Reasons for adopting the new Law on Information Security

By enacting the new Law on Information Security (“Official Gazette of the RS” No. 91/2025, hereinafter: the New Law), the aim is to ensure a higher level of general information security (cybersecurity) in the context of increasing digitalisation and an increasingly complex cyber environment.

Another reason for adopting the New Law is to harmonise national regulation with European standards – specifically with the NIS2 Directive of the EU, which has expanded and revised the regulatory framework for information security at the EU level. 

More generally, the reasons for adopting the New Law also include improving the institutional framework so that it is properly equipped to implement the newly established obligations and competences, and the need to improve solutions and remove shortcomings identified in the previous law – including organisational and structural improvements of the legal text itself.

A broader circle of subjects covered by the New Law and their classification

Under the New Law, operators of information and communication technology systems (hereinafter: ICT systems) may now also be natural persons registered as subjects, in addition to legal persons, state bodies and organisational units of government.

Moreover, the New Law divides ICT systems of special importance into two categories – priority ICT systems and important ICT systems:

Priority ICT systems – systems of key significance for maintaining critical societal and economic activities, where any disruption or interruption in service could have serious impact on public security, public health, energy supply, water supply, traffic safety, financial stability, etc.

  • Operators of priority ICT systems are legal or natural persons (as registered subjects) from sectors vital for society functioning – energy and mining, transport, banking, healthcare, etc. These were already covered under the previous law.

Important ICT systems – systems which were not covered under the previous law. These relate to sectors such as postal services, research institutions, food production, production of electronics, computers, machinery and equipment, motor vehicles, medical devices…

  • Operators of important ICT systems can be legal or natural persons (registered subjects) from these broader sectors, including entities from the areas of packaging waste management, scientific-research institutions, chemical and food production, manufacturing of electronic equipment, vehicles, weapons, as well as providers of information-society services.

Thus, a much broader set of subjects (from both the public sector and, especially, the private sector) is now addressed by the New Law and subject to its information-security obligations.

New obligations – Risk Assessment Act, Security Act, incident-reporting deadlines and reporting during an incident

The New Law introduces a more extensive and precise set of obligations for operators of ICT systems of special importance:

  • Risk Assessment Act – all operators of ICT systems of special importance are required to perform a risk assessment and adopt a Risk Assessment Act within 18 months from the date of entry into force of the New Law (by 30th of April 2027);
  • Security Act – similarly, they must adopt a Security Act for their ICT systems, based on the Risk Assessment Act, within the same 18-month period (by 30th of April 2027);
  • Annual reviews and alignment – once adopted, both the Risk Assessment Act and the Security Act must be regularly reviewed and aligned at least annually;
  • Incident reporting deadline – the New Law establishes a 24-hour deadline from the moment the operator becomes aware of a security incident that significantly jeopardises information security, to submit a notification about the incident;
  • Obligation to report also prevented (near-miss) incidents – the New Law requires operators to report not only actual incidents but also prevented incidents that represented a serious threat to information security;
  • Reporting during incident – beyond the initial notification, the New Law provides for periodic reporting during the incident – for medium-level incidents every three days, and for high or very high level incidents every 24 hours – and retains the pre-existing obligation to submit a final incident report within 15 days from the end of the incident.

Institutional changes – establishment of an Office for Information Security

The New Law provides for the establishment of an Office for Information Security – a new institution responsible for prevention, protection against security risks, coordination, supervision and responding in case of incidents. This Office will assume the role of the national CERT, and its full operation is planned from 1st of January 2027.

Until then, functions in the domain of information security previously handled by the national CERT will be carried out by the existing regulatory authority for electronic communications and postal services; other tasks foreseen by the New Law will be managed by the Office for IT and eGovernment.

The New Law also increases the role of the state in oversight – besides inspection oversight carried out by the Information Security Inspection, there will be expert supervision over the implementation of the New Law and over the work of operators of ICT systems of special importance, carried out by the Office for Information Security.

In practice, this means that protection of ICT systems is no longer solely a matter of “internal procedures” of private or state entities, but part of a structured institutional system, with state support and supervision.

New offences and sanctions

The New Law prescribes new offences and sanctions for failure to meet obligations, covering both the new obligations and the broader set of entities now subject to the law.

Failure to adopt a Risk Assessment Act:

  • Legal persons who are operators of priority ICT systems – from RSD 50,000 to 500,000;
  • Responsible persons in a legal entity (priority operator) – from RSD 5,000 to 50,000; 
  • Natural persons (registered subjects) operating a priority ICT system – from RSD 10,000 to 500,000.

Failure to provide incident notification and reports during / after incident:

  • Legal persons who are operators of priority ICT systems – from RSD 50,000 to 2,000,000;
  • Responsible persons in a legal entity (priority operator) – from RSD 5,000 to 50,000;
  • Natural persons (registered subjects) operating a priority ICT system – from RSD 10,000 to 500,000.

Prescribed sanctions for offences committed by operators of important ICT systems:

  • An operator of important ICT systems may now also be the perpetrator of an offence, and the prescribed range of monetary penalties for these entities is from RSD 50,000 to 1,000,000.

What the New Law actually means in practice – for the state, companies, citizens

Broader responsibility and transparency – more entities, both state and especially private sector, will need to establish internal procedures for protection, risk assessment and security – which means an expansion and strengthening of the security culture in the ICT sphere.

Faster reaction and better coordination – in the event of an incident: with prompt 24-hour reporting, state responsibility through the Office for Information Security, better communication with users/the public, coordination with regulators and other stakeholders.

Higher costs, but greater security – entities falling under operators of ICT systems of special importance will need to invest in risk assessments, security policies, audits, procedures – but in return they raise the overall level of stability, security and data protection.

Stimulus for digital business and investments – a reliable and stable regulatory framework is a prerequisite for growth of the ICT sector, stronger digitalisation and investor confidence.

Greater responsibility towards citizens – the New Law enables better protection of data, stronger security of communications and sectors citizens depend on (especially health, energy, water supply, public services…).

Conclusion – significance for economy, state and citizens

The New Law on Information Security represents a qualitative leap – it upgrades the regulation from the level of “basic protective measures” and establishes a strict, systemic approach now covering a broad spectrum of entities. Introducing obligations for risk assessments, adoption of the Risk Assessment Act and Security Act, regular reviews, rapid incident reporting, and establishing an institution with concrete competences for coordination and supervision – all this, at the normative level, reflects a serious approach to challenges of modern ICT systems and cyber-threats.

For businesses, the New Law brings additional obligations – but grounded in real needs and in the best interest of all participants in the digital space that is becoming the dominant business environment.

For the state and citizens, the new regulation means better data protection, increased resilience of systems and more transparent response to incidents. This is important for digitalisation of public services and the direction in which society as a whole is heading, protecting critical infrastructure and establishing a stable framework for future digital development.