BDK Advokati seminar on the cybersecurity law in Serbia and the EU

BDK Advokati held a seminar on 9 October 2024 on the draft cybersecurity law in Serbia and the European Union NIS2 Directive. The participants included representatives of leading companies active in Serbia’s energy, health, postal service, food production, and scientific research sectors.

Senior Partner Bogdan Ivanišević provided context for the draft law by drawing comparisons with Serbia’s existing Information Security Act (2016) and the NIS2 Directive. Compared with the existing law, the draft law covers a wider range of entities and introduces new obligations concerning risk assessment, the frequency of compliance checks, additional mandatory protection measures, and incident reporting. Compared with NIS2, the draft law has stricter formal requirements, but the enforcer’s hand is significantly lighter than under the EU Directive.

Consultant Pablo Perez Laya explained the distinction between the two categories of operators of information and communications technology (ICT) systems – “essential” and “important” entities – that fall within the scope of the draft law. Pablo concluded that the distinction under the draft law is less consequential than under the NIS2 Directive.

Bogdan and Pablo devoted a major part of the seminar to explaining the main obligations under the draft law. While the obligation to register does not raise major issues, it might take time for the contours of the remaining obligations to take a defined shape.

  • Protection measures: BDK’s presenters pointed to a specific feature of the Serbian draft law, which sets forth 34 organisational, people, technological, and physical controls. The NIS2 Directive and the recent laws of the member states that have implemented the Directive (Croatia, Belgium, Latvia, and Italy specifically) include far fewer measures and formulate them at a higher level of generality.
  • Internal acts and compliance checks: The draft law stipulates that the government will enact bylaws to specify the methodology of risk assessment and detail the contents of the security act and the compliance check reports. The draft law requires more frequent compliance checks than the NIS2 Directive and the implementing laws adopted so far in the EU member states.
  • Incident handling: The draft law introduces major changes, compared to the existing Information Security Act, to the reporting of cybersecurity incidents to the competent authorities and to users of the services. A dozen provisions in the draft law place high demands on the operators of ICT systems. In particular, even the early incident notification needs to be detailed, and the intermediate reports are mandatory and frequent. Regarding the assessment of when an entity became aware of an incident, and thus when the deadline for submitting the notification began to run, BDK’s presenters pointed to the criteria articulated in 2023 by the European Data Protection Board in relation to the obligation to notify a breach of personal data as a useful benchmark.
  • Supply chain security: Although the draft law, like the NIS2 Directive, contains only a handful of short provisions on supply chain security, the presenters and the attendees addressed the issue in detail in light of its significance. Based on existing best practices and a draft Implementing Regulation by the European Commission, BDK’s presenters suggested practical steps to comply with the draft law’s obligation to regulate relationships with third parties in a manner that ensures effective implementation of protective measures.

In the concluding part of the seminar, BDK Advokati offered some practical tips on how essential and important entities can prepare for the law once it has been enacted.

For more information on cybersecurity law related matters, please contact Bogdan Ivanišević (Bogdan.Ivanisevic@bdkadvokati.com) or Pablo Perez Laya (pablo.laya@bdkadvokati.com).