Cybersecurity regulation in Serbia (2026)
Serbia enacted a comprehensive, NIS2-aligned Law on Information Security in October 2025, replacing the 2016 framework and broadening the scope of regulated ICT system operators into 'essential' and 'important' categories across sectors including healthcare, transport, energy, IT services, food, and postal services. The law introduces formal governance obligations, structured incident classification, mandatory incident reporting within 24 hours, and an 18-month compliance window for operators. A new Office for Information Security, which will consolidate National CERT and Government CERT functions, is mandated to begin operations on 1 January 2027.
Key points
The 2025 law explicitly harmonises Serbian law with the EU NIS2 Directive (Directive (EU) 2022/2555). As an EU accession candidate, Serbia is obliged to align its legislation with the EU acquis; the law mirrors NIS2's two-tier (essential/important operators) classification and sector coverage.
Operators of ICT systems of special importance must notify the national CERT without delay and at the latest within 24 hours of becoming aware of a significant incident. Operators must also submit annual statistical reports and notify near-miss threats. Fines for non-reporting reach RSD 2,000,000 (~EUR 16,800) for legal entities.
Operators must adopt a Risk Assessment Policy (based on a methodology issued by the national CERT) and an Information Security Policy. Technical requirements align with ISO/IEC 27001:2022 principles, covering secure configuration, access controls, monitoring, and business continuity.
RATEL currently houses the National CERT (SRB-CERT) and oversees compliance. The new law creates the Office for Information Security, which will act as National CERT, Government CERT, single point of contact for international cooperation, and manager of the national vulnerability database; it commences operations 1 January 2027.
ICT system operators have 18 months from the law's entry into force (i.e., approximately to April/May 2027) to bring their systems and documentation into compliance with the new requirements. The 2016 law remains partially applicable during the transition period.
Parallel to the cybersecurity law, Serbia's Personal Data Protection Act requires controllers to notify the Commissioner within 72 hours of a personal data breach posing risk to individuals' rights, and to notify affected data subjects without undue delay where the risk is high.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.