New Law on Payment Services: Focus on Cybersecurity Measures for Securing Serbia's Financial Institutions

Here are the key cybersecurity measures embedded in the new law:

1. Strong Customer Authentication (SCA)

• Requirement: SCA mandates multi-factor authentication (MFA) for electronic payments. Customers must verify their identity using at least two of the following factors:
  • Something they know (e.g., password or PIN).
  • Something they have (e.g., a mobile device, security token).
  • Something they are (e.g., biometric data like a fingerprint or facial recognition).
• Purpose: To significantly reduce the risk of fraud and unauthorized access to payment accounts by ensuring that only the rightful user can authorize transactions

2. Secure API Access for Third-Party Providers (TPPs)

• Requirement: Financial institutions, including banks, must develop and maintain secure APIs (Application Programming Interfaces) that allow licensed TPPs to access customer payment account data and initiate transactions securely.
• Purpose: To enable secure data sharing and transactions between banks and TPPs, ensuring that customer data is protected from breaches and unauthorized access during these interactions.

3. Data Protection and Privacy Compliance

• Requirement: All payment service providers must comply with stringent data protection regulations, particularly those aligned with the GDPR. This includes the secure handling, storage, and transmission of customer data.
• Purpose: To safeguard personal and financial information from cyber threats such as hacking, data breaches, and identity theft.

4. Incident Reporting and Response

• Requirement: Companies are required to have systems in place for detecting, managing, and reporting security incidents, including data breaches. Significant incidents must be reported to the National Bank of Serbia (NBS) promptly.
• Purpose: To ensure quick response and mitigation of cybersecurity threats, minimizing damage to customers and maintaining the integrity of the payment system.

5. Risk Management Framework

• Requirement: Financial institutions must implement a comprehensive risk management framework that includes regular cybersecurity risk assessments, the deployment of preventive measures, and continuous monitoring for potential threats.
• Purpose: To proactively identify, assess, and mitigate cybersecurity risks, reducing the likelihood of successful cyberattacks.

6. Regulatory Oversight for Foreign E-Money Issuers

• Requirement: Foreign e-money issuers must notify the NBS before offering services to Serbian residents, and local providers cannot execute transactions with unregistered foreign issuers.
• Purpose: To ensure that all entities providing financial services in Serbia meet the necessary cybersecurity and regulatory standards, protecting the local financial ecosystem from external threats.

7. Exemptions with Cybersecurity Controls

• Requirement: Certain exemptions, such as the limited network and electronic communication exemptions, come with cybersecurity conditions, including transaction limits, monitoring requirements, and periodic audits.
• Purpose: To prevent misuse of exemptions as a loophole for cybercriminal activities, ensuring that even exempted transactions are secure and monitored.

8. Regulatory Sandbox with Security Provisions

• Requirement: The regulatory sandbox allows testing of new payment services under controlled conditions, with security measures tailored to the innovative nature of the services being tested.
• Purpose: To encourage innovation while ensuring that new services are rigorously tested for cybersecurity vulnerabilities before full-scale deployment.

As these amendments come into effect on May 6, 2025, financial institutions in Serbia must begin preparations to comply with the new requirements. This includes upgrading cybersecurity measures, adapting to new operational frameworks, and ensuring that all payment services meet the highest standards of security and transparency.