NEW LAW ON INFORMATION SECURITY – ENTERED INTO FORCE ON OCTOBER 31, 2025
On October 22, 2025, the National Assembly of the Republic of Serbia adopted the new Law on Information Security (hereinafter: the “New Law”), aligning the domestic legal framework with the EU NIS2 Directive. Compared to the previous Law on Information Security, the New Law encompasses a broader circle of obligated entities, introduces additional obligations, provides for the establishment of a new institution, and brings stricter supervision and a new system of fines.
Although the Law has already entered into force, its full application in practice is still not entirely clear. While for certain categories of entities it can be clearly determined that they fall under the scope of the Law, for others it will be possible to determine whether and to what extent they fall under its provisions only after the adoption of subordinate legislation.
Who are the obligated entities under the New Law?
The previous Law defined the operator of information and communication technology (ICT) systems as a legal entity, public authority, or organizational unit of a public authority that uses an ICT system in the course of performing its activities or tasks within its competence.
The New Law extends this definition to natural persons acting as registered business entities who use an ICT system in the course of their activities.
In addition, the New Law, in line with the NIS2 Directive, introduces a division of ICT systems of special significance into priority and important systems, with detailed sectors listed for each category of operators.
- Operators of priority ICT systems are:
  - legal entities and natural persons acting as registered business entities performing activities in the sectors of: energy and mining; transport; banking and financial markets; healthcare; drinking water; wastewater; digital infrastructure; ICT service management; and other sectors which, among others, include: management of nuclear facilities; provision of qualified trust services; provision of DNS services; performance of electronic communications activities, etc.;
  - public authorities;
  - operators of critical infrastructure.
- Operators of important ICT systems are:
  - legal entities and natural persons acting as registered business entities performing activities in the sectors of: postal services; waste management; packaging waste management; production and supply of chemicals; food production, processing, and distribution; manufacturing of computers, electronic and optical products; manufacturing of electrical equipment; manufacturing of machinery and devices; manufacturing of motor vehicles, trailers and semi-trailers; manufacturing of medical devices; information society services; production, trade, and transport of arms and military equipment;
  - research institutions;
  - legal and natural persons and public authorities referred to in item 1 sub-items 1. and 2. which do not fall under priority ICT operators according to the applicable criteria.
In addition to the expressly listed sectors, the competent Ministry has the authority to designate additional entities as operators of priority or important ICT systems. This applies to those entities where disruption or disturbance of ICT systems could have serious consequences for public or national security, public health, or cause significant systemic risk – particularly in sectors where such consequences could also have cross-border effects.
However, the New Law does not contain complete parameters and criteria for determining the status of priority and important ICT system operators but leaves this matter to be further regulated by Government regulation. That regulation will precisely determine the conditions, general and sector-specific criteria, including those relating to the size of business entities. Until the adoption of this regulation, it remains uncertain which entities will fall under the provisions of the New Law.
What are the new obligations of operators?
The New Law on Information Security expands the list of obligations for ICT system operators of special significance. Operators, in addition to existing obligations, are now required to:
- undertake stricter technical, operational, organizational, and physical measures, manage risks and ensure prevention and reduction of harmful consequences of incidents;
- perform risk assessments and adopt a risk assessment act, and revise it at least once a year;
- report not only incidents, but also avoided incidents that represent a serious threat;
- submit statistical data both on incidents and on avoided incidents in ICT systems.
Unlike the previous Law, the New Law introduces a short deadline for submitting incident notifications, requiring operators to submit notification of an incident that may have a significant impact on information security without delay, and no later than within 24 hours from the moment they became aware of the incident.
In addition, the deadline for adopting the risk assessment act and the ICT system of special significance security act is set at 18 months from the date of entry into force of the New Law.
Classification of incidents: four levels of risk
One of the important novelties is the classification of incidents according to the level of risk. Incidents in ICT systems of special significance that may have a significant impact on information security are classified, taking into account the consequences of the incident, into four levels of risk: low, medium, high, and very high. The Government will, by secondary legislation, regulate, among other things, the list of incidents and the method of their classification according to the level of risk.
New Office for Information Security
The New Law provides for the establishment of the Office for Information Security, which will commence operations on January 1, 2027. Its role will be the prevention and protection against security risks and incidents in ICT systems in the Republic of Serbia. The Office will take over the functions of the National Center for the Prevention of ICT Security Risks (CERT) and will have numerous other competences aimed at ensuring a unified and high level of protection of information systems, as well as strengthening trust in digital services.
A special task of the Office will also be expert supervision over the application of the law and the work of ICT system operators of special significance. This includes reviewing risk assessments, levels of technical protection and implementation of security measures, as well as responding to incidents. If irregularities are identified during expert supervision, the Office will order their rectification within a certain period, and if they are not remedied, it will notify the inspection authorities.
Expanded powers of inspectors
The supervisory role of information security inspectors has been significantly strengthened. Unlike the previous Law, where the inspector could only order the rectification of irregularities and prohibit the use of unsafe procedures and technical means, the New Law significantly broadens their powers.
Accordingly, the inspector is authorized: to require ICT system operators to test systems for vulnerabilities; to order publication of information of public interest regarding non-compliance with the law; to order the appointment of a person responsible for compliance monitoring; to propose temporary suspension or revocation of certificates or licenses in case of failure to correct irregularities; and to initiate appropriate proceedings for imposing temporary bans on performing management functions.
Monetary fines for non-compliance
The New Law provides for a new system of fines for misdemeanors, the amount of which depends on whether the obligated entity is a priority or important ICT operator, as well as whether it is a legal entity, natural person, or responsible person.
For legal entities – priority ICT operators, fines range from RSD 50,000 to RSD 2,000,000, while for obligations relating to incident reporting and handling, fines range from RSD 50,000 to RSD 500,000. For natural persons – priority ICT operators, fines range from RSD 10,000 to RSD 500,000, and for responsible persons within legal entities from RSD 5,000 to RSD 50,000.
For legal entities – important ICT operators, fines range from RSD 50,000 to RSD 1,000,000, while for obligations relating to incidents fines range from RSD 50,000 to RSD 500,000. For natural persons – important ICT operators, fines range from RSD 10,000 to RSD 250,000, and for responsible persons within legal entities from RSD 5,000 to RSD 50,000.
Subordinate legislation
The New Law leaves a number of issues unresolved, as many matters will be further regulated by secondary legislation. These acts will, among other things, specify the criteria for designating priority and important ICT operators (including size thresholds), the content and manner of maintaining registers, mandatory protection measures and the content of the security act, the procedure for notification and classification of incidents, as well as rules for certification, proactive scanning and ICT system testing.
In other words, until subordinate legislation is adopted, it remains uncertain not only how the New Law will be applied in practice, but also whether certain entities, not explicitly covered for now, will be obligated by its provisions.
Disclaimer: This text is for informational purposes only and does not constitute legal advice.