Comprehensive cybersecurity legislation implemented in North Macedonia

Effective 1 January 2026, the Republic of North Macedonia began applying the Security of Network and Information Systems Act (Official Gazette no. 135, 04.07.2025), which aligns national legislation with Directive (EU) 2022/2555 (the NIS2 Directive). The Act introduces, for the first time, a comprehensive and unified legal framework for cybersecurity in the country.

Until now, cybersecurity was regulated only in part, through several separate acts: the Electronic Management and Electronic Services Act, the Electronic Documents, Electronic Identification and Trust Services Act, the Electronic Communications Act, and the Crisis Management Act. These acts must be brought into line with the new Act within two years to ensure legislative consistency and systematic harmonization.

The Act classifies entities as essential or important, each class being subject to clearly defined obligations. Essential entities include state institutions such as the Assembly, the Government, the ministries and other administrative bodies; large operators providing services in essential sectors such as energy, banking, and postal services; providers of qualified trust services; operators of public electronic communications networks that own critical infrastructure; and any other entity designated as essential by law or on the basis of a risk assessment. Important entities are medium-sized entities in the essential sectors (energy etc.), together with other types of entities to be determined separately by the Government on the proposal of the Ministry of Digital Transformation (the Ministry). The Act requires the Government to draw up detailed lists of essential and important entities within twelve months of the Act's entry into force, i.e. by mid-July 2026. An entity that meets the conditions for inclusion but has not been identified by the Government as either essential or important must itself notify the competent authority that it fulfils the conditions; failure to do so is punishable by a fine of EUR 10,000.

A key systemic novelty is the creation of specialized incident-response structures. A Computer Incident Response Team for executive-branch institutions (MKD-GOV-CSIRT) will be formed within the Ministry and must begin operating within twelve months of the Act's entry into force, while a National Computer Incident Response Centre (MKD-CIRT), established as a separate organizational unit within the Agency for Electronic Communications, is responsible for all other entities. In addition, a Coordination Team for Large-Scale Incidents and Crisis Situations will operate within the Crisis Management Centre or, where no crisis has been declared, within the Ministry.

Essential entities within the executive and legislative branches must appoint one or more cybersecurity officers from among their administrative staff who hold higher education in ICT, telecommunications, security, or law. Other essential entities may engage cybersecurity officers externally. The provisions on the position and tasks of the cybersecurity officer are analogous to those governing data protection officers under the GDPR and GDPR-based laws such as the Data Protection Act of the Republic of North Macedonia (2020). The Act also establishes the function of National Coordinator for the Security of Network and Information Systems, responsible for coordinating the national and international exchange of cybersecurity information and for cooperation with international organizations.

Essential and important entities must carry out a risk assessment at least annually, keep their cybersecurity risk-management measures up to date and supervise their implementation, and adopt proportionate technical, operational, and organizational measures, aligned with current technological developments, to manage risks, prevent incidents, and minimize the impact on service users and on interconnected services.

In addition, the Ministry will be obliged to require essential and important entities to use ICT services, ICT systems, and ICT products certified under European and international cybersecurity certification schemes, and it will regularly monitor whether this obligation is being met.

The Act introduces strict reporting obligations. It imports from Article 23 of the NIS2 Directive the deadlines for the early warning (24 hours), the incident notification that updates the early warning and provides an initial assessment (72 hours), intermediate reports (on request of the competent authority), and the final report (one month). In addition, however, it requires essential and important entities to notify the competent incident-response team immediately, and no later than three hours after becoming aware of an incident or cyber threat. This particularly short deadline appears to differ from the 24-hour early warning in its content: the three-hour notification need only contain the information that enables the competent computer incident response team to determine the cross-border impact of the incident, whereas in the early warning the entity itself must state whether it suspects that the significant incident may have a cross-border impact and whether it was caused by unlawful or malicious action.

The Act lists ten categories of cybersecurity risk-management measures, identical to those in Article 21 of the NIS2 Directive. These measures are formulated at a high level of generality; the Act provides that the National Computer Incident Response Centre (MKD-CIRT), or the competent authority for the relevant economic sector, will specify their technical and methodological requirements in more detail.

Finally, the Act provides for substantial fines and other sanctions for non-compliance, modeled on the NIS2 Directive. Essential entities may be fined up to 2% of their total annual revenue for the previous business year, and important entities up to 1.4%. Notably, the Act also allows the responsible natural person or the legal representative of an essential or important entity to be prohibited from performing a profession, activity, or duty.