
After the European Union adopted the NIS 2 Directive on December 14, 2022, the Member States committed to harmonizing with it and implementing it into their legal systems.
As the Republic of Serbia aspires to join the European Union, the need has arisen for the new Law on Information Security to also be aligned with the EU legislative framework.
What’s new compared to the NIS 1 Directive
Compared to the previous NIS 1 Directive, the new framework introduces a revised classification of operators based on criticality, namely essential and important entities. In addition, the role of CERTs is significantly strengthened, as is supervision over the implementation of the law’s provisions, accompanied by stricter penalty measures. The Directive also provides for the development of a national response plan for handling major incidents, explains Andrej Nikitin, Business Development Manager at Sky Express.
The new Law on Information Security
The principles of the Law remain similar to those of the previous one: when selecting and implementing security measures, operators should be guided by the principles of risk management, comprehensive protection, professionalism and best practices, awareness and training, continuous improvement, and equality and non-discrimination.
Under the new Law, ICT systems of special importance are classified as priority and important. Priority ICT systems are those without which many state functions would be significantly hindered. The main difference between priority and important ICT systems lies in the misdemeanor provisions, which are considerably more severe for priority ICT systems. The new Law expands the areas that fall under priority systems, primarily digital infrastructure and the management of ICT services provided to operators of priority ICT systems. In other words, any operator of an ICT system that provides services to a priority ICT system becomes a priority ICT system of special importance.
Risk Analysis and Other Amendments
The obligations of ICT systems of special importance are being expanded. The key new requirement concerns the obligation to adopt a Risk Assessment Act. The idea is that appropriate security measures are implemented based on the defined risk levels of the ICT system, and that the Act is reviewed annually.
With regard to the registry of ICT systems of special importance, a new type of data is being added, meaning that operators will be required to submit information about their IP addresses. In addition, the security measures for ICT systems of special importance are also being expanded.
Office for Information Security
The new Law provides for the establishment of the Office for Information Security, which will take over key responsibilities in the Republic of Serbia related to the prevention of and protection against security risks and incidents. These responsibilities include CERT-related activities, international cooperation and acting as a single point of contact, the development of training and professional development programs, and maintaining a vulnerability database.
Sky Express Specialized Services
The Sky Express team offers specialized services related to compliance with the Law on Information Security, including the preparation of a risk assessment, the review of the Information Security Act, and the development of mandatory documentation.
