What is new in the amendments to the Law on Information Security
By autumn, Serbia will receive an improved Law on Information Security with better protection of data for citizens and businesses. Changes to the law are necessary due to the new European Union directive in this area, which was adopted at the end of last year, and the deadline for harmonization is October 2024.
The previous work on the drafting of amendments to the law and the planned novelties were presented at today's meeting in NALED, involving members of the eGovernment Alliance, representatives of the Network for Cyber Security and other organizations interested in improving the security of ICT systems in Serbia.
Milan Vojvodić, the deputy head of the working group for amendments to the law and the head of the department for regulation in the field of information society in the Ministry of Information and Telecommunications, pointed out that as many as 20 bodies and organizations, or 57 members, are working on the improvement of this regulation.
In addition to the Ministry of Information and Telecommunications and the Ministries of Internal Affairs and Defense, the working group also includes the National Bank of Serbia, the Office for IT and eGovernment, security services, RATEL, the Commissioner for Information of Public Importance, the General Secretariat of the Government and the Office of the National Security Council. There are also NALED, SKGO, Serbian Chamber of Commerce, Council of Foreign Investors, RNIDS, Cyber Security Network and educational institutions.
At the meeting, it was pointed out that one of the main novelties is defining which ICT system operators are priority and important, as classified by the European directive. The priority category is planned to include all medium and large companies that operate in areas of essential importance for citizens and the functioning of the state, such as energy, transport, banking, healthcare, water, etc. They also include those who provide telecommunications and trust services, government bodies and operators of critical infrastructure.
All of them will be required to check the compliance of their systems with the intended protection measures against cyber attacks at least twice a year, while the so-called important operators have this obligation at least once a year.
When it comes to incidents, the new provisions will provide for the adoption of a national response plan to incidents that significantly threaten information security, and operators will be obliged to report incidents to the National CERT, as well as users. Also, priority operators will be obliged to submit statistics on avoided incidents in order to obtain more information about the threats ICT systems are exposed to.
Another improvement of the current Law on Information Security concerns the strengthened role of the Regulatory Body for Electronic Communications and Postal Services - National CERT. In cooperation with ICT systems of special importance, at their request, CERT will be able to check the vulnerability of their systems, as well as, with prior notification to the operator, perform a non-intrusive scan of networks and ICT systems that are publicly available.
Also, an important change is the establishment and maintenance of the Vulnerability Database of ICT products and services in the National CERT. All natural and legal persons, as well as manufacturers, suppliers and service providers in the ICT system will be able to report vulnerabilities and for now this reporting will be on a voluntary basis.
It is expected that the draft law will be ready by mid-July, and one of the major issues that remains to be resolved is whether it is necessary to form an agency for information security and what its responsibilities would be, as well as the issue of harmonizing this law with other regulations. The changes could be before the members of the assembly in the fall and it is planned to leave a period of six months to a year for full implementation.
