December 2025 – The Republic of Serbia has adopted a new Law on Information Security (Zakon o informacionoj bezbednosti) ("Serbian NIS2"), marking a significant reform of the national cybersecurity framework and aligning it with the EU NIS2 Directive. The Serbian NIS2 broadens the range of regulated entities, strengthens institutional coordination, and introduces clearer obligations for organisations operating ICT systems of special importance. Secondary legislation is expected in 2025–2026, and the previous law remains partially applicable until the end of 2025 to ensure continuity during the transition period.
This article provides an overview of the key novelties introduced by the Serbian NIS2, together with an outline of the regulatory framework, the obligations imposed on operators, and the institutional mechanisms established for incident management and oversight.
Scope of application and operator classification
The Serbian NIS2 classifies operators of ICT systems of special importance into two categories. This approach mirrors the structure of the NIS2 Directive and reflects differences in the criticality of the sectors concerned. Operators in essential sectors are designated as essential, while those in sectors of economic and industrial relevance fall under the category of important operators.
Key sectoral categories
The final categorisation will be defined through a government decree expected by the end of 2025. Until then, the sectors remain indicative, although broadly aligned with European standards.
Illustrative sectors for essential operators:
- energy and mining;
- transport;
- banking, financial markets, and trust services;
- healthcare;
- water supply;
- digital infrastructure, including cloud and data centres;
- public authorities and operators of critical infrastructure;
- other areas such as electronic communications.
Illustrative sectors for important operators:
- postal and courier services;
- waste and chemical management;
- food production and processing;
- manufacturing of machinery, electronics, and equipment;
- e‑commerce and online information-society services;
- research institutions and defence‑related activities.
Governance obligations
The Serbian NIS2 introduces formalised governance obligations requiring operators to adopt two core internal documents: (i) a Risk Assessment Policy, newly stipulated by the Serbian NIS2 and based on a harmonised methodology to be issued by the National CERT (Centre for the Security of ICT Systems), and (ii) an Information Security Policy, already stipulated by the previous law, defining the technical and organisational measures applied within the organisation. These documents constitute the internal compliance foundation and must be regularly reviewed and updated to reflect changes in the risk environment.
Technical and organisational measures
Technical requirements align with the principles of ISO 27001:2022, introducing expectations regarding secure configuration, system monitoring, access controls, and business‑continuity arrangements. Additional guidance will be provided through secondary legislation. Compliance with these measures is central to ensuring resilience across essential systems.
Incident classification and reporting
The Serbian NIS2 establishes a structured system for classifying incidents into four levels: low, medium, high, and very high. This enables state authorities to calibrate intervention measures based on severity. Medium‑level incidents require recommendations from the Office for Information Security, while high‑level incidents activate coordinated operational responses. In the most severe cases, the government may declare a cybersecurity crisis, assuming primary responsibility for incident mitigation.
Reporting obligations include:
- immediate or 24‑hour notification of significant incidents;
- user notification where services are disrupted;
- submission of annual statistical incident reports;
- regular communication with authorities during high‑severity incidents.
Institutional framework
A major structural innovation introduced by the Serbian NIS2 is the establishment of the Office for Information Security, commencing operations on 1 January 2027. This body will coordinate serious incident responses, act as both National CERT and Government CERT, serve as the single point of contact for international cooperation, manage the national vulnerability database, and conduct expert oversight. Until it becomes operational, these functions will remain with the IT Public Administration Office.
After the adoption of the relevant decree, organisations must determine whether they fall within the scope of the Serbian NIS2. If so, they must classify themselves as operators of either essential or important ICT systems of special importance and register in the Register of Operators of ICT Systems of Special Importance. The deadline for registration is 90 days from the adoption of the regulation by the Ministry of Information and Telecommunications, which will further define this register. The register will contain data on administrators, responsible persons, the operator's public static IP addresses, and other relevant information.
Supervision and enforcement
Supervisory mechanisms under the new regime consist of inspection oversight performed by the Ministry of Information and Telecommunications and expert oversight to be carried out by the Office for Information Security. Inspectors may order remediation, require technical testing, restrict the use of insecure technology, and initiate further measures. Expert oversight focuses on the adequacy of risk assessments, implementation of prescribed measures, and compliance with recommendations during incident response.
Sanctions and transitional provisions
The Serbian NIS2 introduces a comprehensive set of sanctions. Essential operators face fines ranging from approximately EUR 400 to EUR 17,000, and important operators face fines between approximately EUR 400 and EUR 8,550, for violations such as failure to comply with registration requirements, adopt the necessary internal documents, implement security measures, report incidents, or provide required reports and comply with inspections. Individuals may also be held liable, including responsible persons within legal entities, who could face personal fines for failing to meet their obligations under the law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.