Cybersecurity regulation in Montenegro (2026)

The Law on Information Security was adopted by the Parliament on 19 November 2024 and published in Official Gazette No. 113/2024, entering into force on 5 December 2024. It is explicitly modelled on EU Directive 2022/2555 (NIS2) and was required for Montenegro's Chapter 10 EU accession talks.

The law applies to state authorities, local self-government units, and private legal entities classified as 'key' or 'important' across sectors including energy, transport, banking, health, water, digital infrastructure, and public administration — mirroring NIS2's annex-based sectoral coverage.

Entities must report incidents that could significantly affect service continuity to the Cybersecurity Agency (or CIRT.ME for state bodies) within 24 hours as an early warning. Incidents are classified as low, medium, or high impact with escalating response duties; a major cyber crisis can trigger a government-declared national cyber crisis.

The Government of Montenegro formally established a National Cybersecurity Agency in 2024 as the umbrella supervisory and coordination body. The existing CIRT.ME (handling state-body incidents) is to be absorbed into the Agency, though full operationalization was still in progress as of late 2024.

The government adopted the Cybersecurity Strategy 2022–2026 with one strategic goal: building a sustainable system capable of detecting and defending against complex cyber threats. It mandates intersectoral coordination, military cyber capability development, and reorganization of CIRT.ME under the new Agency.

Transposing NIS2 is a binding requirement under Montenegro's EU accession Chapter 10 (Information Society and Media). Montenegro is also a party to the Council of Europe Budapest Convention on Cybercrime and participates in the CoE Octopus community for cybercrime cooperation.