5 things every employer needs to know about the new Information Security Law

24.06.2026.

Cyber attacks, ransomware incidents, data leaks and email fraud are no longer problems reserved only for large corporations. The increasing digitalization of business has led to information security becoming one of the key risk management issues in every organization.

This is precisely why the new Information Security Act was passed. It significantly expands the obligations of companies and brings the domestic regulatory framework closer to European standards, above all the European NIS2 Directive, which sets a higher level of obligations in the field of cybersecurity.

Below, we highlight five of the most important things that every employer should know.

1. Information security is no longer just an IT issue

One of the most significant changes is that responsibility for information security no longer rests solely with the IT department.

The new approach entails the active involvement of management in managing cyber risks, adopting security policies and ensuring adequate resources for protecting information systems. In other words, information security becomes part of corporate governance.

2. A larger number of companies fall under legal obligations

The new law expands the circle of entities that are obliged to implement information security measures.

In addition to traditional critical infrastructure operators, the obligations may also extend to companies operating in areas of particular importance for the economy and society, including digital services, manufacturing, logistics, the healthcare sector and other activities.

Therefore, it is important for each company to assess whether it falls under the regime of new legal obligations.

3. Cyber risk management becomes a legal requirement

Organizations will need to identify potential threats, assess risks, and establish appropriate technical and organizational protection measures.

This includes:

  • internal policies and procedures;
  • access control to information systems;
  • incident response plans;
  • regular risk assessments;
  • data and business process protection measures.

The goal is not just to formally meet legal requirements, but to increase the organization’s resilience to security incidents.

4. Incidents will have to be reported

In the event of a serious cyber incident, companies will be obliged to notify the competent authorities within the legally prescribed deadlines. Timely reporting enables a faster response, reduced consequences and more efficient coordination between institutions and business entities.

Failure to report incidents may constitute grounds for misdemeanor liability.

5. Employees become a key part of the protection system

Regardless of the level of technical protection, human error remains one of the most common causes of security incidents. Therefore, companies will need to pay more attention to employee education, raising awareness of cyber risks, and establishing clear rules for the use of information systems.

Information security training is becoming an important part of the overall compliance system of any organization.

What can employers do today?

In order to prepare for the new obligations in a timely manner, employers should:

  • analyze whether their organization falls under the application of the law;
  • conduct an assessment of existing security procedures;
  • adopt or update internal acts in the field of information security;
  • define the responsibilities of employees and managers;
  • organize regular training and awareness-raising for employees.

The law introduces a short deadline for incident notifications: operators must submit a notification about an incident that may have a significant impact on information security without delay, and no later than 24 hours from the date of learning about the incident.

A deadline of 18 months from the date of entry into force of the new Law is provided for the adoption of the act on risk assessment and the act on the security of ICT systems of particular importance.

Conclusion

The law provides for more efficient monitoring mechanisms, as well as misdemeanor sanctions for entities that do not implement the prescribed measures or do not fulfill their legal obligations.

Companies that promptly establish appropriate procedures and develop an information security culture will be in a significantly better position to respond to the challenges of modern business.

Disclaimer: The text is for informational purposes only and does not constitute legal advice.
