
Serbia: Legislation Update

From NIS2 to Serbia: How the New Information Security Law Impacts Your Business

Serbia has taken a significant step towards strengthening its cyber resilience with the introduction of a new Information Security Law (the “Law”). Although Serbia is not an EU member, the Law aims to align with the principles and core mechanisms of the NIS2 Directive, promoting safer and more reliable use of information and communication technologies (ICT) and creating a structured framework for managing ICT-related risks.

The Law entered into force on 31 October 2025, while the application of certain provisions – and the corresponding obligations for companies – has been postponed pending the adoption of implementing bylaws. This approach introduces a phased timeline for compliance, necessitating early preparation by affected entities.

Mirroring the approach of the NIS2 Directive compared to its predecessor (NIS1), the new Law significantly expands the scope of regulated entities under Serbia’s previous cybersecurity framework, bringing compliance considerations to the board level in (all too) many companies that were previously unaffected. It also strengthens the existing reporting and risk-management obligations, introduces several new ones, and revamps the structure and competences of state authorities responsible for their enforcement. The main takeaways to note are as follows:


Expanded Scope and Categorisation of Entities

Like the previous law, the new Law applies to public authorities and to entities operating in critical sectors such as energy, transport, electronic communications, financial institutions, healthcare, and internet exchange points. However, it significantly widens the range of the existing regulated sectors and adds new ones, including food production and distribution, automotive manufacturing, manufacturing of computers, electronic equipment, and other machines and devices, research and production of medicines and medical devices, production and supply of chemicals, and waste management, amongst others.

This list is not exhaustive, as the competent ministry may designate other entities as required to comply with the Law. The detailed designation and categorisation conditions and criteria (including the size of relevant entities) are to be regulated by the Government, starting from the general condition that an interruption/disruption in an entity’s ICT system could have a significant impact on public safety, national security or public health, or may cause significant systemic risk.

The Law also introduces a distinction between “priority” (equivalent to “essential” under NIS2) and “important” ICT operators, primarily based on the sectors they belong to. Both categories are subject to the same substantive cybersecurity, risk management, and reporting obligations, while the main difference lies in the enforcement and penalties: priority entities face fines of up to approx. EUR 17,000, which is double the maximum applicable to important ones. In both cases, the responsible individuals may be fined up to EUR 425, but may also face a temporary ban on performing management functions if their actions prevented the entities from complying with the Law.

As a result, this classification may not carry the same significance in Serbia as it does in the EU under NIS2, which introduces a stricter supervision regime and higher monitoring intensity for essential entities (although something similar may be implemented in Serbia through future bylaws). Another key difference is NIS2’s use of size criteria, which ensures that it mainly targets medium and large companies, while small and micro companies are generally exempt (unless they fall under specific high-risk categories). The Law, on the other hand, only mentions that size criteria will be introduced in a future Government bylaw, and its current structure appears to apply those criteria only to companies that do not fall within the specific sectors already listed. This effectively means that smaller Serbian companies operating in those sectors are, by default, required to comply with the Law – a result likely stemming from a legislative oversight rather than the Government’s intent, particularly given the ambiguous wording.


Key Obligations and Timeline

The Law requires entities to adopt a proactive approach to information security, with particular focus on risk assessment, protective measures, and incident reporting. The most important responsibilities include:

  1. Submitting the Application for Registration – All regulated entities must submit this application within 90 days after adoption of the relevant bylaw or after establishing their ICT system, whichever occurs later.
  2. Implementation of Security Measures – Entities must adopt technical, operational, organisational, and physical measures to protect ICT systems, manage risks, and mitigate the consequences of incidents.
  3. Risk Assessment and Risk Assessment Act – By the end of April 2027, all regulated entities must produce a formal risk assessment act, evaluating ICT threats based on organisational size, likelihood and severity of incidents, and potential social and economic impact, in line with a general methodology to be issued by the authority. This act must be revised at least once a year.
  4. ICT System Security Act – This act must also be adopted by the end of April 2027, determining the protection measures for achieving and maintaining an adequate level of ICT system security, based on the findings of the Risk Assessment Act (as well as in line with the future bylaw).
  5. Annual Review and Report on the ICT System Security Act – To ensure that this act is not merely a tick-the-box exercise, the Law requires it to be kept aligned with changes in the environment. Companies must verify this alignment, and prepare a formal report on it, at least once a year, either independently or with the engagement of external experts.
  6. Outsourcing and Supply Chain Security – Companies must assess and manage cybersecurity risks posed by their service providers (including cloud, IT maintenance, etc.) and ensure appropriate measures are in place to comply with the Law. This means verifying compliance through questionnaires or due diligence and (contractually) requiring suppliers to maintain specific measures and promptly report any incidents, permit audits and/or provide evidence of compliance.
  7. Incident and Threat Reporting – Companies must now report to the authorities not only incidents that may have a significant impact on ICT security, but also serious threats and near-miss events that could have led to similar consequences. Notifications must be submitted without delay, and no later than 24 hours after the event is discovered. If the incident may adversely affect the provision or use of the company’s services, the company must also notify the users of those services, including information about the measures users can take to mitigate the consequences.


Next Steps

Although the Law is largely applicable already, the full scope and operational details of certain obligations will be further specified through implementing regulations, which the Government is expected to adopt by 31 October 2026. In addition, entities already regulated under the previous law will have a two-month transitional period to adjust, during which the previous law will continue to apply to their key obligations. However, as many provisions of the Law already apply, companies should start preparing sooner rather than later.


Organisations may consider taking the following steps to ensure timely alignment with the new requirements:

  • Assessing whether your organisation qualifies as a “priority” or “important” operator;
  • Reviewing existing cybersecurity measures to identify potential gaps;
  • Amending supply chain contracts to reflect the new outsourcing and supplier-security requirements;
  • Planning for the preparation of the Risk Assessment Act and ICT System Security Act, in line with the methodology/bylaw that the authorities will issue;
  • Establishing or refining internal incident reporting procedures to ensure timely reactions;
  • Preparing for dual-track reporting if incidents involve personal data; and
  • Monitoring the adoption of implementing regulations to ensure full compliance.


The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.