Two Laws, Two Paths – Serbia’s New Digital Reality (DSA and Information Security Law)
Digital regulation in Serbia is entering a new phase. In addition to the expected alignment with the EU Digital Services Act (DSA), a new Information Security Law came into effect on October 31, 2025. These regulations are changing the way digital, technology, and traditional companies conduct their business.
New Information Security Law (as of October 31, 2025)
Serbia has adopted a regulation inspired by the EU NIS2 Directive. The law expands obligations to new sectors and introduces stricter information system security measures. Compliance with the new requirements will be mandatory for most companies by April 2027.
Who is covered by the law?
The law now covers the following sectors: healthcare, food industry, transport, utilities, IT services, postal and courier services, and civil aviation. Any company with more than 50 employees can be classified as critical.
Companies will be required to implement 37 measures in four categories: organizational, personnel, technological, and physical. These include establishing security policies, encryption, incident management, and access control.
What are the key deadlines?
- By December 31, 2025: The Government issues classification regulations
- 90 days after the regulations: Registration in the state registry
- By April 2027: Adoption of internal acts on risk assessment
- Within 24 hours: Reporting of security incidents
Penalties for violations and non-compliance with the law will range from 2 million dinars for critical operators, 1 million dinars for important operators, while responsible persons are subject to fines and disciplinary measures.
EU Digital Services Act (DSA) and Serbia
Although Serbia is not yet an EU member, companies operating with users in the EU must already apply DSA requirements. The establishment of an independent institution – Digital Services Coordinator (DSC) – is expected. There is a possibility that REM could take on this role, which raises debates about independence and potential misuse.
EU Digital Identity and eIDAS 2.0
Serbia is adopting EU standards for digital identity and e-signing. During 2025, two European Digital Innovation Hubs (EDIH) centers were opened to help companies with digital transformation and EU compliance.
Practical Advice for Companies in 2025
- Assess whether you fall within the sectors covered by the law.
- If you have EU users, align your business with DSA requirements.
- Monitor the regulations that the Serbian Government should adopt by the end of 2025.
- Prepare internal security policies and an incident response plan.
- Monitor the development of the EU AI Act regulation and its potential application in Serbia.
Conclusion
Serbia stands at a crossroads between domestic and European digital regulation. New regulations, including the Information Security Law, DSA, and eIDAS 2.0, are changing the business environment. Companies should respond in time and seek support from experts in technology law and IT security.
Need legal advice on copyright and AI?
Follow for more legal insights:
