
NIS2 and the Serbian Law on Information Security: Does the Domestic Framework Keep Pace with the European Evolution of Cyber Accountability?

With the adoption of the NIS2 Directive, the European Union has entered a new phase of regulatory development in cybersecurity. NIS2 represents not only a technical upgrade of previous regulations but a fundamental paradigm shift: cybersecurity becomes a matter of managerial responsibility, regulatory oversight, and potential liability for damages.

In this context, the question arises as to what extent the domestic regulatory framework, primarily the Law on Information Security, keeps pace with this evolution.

1. Conceptual Difference: Technical Security vs. Managerial Responsibility
The Serbian Law on Information Security is based on a model of identifying operators of ICT systems of special importance and establishing obligations to implement protective measures, report incidents, and cooperate with competent authorities. The focus is primarily on technical and operational system security.

NIS2, however, introduces a broader risk management concept that goes beyond the technical level. The Directive explicitly requires that governing bodies approve and oversee cyber risk management measures, elevating security to the level of corporate governance.

Domestic law does not contain an equally clearly defined regime of personal liability for management in the event of failures in cyber governance. Although liability can be indirectly derived from general due diligence rules, the regulatory text does not contain the explicit framework provided by NIS2.

2. Scope of Entities: Narrow Circle vs. Systemic Approach
The Serbian law applies to operators of ICT systems of special importance, identified through specified sectors and criteria. The approach is relatively narrow and formal in its basis.

NIS2 introduces a division between essential and important entities and significantly broadens the scope, including digital services, cloud infrastructure, data centers, and other entities of systemic importance to the EU market.

The difference is fundamental: while the domestic framework still starts from identifying critical infrastructure, NIS2 assumes that digital risk has a cascading effect and that security must encompass the entire ecosystem.

3. Risk Management and Supply Chain
Domestic law prescribes obligations to implement protective measures and report incidents, but detailed risk management is left to by-laws and technical guidelines.

NIS2 explicitly emphasizes supply chain risk management. This means that an entity is not only responsible for its own systems but also for the security level of its suppliers and subcontractors.
This difference has direct contractual implications. Under NIS2, companies must precisely regulate security standards in contracts with IT suppliers, cloud providers, and external partners. In the domestic framework, such contractual provisions are not yet strongly encouraged by the regulatory text.

4. Sanctions and Regulatory Dynamics
The Law on Information Security provides for administrative liability and fines, but their scope and structure do not reach the level introduced by NIS2 in the EU.
NIS2 establishes a penalty structure comparable to that of the General Data Protection Regulation, with fines tied to the global turnover of the entity. Cybersecurity is thus equated with data protection in terms of regulatory weight.
This difference also affects risk perception. In the domestic system, a cyber incident is still often seen as an operational problem. In the EU, it represents a serious regulatory and financial risk.

5. Civil Liability and Case Law
The Serbian law does not contain a specific regime of civil liability for breaches in the field of cybersecurity. Any liability is derived from general rules of civil law.
In the EU, however, case law is developing that recognizes non-material damage due to breaches of data security, as confirmed by the German Federal Court of Justice in case VI ZR 10/23. Cyber incidents are increasingly reflected through private lawsuits, not only regulatory proceedings.
Such case law evolution currently has no direct counterpart in Serbia, but it can be expected that through cross-border disputes and the influence of European standards, this trend will gradually extend to the domestic market.

6. Conclusion
Comparative analysis shows that the Serbian Law on Information Security provides a stable basic framework but does not contain all the elements of systemic managerial responsibility introduced by NIS2.
NIS2 shifts the focus from technical protection to strategic risk management, from the operational level to management, and from individual incidents to the resilience of the entire digital ecosystem.
For Serbian companies working with EU partners, the difference between these two regimes is not theoretical. It will manifest through:
• contractual requirements of European clients,
• obligations in the supply chain,
• stricter security audits,
• increased responsibility of managerial structures.

In this sense, the question is no longer whether the domestic framework will evolve toward the NIS2 model, but when and to what extent.
Cybersecurity becomes part of corporate strategy and legal risk management, not just an IT function.


Author:

Ivan Todorović, Partner