Cybersecurity · Albania
Albania enacted a standalone, comprehensive cybersecurity law (Law No. 25/2024) in April 2024, modelled closely on the EU NIS2 Directive and covering both critical and important information infrastructures across public and private sectors. The National Cybersecurity Authority (AKSK) serves as both the primary supervisory body and the National CSIRT, with power to classify infrastructure, supervise compliance, and impose administrative fines. The National Cybersecurity Strategy 2025–2030, approved in October 2025, further aligns Albania with EU (NIS2, eIDAS2, EUCC) and NATO standards.
Law No. 25/2024 'On Cybersecurity' entered into force 15 days after publication in the Official Gazette (18 April 2024), superseding the earlier Law No. 2/2017. It establishes a unified legal framework for network and information system security across critical and important sectors including energy, transport, banking, health, digital infrastructure, and public administration.
The National Cybersecurity Authority (AKSK) supervises and enforces the law, classifies critical and important information infrastructures, operates as the National CSIRT/CERT, and coordinates with international partners. It is the single competent authority for cybersecurity matters in Albania.
Operators of critical and important information infrastructures must notify the National CSIRT within 4 hours of identifying an incident. For significant incidents, a follow-up assessment (severity, impact, indicators of compromise) is due within 72 hours, and a full comprehensive report — covering incident description, threat type, mitigation measures, and cross-border impact — must be submitted within 1 month.
Administrative fines under Law 25/2024 range from 200,000 to 10,000,000 Albanian Lek (approximately €1,800–€90,000), scaled to the type and severity of the violation.
Law 25/2024 was explicitly drafted to transpose key elements of the EU NIS2 Directive into Albanian law as part of Albania's EU accession agenda (National European Integration Plan 2023–2025). The law mirrors NIS2's sector scope, risk-management obligations, and multi-tiered incident-notification structure.
Approved by the Council of Ministers in October 2025, the National Cybersecurity Strategy 2025–2030 and its Action Plan 2025–2027 set five pillars: digital infrastructure protection, innovation and R&D (including a National Centre of Excellence for Cybersecurity), hybrid-threat resilience, capacity building, and international cooperation. The strategy aligns with NIS2, eIDAS2, and the EUCC certification framework.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.