New Information Security Law: First Year of Implementation, the Role of SOCs, and Oversight

On December 23, 2025, the AHK Committee for Digitalization and Cybersecurity organised a panel dedicated to the implementation of the new Information Security Law. The event brought together representatives from the business community, institutions, and the legal profession, with EneTel Solutions hosting the panel at Element 511, Belgrade.

The panel was expertly moderated by Ljubica Barbulj (CEO of EneTel Solutions and Deputy Chair of the Board at AHK) and Zoran Jovanović (Sales Manager at Siemens and Chair of the Board for Digitalization and Cybersecurity at AHK), featuring a distinguished group of experts: Milan Vojvodić (Head of Regulatory Affairs, Information Society and Information Security Sector, Serbian Ministry of Information and Telecommunications), Andrej Nikitin (Business Development Manager, Sky Express IT Security), Marijana Zejaković (TSG Advokati), and Nebojša Cvijetić (Kinto Join Ltd).

The discussion highlighted that Serbia is in a transitional but highly demanding phase, where the legislative framework is still being completed, while operators are already expected to prepare seriously—particularly in the areas of risk management, SOC capacity, and supplier relationships.

Operator Categorization: Priority and Important

One of the central novelties of the Law is the classification of operators as either priority or important, depending on the criticality of their systems and their impact on society and the economy.

As Milan Vojvodić from the Ministry of Information and Telecommunications emphasized, the next key step is the Regulation on Criteria for Operator Categorization, expected to be adopted in January 2026.

This regulation will:

  • Define who falls under the law and who is exempt (applying the principle that micro and small enterprises are generally excluded),

  • Distinguish priority systems (energy, healthcare, banking, transport) from important systems,

  • Set different levels of obligations, oversight, and technical protection measures.

According to the Ministry, the first year of law implementation will be a year of classification, alignment, and preparation—not repression.

Registry of ICT Systems of Special Importance

A particularly important innovation is the Regulation on the Registry of ICT Systems, which introduces the obligation for operators to:

  • Register their ICT systems of special importance,

  • Provide information about responsible personnel,

  • Specify system locations, IP addresses, and basic technical characteristics.

This registry forms the basis for:

  • More efficient oversight,

  • Faster incident response,

  • Coordination with the national CERT and relevant authorities.

SOC (Security Operations Center): From Optional to Expected

A topic that drew particular attention was the role of SOCs under the new regulatory framework.

As Andrej Nikitin (Sky Express) pointed out, providers of security and IT services are no longer merely “partners”; in practice, they become operators of critical parts of information systems, with high privileges and direct influence on security.

In this context:

  • The SOC is no longer a “technical add-on” but a central security management function,

  • SOCs are expected to participate in risk analysis, technology selection, and incident monitoring,

  • SOCs must be documented, integrated into processes, and aligned with internal acts (policies, procedures, incident response plans).

It was emphasized that SOCs cannot be identical for small companies and large enterprises, but they must be proportional to risk, formalized, and auditable.

Supplier Management and the Supply Chain

Panelists agreed that supply chain risk management is one of the most challenging yet crucial aspects of the Law.

Suppliers:

  • Have privileged access to systems,

  • Often manage critical services,

  • Become a source of regulatory and operational risk.

The Law requires that:

  • Supplier risks be included in the Risk Assessment Act,

  • Testing and verification of suppliers be conducted,

  • Responsibility not be entirely outsourced to third parties.

As Nebojša Cvijetić highlighted, the biggest challenge remains management accountability, as risk cannot be “outsourced” through contracts.

Increased Inspection and Technical Oversight

The state’s new role is also reflected in strengthened inspection and professional oversight carried out by the Office for Information Security.

Its responsibilities include:

  • Conducting technical and professional inspections,

  • Verifying the implementation of technical protection measures,

  • Applying and monitoring the risk assessment methodology (expected by July 2026),

  • Participating in the resolution of serious incidents and proposing corrective actions.

In the event of an incident, oversight will no longer be purely formal but operational, focused on remediation and prevention.

Expectations for the First Year of Implementation

According to the panel’s conclusions, the first year will be marked by:

  • Adoption of key secondary legislation,

  • Operator categorization,

  • Establishment of the ICT systems registry,

  • Preparation and alignment of internal acts,

  • Laying the foundation for more active oversight from 2027.

While a penalty framework exists (up to 2,000,000 RSD for priority operators), the focus in the initial phase is clearly on prevention and awareness-raising rather than sanctions.

The new Information Security Law not only introduces new obligations but also changes the way organizations think about security: it becomes a matter of management, accountability, and business continuity. SOCs, risk assessment, suppliers, and state system registries are no longer merely technical topics—they are strategic issues for any serious enterprise.


Cyber Security Summit, Belgrade 2024