This page contains information on the institutional framework of cyber security in Serbia.
Legislation
Strategy, law, by-laws
The legislator does not use the term 'cyber' but 'information security'.
It determines the goals and measures for the development of the information society and information security
In terms of information security, the Strategy contains:
1) Description of the current situation:
- Realization of Strategy for the development of information security for the period from 2017 to 2020
- State of information security (citizens, businesses, ICT systems of special importance)
2) Changes achieved through the implementation of the Strategy
3) Goals of the Strategy
4) Strategy implementation mechanism and method of reporting on implementation results
5) Conducted consultations with interested parties
6) Assessment of financial resources needed for the implementation of the Strategy and analysis of financial effects
7) Action plan for the implementation of the Information Society and Information Security Development Strategy in the Republic of Serbia for the period from 2021 to 2026
8) Final part
9) Table of the Action Plan for the implementation of the Strategy for the period from 2021 to 2023
It regulates:
- liability of legal persons in the management and use of information and communication systems
- protection measures against security risks in information and communication systems
- coordination between protection factors
- monitoring of the proper application of the prescribed protection measures
- Regulation on determining the list of activities in areas where activities of general interest are performed and where information and communication systems of special importance are used
- Regulation on the closer arrangement of measures for the protection of information and communication systems of special importance
- Regulation on the notification procedure for incidents in information and communication systems of special importance
- Regulation on the detailed content of the act on the security of information and communication systems of special importance, the method of verification and the content of the report on the security of information and communication systems of special importance
- Regulation on cryptosecurity and protection against compromising electromagnetic radiation
- Regulation on the safety and protection of children when using information and communication technologies
- Rulebook on data contained in the records of operators of information and communication systems of particular importance
- Rulebook on the type, form and method of submitting statistical data on incidents in information and communication systems of special importance
- Rulebook on the content, registration and record keeping of special centers for the prevention of security risks in information and communication systems
- Decision on the formation of the Body for the Coordination of Information Security Affairs
How is information security achieved?
1) Protection measures against security risks in information and communication systems of special importance are prescribed
2) The responsibility of legal entities during the management and use of information and communication systems is regulated, by prescribing
- obligation in risk prevention and management
- obligation in the event of an incident
- misdemeanors for failure to comply with those obligations
3) Institutions have been determined for the coordination and monitoring of the proper application of prescribed protection measures
TERMS
Information security, incident, information and communication system of special importance
Information security is a set of measures that provides data handled through the information and communication system with:
- protection against unauthorized access
- integrity protection
- availability protection
- authenticity protection
- non-repudiation protection
so that the ICT system functions:
- as intended
- when intended
- under control of authorized persons
What is an information and communication system (ICT system)?
A technological and organizational unit that includes:
(1) electronic communications networks within the meaning of the law governing electronic communications;
(2) devices or groups of interconnected devices, such that automatic processing of data is performed within the devices, or within at least one of the group of devices, using a computer program;
(3) data, handled, kept, processed, searched or transmitted by elements covered under subitems (1) and (2) of this item, for the purposes of their operation, use, protection or maintenance;
(4) organizational structure through which the ICT system is managed;
(5) all types of system and application software and software development tools
An incident is any event that has a negative impact on the security of network and information systems.
To which incidents does LIS apply?
LIS applies only to incidents:
- in ICT systems of special importance
- that can have a significant impact on information security
What is an ICT system of special importance?
These are ICT systems used for:
Public authority is:
- a state authority
- an autonomous province's authority
- a local self-government unit's authority
- an organization and any other legal entity or natural person entrusted with the exercise of public powers
In this way, the circle of operators of ICT systems of special importance has been additionally expanded to include all legal entities, authorities, organizational units of authorities that carry out permitted processing of particularly sensitive data.
What are particularly sensitive data?
- data related to race
- data related to ethnicity
- data related to political opinion
- data related to religious or philosophical beliefs
- data related to union membership
- genetic data
- biometric data for identification of a person
- data related to health
- data related to sexual life or sexual orientation of a natural person
Under Art. 17 of the Personal Data Protection Law, processing of special types of personal data is prohibited.
Exceptionally, the processing of special types of personal data is permitted (Art. 17) if:
1) the person to whom the data refer has given express consent to processing for one or more processing purposes, unless it is prescribed by law that processing is not carried out on the basis of consent;
2) the processing is necessary in order to fulfill the obligations or apply the legally prescribed powers of the controller or the person to whom the data refer in the field of work, social insurance and social protection, if such processing is prescribed by law or a collective agreement that prescribes implementation of appropriate measures to protect the basic rights, freedoms and interests of the persons to whom the data refer;
3) processing is necessary in order to protect vital interests of the person to whom the data refer or another natural person, if the person to whom the data refer is physically or legally unable to give consent;
4) the processing is performed within the framework of the registered activity and with the application of appropriate protection measures by an endowment, foundation, association or other non-profit organization with a political, philosophical, religious or trade union goal, provided that the processing is exclusively to members, that is, former members of that organization or persons who have regular contact with it in connection with the organization's goal, as well as that personal data is not disclosed outside of that organization without the consent of the person to whom it relates;
5) personal data, that the person to whom they refer obviously made them publicly available, is processed;
6) processing is necessary in order to submit, realize or defend a legal claim or in the case when a court is acting within its jurisdiction;
7) processing is necessary in order to achieve significant public interest determined by law, if such processing is proportional to achieving the goal, with respect for the essence of the right to protection of personal data and if the application of appropriate and special measures to protect the basic rights and interests of the persons to whom these data refer is ensured;
8) the processing is necessary for the purpose of preventive medicine or occupational medicine, for the purpose of assessing the working ability of employees, medical diagnostics, provision of health or social protection services, i.e. management of health or social systems, on the basis of the law or on the basis of a contract with a healthcare worker, if the processing is carried out by or under the supervision of a healthcare worker or another person who has an obligation to keep professional secrecy prescribed by law or professional rules;
9) processing is necessary in order to achieve public interest in the field of public health, such as protection from serious cross-border threats to the health of the population or ensuring high standards of quality and safety of health care and medicines or medical devices, based on the law which provides appropriate and special measures to protect the rights and freedoms of the persons to whom the data refer, especially with regard to professional secrecy;
10) processing is necessary for the purposes of archiving in the public interest, for the purposes of scientific or historical research and for statistical purposes, in accordance with Article 92, paragraph 1 of this law, if such processing is proportionate to the achievement of the goals they intend to achieve, while respecting the essence of the right to protection of personal data and if the application of appropriate and special measures to protect the basic rights and interests of the persons to whom these data refer is ensured.
Processing of special types of data by competent authorities for special purposes (for the purpose of preventing, investigating and detecting criminal acts, prosecuting perpetrators of criminal acts or enforcing criminal sanctions, including preventing and protection against threats to public and national security) is allowed (Art. 18 ZZPL):
- if necessary
- with the application of appropriate measures to protect the rights of the persons to whom the data refer
- in one of the following cases:
1) the competent authority is authorized by law to process special types of personal data;
2) the processing of special types of personal data is carried out in order to protect vital interests of the person to whom the data refer or another natural person;
3) the processing refers to special types of personal data that the person to whom they relate has manifestly made public.
LIS lists the areas in which these activities are carried out, and a detailed list of activities for each of these areas is established by Regulation
In this way, the circle of ICT system operators of special importance is broadly set in a large number of areas:
(1) Energy:
- production, transmission and distribution of electricity
- coal production and processing
- production, processing, transport and distribution of oil and trade of oil and petroleum products
- research, production, processing, transport and distribution of natural and liquid gas
(2) Transport:
- railway, postal and air traffic
(3) Health sector:
- health care
(4) Banking and financial markets:
- operations of financial institutions
- management of data registry on obligations of natural and legal persons to financial institutions
- management operations and activities related to the functioning of a regulated market
(5) Digital infrastructure:
- exchange of internet traffic
- management of the national Internet domain registry and the naming system in a network (DNS systems)
(6) Public goods:
- use, management, protection and improvement of public goods (water, roads, mineral resources, forests, navigable rivers, lakes, riverbanks, spas, wildlife, protected areas)
(7) Information society services:
- information society services within the meaning of the law governing electronic commerce
(8) Other areas:
- electronic communication
- publication of an official gazette of the Republic of Serbia
- management of nuclear facilities
- production, trade and transport of weapons and military equipment
- waste management
- utility services
- production and supply of chemicals
established by the Republic of Serbia, the autonomous province or a local self-government unit for the performance of activity referred to in item 3) above
Which incidents in ICT systems of special importance have a significant impact?
1) incidents having a disruptive effect on the performance of tasks and provision of services, or causing significant difficulties in performance of tasks and provision of services
2) incidents impacting a great number of users, lasting for a long time
3) incidents having a disruptive effect on, or causing difficulties in performance of tasks and provision of services, with an impact on performance of tasks and provision of services of other operators of ICT systems of special importance or on public safety
4) incidents having a disruptive effect, or causing difficulties in performance of tasks and provision of services and affecting a major part of the territory of the Republic of Serbia
5) incidents leading to unauthorized access to protected data whose disclosure may jeopardize rights and interest of data subjects
6) incidents resulting from incidents in the ICT system in the area of information society services, when the ICT system of special importance uses the information services of this ICT system
How and to whom to report an incident?
KEY PLAYERS
Protection factors
Ministry of Information and Telecommunications
The Ministry of Information and Telecommunications (Competent authority) is responsible for the security of ICT systems
Previously, the Ministry of Trade, Tourism and Telecommunications was responsible, within which there was a Sector for Information Society and Information Security.
Sector for information society and information security
- preparation and drafting of laws and other regulations from the scope of the Sector
- preparation and drafting of opinions on laws and other regulations from the scope of the Sector and preparation and drafting of opinions on laws and other regulations of other state bodies, which are related to the scope of the Sector
- preventive action and inspection supervision over the implementation of laws and other regulations regulating information security
- providing professional assistance in the preparation of tender documentation and preparing for the publication and implementation of the competition
- analyzing database structure and data exchange format
- data protection and information security
- participation in processes related to professional development of civil servants in the Sector and other tasks within the scope of the Sector
- Department for regulation in the field of information society
- Support Group for the work of the National Contact Center for Child Internet Safety
- Group for analysis and planning in the field of information society
- Inspection supervision and control group in the field of electronic identification, trusted services and information security for planning and preparation of ICT system protection measures
Ministry of Defense
The Ministry of Defense is responsible for information security related to
- approval of cryptographic products
- distribution of crypto materials
- protection against compromising electromagnetic radiation (CEMR)
- other tasks and activities in accordance with the law and regulations adopted on the basis of the law
1) organize and implement the scientific research in the field of cryptographic security and protection against CEMR
2) develop, implement, verify and classify the cryptographic algorithms
3) research, develop, verify and classify its own cryptographic products and solutions for CEMR protection
4) verify and classify national and foreign cryptographic products and solutions for CEMR protection
5) define procedures and criteria for the evaluation of cryptographic security solutions
6) perform the function of a national body for approval of cryptographic products, and ensure that these products are approved in accordance with the relevant regulations
7) perform the function of a national body for protection from CEMR
8) check the ICT system from the aspect of crypto security and protection against CEMR
9) perform the function of a national body for distribution of crypto material, and define the management, handling, storage, distribution and recording of crypto material in accordance with the regulations
10) plan and coordinate the production of crypto parameters (parameters of cryptographic algorithm), the distribution of crypto material and the protection against compromising electromagnetic radiation in cooperation with independent ICT system operators
11) establish and maintain a central register of verified and distributed crypto material
12) establish and maintain a register of issued approvals for cryptographic products
13) create electronic certificates for cryptographic systems based on public key infrastructure
14) propose the adoption of regulations in the field of crypto security and protection against CEMR, pursuant to this Law
15) perform expert supervision related to crypto security and protection against CEMR
16) provide expert assistance to the inspector for the information security in the field of crypto security and protection against CEMR
17) provide services for a fee to legal and natural persons, outside the public authorities, in the field of crypto security and protection against CEMR, according to the regulation of the Government on the proposal of the Minister of Defense
18) cooperate with national and international bodies and organizations within its competencies regulated by this Law
Body for the Coordination of Information Security Affairs
Established by the Government's Decision on the basis of Art. 5 of the Law on Information Security
- to achieve cooperation and harmonized performance of tasks in the function of improving information security
- to initiate and monitor preventive and other activities in the field of information security
By decision on the formation of the Body for Coordination of Information Security Affairs, the tasks of the Body are:
- achieving cooperation between authorities and harmonizing the performance of work in the function of improving information security
- initiation and monitoring of preventive and other activities in the field of information security
- proposing measures to improve information security in the Republic of Serbia
- determination of mutual cooperation in the event of incidents that may have a significant impact on the violation of information security in the Republic of Serbia
Representatives of
- ministries responsible for information security, defense, internal affairs, foreign affairs, justice
- security services
- Office of the National Security Council and Classified Information Protection
- General Secretariat of the Government
- National Bank of Serbia
- Centre for ICT System Security of Authorities
- National Center for the Prevention of Security Risks in ICT Systems
National CERT
CERT (Computer Emergency Response Team) is a center for prevention and protection against security risks in ICT (information and communication) systems
The National CERT performs tasks of coordination of prevention and protection against security risks in ICT systems at the national level
The tasks of the National CERT are performed by the Regulatory Agency for Electronic Communications and Postal Services (RATEL).
The National CERT shall collect and exchange information on the risks to the ICT systems security, and the events that jeopardize the ICT system security, and it shall inform, provide support, warn and advise, in this regard, the persons who manage ICT systems in the Republic of Serbia, as well as the public, and it shall in particular:
1) monitor the state of incidents at the national level
2) provide early warnings, alerts and announcements, and inform relevant persons about risks and incidents
3) respond to reported or otherwise detected incidents in ICT systems of special importance, as well as to reports by individuals and legal entities, by providing advice and recommendations on the basis of available information to persons affected by the incident, and undertake other necessary measures within its jurisdiction on the basis of the obtained knowledge
4) continuously prepare risk and incidents analyses
5) raise awareness among citizens, business entities and public authorities about the importance of information security, the risks and protection measures, including the implementation of campaigns aimed at raising this awareness
6) keep records of Special CERTs
7) submit quarterly reports on undertaken activities to the competent authority
Supervision of the work of the National CERT in the performance of tasks entrusted by LIS is carried out by the Competent Authority (Ministry of Information and Telecommunications), through the Group for Inspection Supervision and Control, formed within the Sector for Information Society and Information Security
Periodically, and at least once a year, it is checked whether the National CERT:
- has adequate resources
- organizes at least three annual meetings of the National CERT, CERTs of government bodies and CERTs of independent operators of ICT systems, as well as additional meetings when necessary in the event of incidents that significantly threaten information security in the Republic of Serbia
- controls the performance of the established security incident management processes
Special CERTs
The special Center for the Prevention of Security Risks in ICT Systems (Special CERT) performs the tasks of prevention and protection against security risks in ICT systems within a certain legal person, a group of legal persons, a business area and the like.
The Special CERT is a legal person or an organizational unit within a legal person, which is entered in the records of special CERTs managed by the National CERT.
The Registry of special CERTs is maintained by the National CERT
The procedure for registration in the Register of special CERTs is determined in Regulation
Application form for registration in the Register of special CERTs
CERT of public authorities
The Centre for Security of ICT Systems within authorities performs the tasks related to the protection against incidents in the ICT systems of authorities, except for the ICT systems of independent operators.
- Public authority means a state authority, an autonomous province's authority, a local self-government unit's authority, an organization and any other legal entity or natural person entrusted with the exercise of public powers
The work of the CERT of public authorities shall be carried out by the authority responsible for the design, development, construction, maintenance and improvement of the computer network of republic authorities
The tasks of the CERT of public authorities include:
1) protection of the ICT system of the Computer Network of Republic Authorities (CNRA)
2) coordination and cooperation with ICT system operators connected to the CNRA in incident prevention, detection of incidents, gathering of information on incidents, and eliminating the consequences of incidents
3) publication of professional recommendations for the protection of the ICT systems of public authorities, except the ICT system dealing with classified information
CERT of an Independent ICT System Operator
Independent ICT system operators are:
- ministry in charge of defense affairs
- ministry in charge of internal affairs
- ministry in charge of foreign affairs
- security services
They are required to establish their own security centers for ICT systems to manage the incidents in their own systems
These Centers mutually exchange information about incidents, as well as with the National CERT and with the CERT of public authorities, and, if necessary, with other organizations
The scope of work:
1) development of internal acts in the field of information security
2) selection, testing and implementation of technical, physical and organizational measures for protection, equipment and programs
3) selection, testing and implementation of CEMR protection measures
4) supervision of the implementation of security procedures
5) management and use of cryptographic products
6) analysis of the security of the ICT system in order to assess the risks
7) training of employees in the field of information security
Information Security Inspectorate
Inspection work is performed by the Ministry of Information and Telecommunications through the Information Security Inspectorate
Within Sector for information society and information security a Group for inspection supervision and control in the field of electronic identification, trusted services and information security was formed for the planning and preparation of ICT system protection measures
The Information Security Inspectorate carries out inspection supervision over:
- Law on Information Security implementation
- the work of operators of ICT system of particular importance
The Inspectorate for Information Security does not inspect the work of:
- independent ICT system operators (ministry responsible for defense affairs, ministry responsible for internal affairs, ministry responsible for foreign affairs, security services)
- ICT system for working with secret data
The information security inspector determines whether the conditions prescribed by the Law on Information Security and the regulations adopted on the basis of that law have been met
It acts in accordance with the Law on Inspection Supervision.
In the implementation of inspection supervision, in addition to the authorization from Act on Inspection Supervision (Art. 21-34), the Inspector is also authorized to:
1) order the removal of established irregularities and leave a deadline for this
2) prohibit the use of procedures and technical means that endanger or violate information security and leave a deadline for this
Operator of ICT systems of special importance
- a legal entity
- an authority
- an organizational unit of an authority
that uses the ICT system in performing its activities, i.e. the activities within the scope of its competence
In order to understand who should be considered the operator of such a system, one should start from what is meant by ICT system of special importance
In this way, a wide range of legal entities, authorities and their organizational units are reached
RESPONSIBILITY
Obligations of ICT system operators of special importance and consequences of non-compliance with these obligations
What are the obligations of operators of ICT system of special importance?
Based on Art. 6a LIS, an operator of ICT system of special importance is obliged to:
The Registry is kept by the Competent Authority (Ministry of Information and Telecommunications)
The record contains the data specified in Art. 6 b LIS
More detailed conditions for keeping records are prescribed by Rulebook
If the operator does not make an entry in the records within 90 days from the day of adoption of the Rulebook, it commits a misdemeanor under Art. 30 para. 1 item 1 of LIS.
Protection measures ensure the prevention of incidents, that is, the prevention and reduction of damage from incidents that threaten the exercise of competence and the performance of activities, especially within the scope of providing services to other persons.
Art. 7 of LIS (ZIB) prescribes what the protection measures refer to.
Certain protection measures are more closely regulated by Ordinance
In the ICT system security act, the operator determines the protection measures, in the manner established by Regulation
If the operator does not apply the protection measures specified by the act, it commits a misdemeanor under Art. 30 para. 1 item 3 of LIS.
The act determines the protection measures, and in particular the principles, methods and procedures of achieving and maintaining an adequate level of system security, as well as the powers and responsibilities related to the security and resources of ICT systems of particular importance.
The detailed content of the act is prescribed by Regulation
If the operator does not adopt the act, it commits a misdemeanor under Art. 30 para. 1 item 2 of LIS.
The operator is obliged to independently or with the engagement of external experts carry out a check and to prepare a report on it
The method of checking ICT systems of special importance and the content of the check report is prescribed by Regulation
If the operator does not check the compliance of the applied measures, it commits a misdemeanor under Art. 30 para. 1 item 4 of LIS.
The operator can entrust activities related to the ICT system to third parties, but is obliged to regulate the relationship with those persons in a way that ensures the taking of protection measures for that ICT system in accordance with the law.
A third party is also a business entity that is connected to the ICT system operator of special importance by property and management relations (participants, members of the group of companies to which that business entity belongs, etc.).
The following activities can be entrusted to third parties:
- activities that include processing, storage, i.e. the ability to access data at the disposal of the operator of the ICT system of particular importance, and related to his business
- activities of development, i.e. maintenance of software and hardware components, on which its correct behavior directly depends when performing tasks within its competence, i.e. providing services
Entrustment is carried out on the basis of a contract or a special regulation
Operators are obliged to submit to the Competent Authority (Ministry of Information and Telecommunications) or National CERT:
- incident notification
- after reporting the incident, if the incident is still ongoing, notifications about important events related to the incident and the activities they undertake until the incident ends
- final report on the incident within 15 days from the day the incident ended (the report must contain the type and description of the incident, the time and duration of the incident, the consequences the incident caused, the activities undertaken to eliminate the consequences of the incident and, if necessary, other relevant information)
The procedure for informing about incidents is regulated in more detail by Ordinance
The notification obligation applies only to
- incidents which can have a significant impact on information security breaches
- incidents that led to a significant increase in the risk of consequences
If the operator does not submit a notification about the incident, it commits a misdemeanor under Art. 31 para. 1 item 1 of LIS.
If the operator does not submit notifications about an incident that is still ongoing, it commits a misdemeanor under Art. 31 para. 1 item 2 of LIS.
If the operator does not submit the final incident report, it commits a misdemeanor under Art. 31 para. 1 item 3 of LIS.
The obligation to report an incident in the manner described does not apply to:
- independent ICT system operators (ministry responsible for defense affairs, ministry responsible for internal affairs, ministry responsible for foreign affairs, security services)
- operators of ICT systems for working with secret data
The operator is obliged to provide the National CERT with statistical data on all incidents in the previous year; the National CERT consolidates these data, submits them to the Competent Authority (Ministry of Information and Telecommunications) and publishes them on its website.
Data shall be submitted no later than February 28 of the current year
If the operator does not submit the statistical data, it commits a misdemeanor under Art. 30 para. 1 item 5 of LIS.
The type, form and method of submitting statistical data are determined in the Regulations of the National CERT.
Statistical data for 2021 and 2020 are available on the website of the National CERT.
What if the operator of the ICT system of special importance does not comply with these obligations?
> If the operator does not act according to the established obligations, it commits misdemeanors under Art. 30 and 31 of LIS (ZIB).
If:
1) fails to execute the entry in the registry within the time limit referred to in Article 6b hereof
2) fails to adopt the Act on security of ICT systems referred to in Article 8 paragraph 1 of this Law
3) fails to apply the protection measures determined by the Act on security of ICT systems referred to in Article 8, paragraph 2 of this Law
4) fails to verify the compliance of implemented measures referred to in Article 8, paragraph 4 of this Law
5) fails to submit the statistical data referred to in Article 11b hereof
6) fails to comply with the order of the information security inspector within the given deadline referred to in Article 29, paragraph 1, item 1 of this Law
- the operator of an ICT system of special importance shall be fined in the amount of 50,000.00 to 2,000,000.00 dinars
- the responsible person of an operator of an ICT system of special importance shall also be fined in the amount of 5,000.00 to 50,000.00 dinars
If:
1) fails to inform the authorities referred to in Article 11, paragraphs 1, 3 and 7 hereof about incidents in the ICT system
2) fails to deliver notifications on important events regarding the incident and activities referred to in Article 11, paragraph 5 hereof
3) fails to deliver the final report referred to in Article 11, paragraph 6 hereof
- the operator of an ICT system of special importance shall be fined in the amount of 50,000.00 to 500,000.00 dinars
- the responsible person of an operator of an ICT system of special importance shall also be fined in the amount of 5,000.00 to 50,000.00 dinars
Misdemeanor proceedings are initiated upon request:
- the authorized body (Information Security Inspectorate)
- injured person
> If the operator were to fail to apply protective measures, there could be criminal liability
However, the Criminal Code currently does not prescribe a criminal offense under which the omission of an ICT operator of special importance could be classified
> If the elements of a criminal offense are realized as a result of the incident, that could constitute a cybercrime act
Primarily, it could be about crimes against the security of computer data (Art. 298-304a CC), but also about other criminal acts