Overview of the Amendments to Serbia’s Law on Information Security

Empowering Information Security: New Directive of EU (NIS 2 Directive)

In our increasingly interconnected world, information security has become paramount. The protection of sensitive data, critical infrastructure, and personal information is not only a national concern but a global one. To address the evolving challenges in this domain, the Law on Information Security is being updated with necessary amendments, driven by the new directive of the European Union known as the NIS 2 Directive. This directive requires harmonization by October 2024, and it brings significant changes to the existing Law on Information Security in Serbia.

The existing Law on Information Security, as outlined in “RS Official Gazette,” numbers 6/2016, 94/2017, and 77/2019, primarily focuses on measures to safeguard information and communication systems against security risks. It also delineates the responsibilities of legal entities in managing and using these systems, as well as the competent authorities tasked with implementing protection measures.

Key Amendments:

  1. Broadening the Scope of Information Security: The amended law extends the purview of information security to cover not only the state but also the economy and local self-government. This expansion underscores the comprehensive nature of the new legislation.
  2. Establishment of an Office for Information Security: A pivotal change introduced by the amendments is the creation of an Office for Information Security. This office will oversee various levels of information security and manage incidents effectively. This is a critical step in ensuring a coordinated response to security threats.
  3. Vulnerability Database: The National Computer Emergency Response Team (CERT) will maintain a Vulnerability Database for ICT products and services. This database will allow both natural and legal persons, as well as manufacturers, suppliers, and service providers within the ICT system, to voluntarily report vulnerabilities. This initiative will facilitate the identification and mitigation of security weaknesses in the ICT landscape.

The process of amending the Law on Information Security involves a collaborative effort. A total of 20 bodies and organizations, comprising 57 members, are dedicated to the improvement of this regulatory framework. Notable contributors include the Ministry of Information and Telecommunications, the Ministries of Internal Affairs and Defense, the National Bank of Serbia, the Office for IT and eGovernment, RATEL, the Commissioner for Information of Public Importance, the General Secretariat of the Government, and the Office of the National Security Council. Additionally, organizations such as NALED, SKGO, Serbian Chamber of Commerce, Council of Foreign Investors, RNIDS, Cyber Security Network, and educational institutions have actively participated in this endeavor.

Priority Operators and Essential Services

The amendments align with the European directive by defining operators in the ICT sector that are considered priority and important. This designation encompasses medium and large companies operating in sectors of vital significance to citizens and the functioning of the state, such as energy, transport, banking, healthcare, and water supply. Telecommunications and trust service providers, government bodies, and operators of critical infrastructure are also included in the list of priority operators. These entities are obligated to assess the compliance of their systems with specified protection measures against cyberattacks at least twice a year. Important operators are mandated to conduct this assessment annually.

Incident Response and Reporting

The new provisions introduce a national response plan for incidents that pose significant threats to information security. All operators, regardless of their priority status, are required to report incidents to the National CERT and inform users. Priority operators are further obliged to submit statistics on avoided incidents, enhancing our understanding of the threats to which ICT systems are exposed.

Strengthened Role of National CERT

The amendments emphasize the enhanced role of the Regulatory Body for Electronic Communications and Postal Services, the National CERT. In collaboration with ICT systems of special importance, this entity will be authorized to assess the vulnerability of their systems and, with prior notification to the operator, conduct non-intrusive scans of publicly available networks and ICT systems. This proactive approach ensures that potential security risks are identified and addressed promptly.

The amendments to the Law on Information Security in Serbia are a vital step in safeguarding the nation’s digital landscape and aligning with the NIS 2 Directive of the European Union. These changes will help to create a more robust and responsive framework for information security, thereby enhancing data protection for citizens and businesses.

For all enquiries and dilemmas regarding cyber security and data privacy, feel free to contact us at office@vuliclaw.com