The Act on ICT System Security
The Act on ICT System Security encompasses legislative and regulatory measures implemented within specific countries or organizations to ensure the protection of information and communication technologies (ICT). These acts provide a framework for managing ICT system security by defining organizational obligations related to data protection, cyberattack prevention, and incident response. In most cases, such laws and regulations align with frameworks such as the EU NIS2 Directive and the ISO 27001 standard.
In Serbia, this is regulated by the Law on Information Security, which includes several key elements:
- Obligations of ICT System Operators – Government institutions, public service providers, financial institutions, and telecommunications companies must implement protective measures and regularly monitor and assess risks to the security of their systems.
- National CERT (Computer Emergency Response Team) – Provides support in protecting ICT systems. It is responsible for coordinating cybersecurity activities, reporting incidents, and offering guidance to operators on how to respond to threats.
- Protection of Critical Infrastructure – Energy systems, healthcare institutions, financial institutions, and other systems vital to national security and economic development are required to implement enhanced cybersecurity measures.
- Incident Reporting – ICT system operators are mandated to report all relevant cyber incidents to the National CERT or competent authorities. These reports help track attack trends and plan responses to future threats.
- Compliance with International Standards – The law requires that ICT protection systems and practices comply with international cybersecurity standards, ensuring a global level of data and system protection.
- Penal Provisions – Penalties are imposed for delayed incident reporting, non-compliance with regulations, or inadequate protection of sensitive systems and data.
- International Cooperation – The law provides for cooperation with international organizations such as Europol, ENISA (European Union Agency for Cybersecurity), and other bodies involved in combating cybercrime and protecting ICT systems, enabling more effective responses to global threats.
- Training and Education – Measures are included to raise awareness about information system security through the education and training of employees managing critical ICT systems.
By establishing the Act on ICT System Security, the legal regulation of this area is addressed systematically, and improvements are introduced to the framework governing information system security.