The new Law on Information Security introduces significant changes and new protection measures – both for individuals and legal entities. Let’s take a look at what’s new.
Previous Law on Information Security
The previous Law on Information Security prescribed obligations related to the protection of systems from cyberattacks, the obligation to report security incidents, and the development of national capacities for crisis management and the prevention of cyberattacks.
However, cyber threats are becoming increasingly subtle, sophisticated, and frequent as technology rapidly evolves. This created the need to improve the law and other regulations to ensure that Serbia remains aligned with the latest international standards. In addition, as part of its EU accession process, the Republic of Serbia is obliged to harmonize its legislation with European Union law in all areas, including information security.
Why Is the New Law Being Adopted?
The new Law on Information Security aims to align with the EU’s NIS2 Directive. Its main purpose is to expand and strengthen existing provisions to better address increasingly complex challenges in the cyber environment.
One of the most important novelties of the new Law is the inclusion of sectors previously not considered in need of protection: food production, the automotive industry, waste management, postal services, and especially healthcare.
The previous Law defined ICT systems (information and communication technology systems) as technological-organizational units that include: electronic communication networks; devices or groups of interconnected devices capable of automatic data processing using a computer program; data that is managed, stored, processed, searched, or transmitted for the purpose of system operation, use, protection, or maintenance; the organizational structure through which the ICT system is managed; and all types of system and application software and development tools.
An ICT system operator is a legal entity, government body, or organizational unit of a government body that uses an ICT system to perform its activities or tasks within its competence. The previous Law was practically focused on state bodies and key infrastructure systems (energy, telecommunications, finance – eGovernment and Business Registers Agency systems, banking systems, etc.).
Priority and Important ICT Systems
The new Law divides ICT systems into priority and important.
Priority ICT systems include all previously covered systems but also expand to public utility companies and private concessionaires involved in water supply, waste management, ICT service provision to others (e.g., hosting, data centers, software platforms), certification bodies, and providers of digital identities (e-certificates, e-seals, etc.).
Due to their public significance, a cyberattack on these systems could endanger public health or cause a domino effect indirectly affecting other critical sectors such as energy and healthcare.
Priority ICT systems will be subject to additional information security obligations (e.g., appointing a security officer, incident response plans, cooperation with national cybersecurity bodies) and will face stricter oversight and mandatory incident reporting.
Important ICT systems, which must also comply with the new rules, include: postal services and the production of computers, electronic and optical products, electrical equipment, machinery and devices, motor vehicles, and medical devices.
Office for Information Security, National CERT, and Independent CERTs
The new law also establishes the Office for Information Security, strengthening the role and competencies of the National CERT (Computer Emergency Response Team).
Each independent ICT system operator must establish its own CERT to manage incidents within its system. Independent operators may share incident-related information with the Office for Information Security and, when needed, with other organizations.
Harmonization with GDPR and the Serbian Personal Data Protection Law
Given that cyberattacks often result in personal data breaches, the deadlines and procedures in the new Law have been harmonized with the EU GDPR and the Serbian Law on Personal Data Protection.
Operators of priority ICT systems must report any incident that may have a significant impact on information security no later than 24 hours after becoming aware of it.
The report must follow a strictly prescribed procedure and contain a precisely defined set of data on the incident (e.g., nature, scope, consequences, and remedial measures taken).
In addition to preventing or mitigating damage to systems and data, the law also seeks to ensure the protection of individuals’ rights.
New Obligations for Legal Entities
By expanding the scope of sectors considered critical for information security, the new Law introduces obligations for a large number of companies that previously had none. Whether through internal departments or outsourcing, they will face substantial daily responsibilities.
The Law imposes on operators the obligation to:
· enhance data security,
· develop incident response plans,
· strengthen internal procedures and accountability.
All this entails higher costs, as companies will need to invest in stronger IT infrastructure and protection systems, hire additional cybersecurity experts, and train employees to handle crisis situations.
This is particularly relevant for entities in priority sectors, which must ensure business continuity with a strong focus on incident resilience.
At the same time, businesses stand to benefit from increased data security, which will enhance their reputation and trust, both domestically and in potential partnerships with companies from EU countries.
How the New Law Protects Individuals
Individuals are most often indirect targets of cyberattacks, but that doesn’t mean they don’t suffer direct harm.
All the new measures introduced by the law ultimately aim to protect individuals — their property, data, medical records, and more.
If properly implemented and enforced, the Law will provide citizens with greater protection against cybercrime and overall higher levels of information security.
Levels of Cyber Risk and Threat
The new law classifies ICT incidents according to the level of threat they pose to information security — basic, medium, high, and very high.
Depending on the incident level, the Office for Information Security will prepare recommendations and measures for incident resolution.
The Law also announces the adoption of additional by-laws that will define the procedures and steps to be taken for each level of risk.
Penalties
Violations of the Law on Information Security range from failing to adopt a risk assessment or security act, to failing to implement security measures, to not reporting incidents.
Fines range from RSD 50,000 up to RSD 2,000,000, depending on the violation and whether the ICT system is classified as priority or important.
Conclusion
The new Law on Information Security sets much higher standards for data and infrastructure protection than before. This brings Serbia closer to harmonization with EU regulations and strengthens its resilience to cyber threats.
In practice, this means that a large number of legal entities — including those in sectors previously not covered — will now need to implement clear procedures, technical and organizational protection measures, and incident response plans.
Due to the complexity of the new rules, businesses are advised to analyze their ICT systems in time, align internal acts and procedures with legal requirements, and secure professional support to ensure business continuity and avoid substantial fines.
Law Firm Petrović Mojsić & Partners