Regulations on the implementation of the Cybersecurity Act in North Macedonia
In recent weeks, the government of North Macedonia has adopted a series of regulations that further elaborate and operationalise the provisions of the Network and Information Systems Security Act of 4 July 2025 ("the Law"). With this development, the government has made significant progress in completing the national legal framework in the field of cybersecurity.
These regulations establish clear criteria for the identification and categorisation of entities subject to the obligations under the Law, as well as the conditions for establishing appropriate organisational structures for cybersecurity governance.
Classification of essential and important entities
On 18 June 2026, the Decree on the Method of Identifying Sectors, Sub-sectors, Types of Entities, as well as the Method for Identifying Essential and Important Entities ("Classification Methodology") was published in the Official Gazette No. 133/2026. Under the Decree, the classification of essential entities is based on three core criteria: the status of the entity, its size, and the services it provides.
On the basis of status, essential entities include public sector institutions.
On the basis of size, essential entities include large undertakings operating in highly critical sectors, such as energy, transport, banking, financial markets, healthcare, digital infrastructure, ICT service management (B2B), drinking water supply and distribution, wastewater management, postal and courier services, waste management, chemical production and distribution, food production, processing and distribution, digital service providers, as well as research activities.
On the basis of the services they provide, essential entities include, inter alia:
- qualified trust service providers;
- registries of national top-level domains (.mk and .мкд), i.e. DNS service providers;
- operators and providers of public electronic communications networks and services that qualify as medium or large entities;
- owners and operators of critical infrastructure;
- entities designated as essential entities under the law or following a risk assessment.
With regard to important entities, classification is primarily based on the size of the entity; an entity may also be classified as important pursuant to the law or following a risk assessment. As a rule, this category includes medium-sized undertakings operating, like the essential entities, in the sectors mentioned above.
A week earlier, a Methodology for Risk Assessment for the Purpose of Determining Essential and Important Entities was published (Official Gazette No. 128/2026 of 12 June 2026). This act sets out the criteria and procedures for conducting risk assessments on the basis of which an entity may be classified as either an essential or an important entity.
Publication of detailed lists
Finally, the detailed lists of sectors and types of entities in highly critical sectors, the detailed list of sub-sectors and types of entities in other critical sectors, and the detailed lists of essential and important entities were published in Official Gazette No. 139/2026 of 25 June 2026.
The fact that the detailed lists of essential and important entities have been published means that the government itself carried out the initial classification of the entities. Each affected entity can now find itself included in the relevant list. However, if an entity determines, based on the Classification Methodology of 18 June 2026, that it meets the criteria for classification as an essential or important entity, the Law requires that entity to notify the competent authority accordingly.
Framework for cybersecurity governance
Two rulebooks, adopted as part of the implementing regulations, concern the requirements, role, and activities of cybersecurity officers within public sector institutions. The following rules can be extracted from the rulebooks:
- The number of required cybersecurity officers is determined on the basis of the size of the institution, the complexity of its network and information systems, and the volume of data processing. Depending on these criteria, institutions are required to appoint between one and five cybersecurity officers.
- Cybersecurity officers in public sector institutions are required to possess a broad range of legal, organisational, and technical competencies, including knowledge of national and international regulations, the ability to develop and implement cybersecurity policies, risk management, regulatory compliance monitoring, incident management, vulnerability management, data security and cryptography, security of ICT products and services, as well as the ability to ensure effective internal and external coordination.
In addition, a rulebook establishes specific rules regarding the implementation of training for cybersecurity officers in the public and private sectors.
CIRT priorities related to cyber risks and incidents
Lastly, the government has enacted the Methodology for Conducting Risk Assessments for the Purpose of Prioritising the Tasks of the Computer Incident Response Team (Official Gazette No. 139/2026 of 25 June 2026). This Methodology establishes the framework for conducting risk-based prioritisation of the activities of the Computer Incident Response Team for the executive authorities, operating within the Ministry of Digital Transformation (MKD-GOV-CSIRT).
Final remarks
The adoption of the above-mentioned subordinate legislative acts establishes a comprehensive regulatory framework for the implementation of the Law. These instruments have direct practical relevance for public sector institutions, as well as for a significant number of private sector entities, which are required to assess their status in a timely manner, fulfil notification obligations towards the competent authority, and establish appropriate cybersecurity governance structures. Notably, an implementing act specifying the risk-management measures applicable to entities within the scope of the Law remains to be adopted.
In light of the new legal obligations and applicable deadlines, it is advisable for all affected entities to promptly assess their compliance with the new regulatory framework and, where necessary, undertake appropriate organisational, technical, and legal measures to ensure full compliance.

