systems of independent operators. Independent ICT system operators are required to set up their own ICT security centres to manage incidents in their systems. Such independent operators include the Ministry of Defence, Ministry of Interior ('MUP'), and the Ministry of Foreign Affairs.
The National CERT has issued the following guidance:
- general guidance on cybersecurity (only available in Serbian here) which describes the most frequent types of cyberattacks together with the recommendations on how to prevent them;
- a brief guide on the prevention and protection of small and medium-sized businesses from cyber attacks (only available in Serbian here); and
- a guide on incident reporting for ICT system operators of particular importance (only available in Serbian here).
2. SCOPE OF APPLICATION
An 'ICT system' is a technological and organisational unit which includes (Article 2 of the Law):
- electronic communications networks within the meaning of the law governing electronic communications;
- devices or groups of interconnected devices, such that automatic processing of data is performed within a device, or within at least one of a group of devices, using a computer program;
- data that is maintained, stored, processed, retrieved, or transmitted by means of electronic communications networks and devices or groups of interconnected devices for the purpose of their operation, use, protection, or maintenance;
- the organisational structure through which the ICT system is managed; and
- all types of system and application software and software development tools.
Critical infrastructure operators are public authorities, autonomous provincial authorities, local self-government bodies, public enterprises, companies, or other legal entities managing systems, networks, facilities, or parts thereof designated as critical infrastructure.
Critical infrastructure is systems, networks, facilities, or parts thereof whose interruption of operation or interruption of delivery of goods or services can have serious consequences for national security, the health and lives of people, property, the environment, the security of citizens, or economic stability, or can endanger the functioning of the Republic of Serbia.
An ICT system operator is a legal entity, authority, or organisational unit of a government body that uses an ICT system in the course of carrying out its activity or activities within its competence.
ICT systems of particular importance are systems used:
- in the performance of tasks in the authorities;
- for the processing of special types of personal data, within the meaning of the law governing the protection of personal data;
- in performing activities of general interest and other activities in the following areas:
  - exploration, production, processing, transportation, and distribution of natural and liquid gas;
  - exploration, production, refining, transportation, and distribution of oil and trade in oil and petroleum products;
  - coal production and processing;
  - generation, transmission, and distribution of electricity;
  - rail, postal, water, and air transport;
  - health care:
    - health protection;
  - banking and financial markets:
    - affairs of financial institutions;
    - keeping a register of data on liabilities of natural and legal persons to financial institutions;
    - management of, or activities related to the functioning of, the regulated market;
  - digital infrastructure:
    - internet traffic exchange;
    - managing the National Internet Domain Registry and online naming system;
  - goods of general interest:
    - use, management, protection, and promotion of goods of general interest (water, roads, mineral resources, forests, navigable rivers, lakes, coasts, spas, game, protected areas);
  - information society services:
    - information society services (services provided remotely, as a rule for a fee, via electronic data processing and storage equipment, at the personal request of service users, in particular internet commerce, data provision and online advertising, electronic search engines, the provision of data and services search transmitted over an electronic network, providing access to the network, or storing data of service users);
  - other areas:
    - electronic communications;
    - publishing of the official gazette of the Republic of Serbia;
    - management of nuclear facilities;
    - production and transportation of arms and military equipment;
    - waste management;
    - production and supply of chemicals; and
- in legal entities and institutions established by the Republic of Serbia, an autonomous province, or a unit of local self-government.
The information society service provider is a legal or natural person. The provision of information society services for commercial purposes may be performed by a legal or natural person who is registered to perform a particular activity in accordance with the Law.
An ICT system operator of particular importance is responsible for the security of the ICT system and for taking measures to protect the ICT system.
ICT security measures are technical and organisational measures for managing the security risks of ICT systems, and include:
- establishment of an organisational structure, with defined jobs and responsibilities of employees, which achieves information security management within the ICT system operator;
- ensuring the security of remote work and of the use of mobile devices;
- ensuring that persons using or managing the ICT system are qualified for the work they do and understand their responsibility;
- protection against risks arising from changes of jobs or termination of employment of persons employed by ICT system operators;
- identification of information assets and determining responsibility for their protection;
- classification of data so that the level of their protection corresponds to the importance of data in accordance with the principle of risk management;
- protection of data carriers;
- limitation of access to data and data processing facilities;
- granting authorised access and preventing unauthorised access to the ICT system and services provided by the ICT system;
- determining the responsibility of users for protecting their own authentication assets;
- providing for the proper use of cryptographic protection to protect the secrecy, authenticity, and integrity of data;
- physical protection of facilities, premises, or zones in which the resources and documents of the ICT system are located and data is processed in the ICT system;
- protection against loss, damage, theft, or other threat to the security of the assets that make up the ICT system;
- ensuring the correct and safe functioning of data processing facilities;
- protection of data and data processing tools against malware;
- protection against data loss;
- storage of event data that may be relevant for the security of ICT systems;
- ensuring the integrity of software and operating systems;
- protection against the exploitation of technical security weaknesses of ICT systems;
- ensuring that ICT system audit activities have as little impact as possible on the functioning of the system;
- data protection in communications networks including devices and lines;
- security of data transmitted within ICT system operators, as well as between ICT system operators and persons outside the ICT system operator;
- fulfilment of requirements for information security within the management of all phases of the life cycle of the ICT system or parts of the system;
- protection of data used for the purposes of testing ICT systems or parts of systems;
- safeguarding the resources of ICT system operators available to service providers;
- maintaining the agreed level of information security and the services provided in accordance with the conditions agreed with the service provider;
- prevention and response to security incidents, which implies adequate exchange of information on security weaknesses of ICT systems, incidents and threats; and
- measures ensuring continuity of work in extraordinary circumstances.
ICT system operators of particular importance must, without delay, notify in writing any incident in their ICT systems that may have a significant impact on the disruption of information security. The notification is submitted through the single incident notification system maintained by the Ministry on its website, or through the National CERT, no later than the next business day after the incident occurred. Financial institutions and electronic communications operators are exceptions: financial institutions notify the National Bank of Serbia, and electronic communications operators notify RATEL.
An ICT system operator of particular importance is required to report the following incidents that may have a significant impact on the disruption of information security:
- incidents that lead to the interruption of the continuity of the performance of activities and the provision of services; that is, significant difficulties in the performance of activities and the provision of services;
- incidents that affect a large number of service users or last for a long period of time;
- incidents that lead to interruption of continuity; that is, difficulties in performing activities and providing services, which affect the performance of activities and the performance of services of other ICT system operators of particular importance or affect public safety;
- incidents that lead to interruption of continuity; that is, difficulties in performing activities and providing services and affecting most of the territory of the Republic of Serbia;
- incidents that lead to unauthorised access to protected information whose disclosure may jeopardise the rights and interests of the data subject; and
- incidents resulting from an incident in the ICT system for information society services, when the ICT system of particular importance in its business uses the ICT system for information society services.
An operator of an ICT system of particular importance must also report incidents that have led to a significant increase in the risk of the consequences referred to above.
The incident notification must contain the type and description of the incident, the time and duration of the incident, the consequences it caused, the actions taken to mitigate the consequences of the incident, and, where appropriate, other relevant information.
Following the reporting of an incident, if the incident is still ongoing, ICT system operators of particular importance must submit notifications of important events related to the incident and the activities they undertake until the termination of the incident, to the body to which they have reported the incident in accordance with the Law.
ICT system operators of particular importance must submit a final incident report to the body notified in accordance with the Law about the incident within 15 days from the date of termination of the incident, which must contain the type and description of the incident, the time and duration of the incident, the consequences of the incident, actions taken to remedy the incident and, where appropriate, other relevant information.
If the incident is of public interest, the Ministry or other body to whom incident notifications are sent may publish information about the incident, after consulting the ICT system operator of particular importance in which the incident occurred.
The Ministry must establish and maintain records of ICT systems of particular importance, which shall include (Article 6b of the Law):
- the name and seat of the ICT system operator of particular importance;
- first and last name, official email address and official contact telephone number of the administrator of the ICT system of particular importance;
- first and last name, official email address, and official contact telephone number of the responsible person of the ICT system of particular importance; and
- information on the type of ICT system of particular importance.
An operator of an ICT system of particular importance is obliged to register the ICT system of particular importance that it manages.
The operator must submit the above information to the Ministry no later than 90 days from the date the ICT system of particular importance is established.
- In accordance with the Law, an operator of an ICT system of particular importance must appoint the administrator of the ICT system of particular importance and the responsible person of the ICT system of particular importance.
- Under the Law on Critical Infrastructure, critical infrastructure operators must have a liaison officer, that is, a contact person between the operator and the MUP, who ensures constant control of risks and threats, notifies changes in relation to the critical infrastructure, notifies the MUP of the risk, threat, and vulnerability evaluation, coordinates the security plan for risk management, performs tests through exercises and other activities provided for in the plan, and performs other critical infrastructure-related tasks. The liaison officer is appointed by the MUP on the proposal of the critical infrastructure operator, from among the operator's employees. The critical infrastructure operator must submit to the MUP a proposal for the appointment of a liaison officer no later than three months after the designation of systems, networks, facilities, or parts thereof as critical infrastructure. The proposed person must be licensed as a liaison officer.
An ICT system operator of particular importance in accordance with the Law is also obliged to:
- adopt the ICT security act, a document which defines protection measures, and in particular the principles, methods and procedures for achieving and maintaining an adequate level of system security, as well as the powers and responsibilities regarding the security and resources of ICT systems of particular importance;
- check the compliance of applied measures of protection of ICT systems with the ICT security act, at least once a year;
- regulate the relationship with third parties in a way that ensures that the measures for security of the ICT system are undertaken in accordance with the Law, if it entrusts activities related to the ICT system of particular importance to third parties; and
- provide accurate statistics on incidents in the ICT system.
4. SECTOR-SPECIFIC REQUIREMENTS
Cybersecurity in the health sector
Cybersecurity in the financial sector
The Decision on Minimum Standards for Financial Institution Information System Management regulates, among other things, the security of such information systems in the sector.
Cybersecurity practices for employees
Cybersecurity in the education sector
In addition to the measures an inspector may impose under the law governing inspection supervision, the information security inspector is authorised, in the course of supervision, to:
- order the elimination of identified irregularities and set a deadline; and
- prohibit the use of procedures and technical means that endanger or impair information security and set a deadline for this.
A monetary fine in the amount of RSD 50,000 (approx. €425) to RSD 2,000,000 (approx. €17,008) will be imposed on the ICT system operator of particular importance if it:
- fails to register itself within the required time limit;
- fails to adopt the ICT security act;
- fails to apply the security measures specified in the ICT security act;
- fails to check the compliance of the applied measures;
- fails to submit the statistical data; and
- fails to act on the order of the information security inspector within the given time limit.
For any of the above misdemeanours, the responsible person in the ICT system operator of particular importance will also be fined in the amount of RSD 5,000 (approx. €42) to RSD 50,000.
Finally, a monetary fine in the amount of RSD 50,000 to RSD 500,000 (approx. €4,252) will be imposed on the ICT system operator of particular importance if it:
- fails to notify the authorities of the incidents in the ICT system;
- fails to submit notifications on important events related to the incident and related activities; and
- fails to submit the final incident report within the time limit.
For any of these misdemeanours, the responsible person in the ICT system operator of particular importance will also be fined in the amount of RSD 5,000 to RSD 50,000.
6. OTHER AREAS OF INTEREST
Alex Petrović, Senior Partner, JSP, Belgrade