The law introduces clearer definitions, including key terms from the NIS 2 Directive, and expands the scope to cover new digital service providers. It categorizes operators as either “priority” or “essential” based on their sector’s criticality, imposing stricter obligations on both.
Key requirements include conducting risk assessments, developing security acts, and reporting incidents promptly to authorities and users. Operators must implement specific security measures, such as multifactor authentication, regular backups, and vulnerability monitoring. A compliance deadline of 18 months is set for submitting required documentation. Enhanced supervisory powers are granted to the Information Security Office, with inspectors able to impose bans and initiate proceedings for non-compliance. The law aims to strengthen Serbia’s resilience against evolving cybersecurity threats in the digital economy.
This is the first part of the overview provided by Partner Ivan Milošević from the JPM Belgrade office.
