The new Serbian Information Security Act, based on the NIS2 Directive, entered into force today. The previous information security law in Serbia was enacted in January 2016, half a year before the adoption of Directive (EU) 2016/1148 (NIS1 Directive). Compared to the 2016 legislation, the newly adopted Information Security Act subjects a wider range of entities to its application and introduces new obligations concerning risk assessment, frequency of compliance checks, mandatory protection measures, and incident reporting.

The new Information Security Act distinguishes – as does the NIS2 Directive – between two relevant categories of operators of information and communications technology (ICT) systems: “essential” and “important” entities. However, the Act attaches much less significance to the distinction between essential and important entities than the NIS2 Directive does. In particular, the Act does not subject essential entities to more proactive and intrusive supervision by the cybersecurity authorities than important entities. The only distinction the Act makes in the treatment of the two categories is that essential entities can be fined for certain violations of the law up to RSD 2 million (approximately EUR 17,000), whereas the maximum fine for violations by important entities is half of that amount. Earlier drafts of the Information Security Act contained provisions requiring more frequent compliance checks for essential entities than for important entities, but those were removed from the bill in the final stage of the parliamentary review. As a result, the adopted text requires both types of entities to carry out compliance checks once a year.

It is nevertheless to be expected that the implementing bylaws that the Government of Serbia must enact in the next 12 months will impose a more demanding compliance regime for essential entities than the regime for important entities. For example, the decree specifying risk-management measures will likely require more numerous and more rigorous measures for essential entities. Also, the inspectorate in charge of verifying compliance is likely to prioritize the monitoring of essential entities over the important ones.

The new Information Security Act introduces the obligation for essential and important entities to formalize in a written document the results of the mandatory risk assessment, which is to serve as the basis for the selection and prioritization of risk-management measures to be implemented by the entity.

A dozen provisions in the new law put high demands on the operators of ICT systems. According to the law, even the early incident notification needs to be detailed, and intermediate reports are mandatory and frequent. This differs from the lighter approach under the NIS2 Directive, which requires entities to gradually expand the range of information included in the notices to the authorities, from very limited in the early warning to comprehensive in the final report. Although the Serbian law imposes a rigorous regime, it is unlikely that the difference compared to NIS2 will matter much in practice. The authorities in Serbia are not likely to take punitive steps where entities simply cannot include in their early notices information that is not yet known to them.

The Information Security Act sets forth 37 organizational, personnel, technological, and physical controls to protect ICT systems. Most EU member states have opted for the enumeration of a limited number of cybersecurity risk-management measures, the ones listed in the NIS2 Directive (Article 21), leaving it to implementing regulations to further specify the measures.

So far, most organizations have simply copied into their internal regulations the risk-management measures specified in the previous cybersecurity law (28 measures), with little or no follow-through on the actual implementation. Monitoring by the competent ministry of telecommunications has been modest. Under the new law, both the ministry and the National Center for Prevention of Security Risks in ICT Systems (CERT) will have monitoring powers allowing them to verify whether the internal regulations are only a paper tiger or genuinely serve as a basis for actual implementation of risk-management measures.

The risk-management measures included in the new law are taken from the ISO 27001 standard. This was the case under the previous legislation as well. During the public debates on the draft law and in the presentations held in the immediate aftermath of its adoption, government representatives clarified that ISO 27001 certification of an entity is not, in and of itself, proof that the entity complies with the law.

The Information Security Act, as adopted, somewhat narrowed the difference that existed between the draft law, on the one hand, and the NIS2 Directive, on the other, in relation to sanctions for failure to meet the law’s requirements. Under the directive, the competent authorities of the EU member states may temporarily prohibit individuals at the chief executive officer or legal representative level in an essential entity from exercising managerial functions in that entity. That measure was included neither in the draft law in Serbia nor in the subsequent bill introduced in the parliament. However, under the adopted version of the law, the cybersecurity inspectorate acting under the aegis of the Ministry of Telecommunications is entitled to initiate proceedings before a competent court or other competent authority to impose a prohibition on the performance of management functions on an individual in a managerial position whose actions prevented compliance with the law or obstructed the implementation of remedial measures prescribed by the inspectorate.

On the other hand, as stated above, the maximum fines for violations of the new Information Security Act are negligible (EUR 17,000 for essential entities and half of that amount for important entities) compared to those under the NIS2 Directive (the higher of a maximum of at least EUR 10 million or a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, and EUR 7 million or 1.4% respectively in the case of important entities).

Violations of the law are classified as infractions (petty offenses). Representatives of the government have stated publicly that the penalties under the Information Security Act cannot be higher because the general Infractions Act caps infraction fines at the equivalent of EUR 17,000. This explanation, however, is not convincing. The Competition Act, enacted in 2017, evaded the penalty limitations by choosing a different concept altogether: instead of “infraction penalties”, the sanctions under that law are called “administrative measures”. The Commission for Protection of Competition has been able to impose penalties in amounts far exceeding the non-deterring ones under the Infractions Act and the now-adopted Information Security Act. There is no reason of principle that would prevent the lawmakers from taking, in other areas including cybersecurity, the approach taken in the competition law field.

Deadlines for registration in a registry and enactment of internal acts:

  • The government plans to enact by 31 December 2025 the implementing acts defining the criteria for the size of economic entities as the factor determining the status of essential or important entity, as well as regulating the procedure for registration of the entities in the official registry. Within 90 days from the enactment of the by-law on the registration procedure, the entities falling under the application of the law must apply for registration.
  • The government must enact a series of other implementing acts within 12 months from 31 October 2025 (today). The entities will have to enact internal documents on risk assessment and risk-management measures within 18 months from today. In practice, this means that entities will have at least six months during which they will be able to work on internal documents using the acts issued by the government as guidelines.