Cybersecurity regulation in North Macedonia (2026)

The Security of Network and Information Systems Act (Official Gazette No. 135, 04.07.2025) harmonises North Macedonia's national legislation with EU Directive 2022/2555 (NIS2), introducing for the first time a single, unified cybersecurity framework covering essential and important entities across critical sectors.

Entities are classified as essential or important. Both categories are subject to defined cybersecurity risk-management measures and reporting obligations under Chapter IV of the Act; essential entities face stricter supervisory scrutiny.

Regulated entities must issue an early warning within 24 hours, submit an initial assessment within 72 hours, and provide a final report within one month of a significant incident. Additionally, entities must notify the competent incident-response team (MKD-CIRT) within three hours of becoming aware of an incident or cyber threat.

Essential entities may be fined up to 2% of total annual worldwide revenue for the preceding year; important entities face fines up to 1.4% of annual revenue. MKD-CIRT holds supervisory power to impose measures on non-compliant entities.

Adopted by the government in January 2025, the strategy sets five priority areas including establishing a dedicated cybersecurity sector within the Ministry of Digital Transformation, expanding MKD-CIRT capabilities, and aligning with EU frameworks (NIS2, Cybersecurity Act) and ITU/ENISA guidance.

MKD-CIRT, operating under the Agency for Electronic Communications, is the designated national computer incident response team serving as the official national point of contact and coordination for cybersecurity incidents; under the new Act it also exercises supervisory authority over regulated entities.