Table of Contents Table of Contents
Previous Page  18 / 24 Next Page
Show Menu
Previous Page 18 / 24 Next Page
Page Background

south-east european




American University in Bosnia and Herzegovina.

The university offers cyber security education (both

on a professional and academic level – through MA

and PhD courses) and cooperates with security, in-

telligence and defense institutions in BIH.


Serbia’s legal and institutional framework in the

area of cyber security is based on the Law on In-

formation Security, which was adopted at the be-

ginning of 2016. Important bylaws (on protection

measures, on the list of operators performing ac-

tivities of public interest including critical infra-

structure, on reporting incidents) are being draft-

ed, though mainly within the government circles

and without broader consultations. The Law stip-

ulates that the operators of ICT systems of spe-

cial importance (some of which will be listed as

critical information infrastructure) have to adopt

an act on ICT system security with dedicated pro-

tection measures, supervision of their ICT sys-

tems and persons responsible to perform these

tasks. Furthermore, the Law envisaged the cre-

ation of the Body for the Coordination of Informa-

tion Security, with the option of establishing ex-

pert working sub-groups that could include repre-

sentatives of other public bodies, industry, the ac-

ademic community and civil society. The necessi-

ty to establish a proper cyber security related sys-

tem has been recognized at the strategic level, in

the Strategy for Development of Information Soci-

ety in the Republic of Serbia until 2020 which puts

information security as one of its six priority ar-

eas. As a follow-up, the Working Group for devel-

oping the national strategy on cyber security has

been established in 2016 and has held its first ses-

sions; the strategy is expected to be adopted by

the in the first quarter of 2017. However, a critical

information infrastructure has not been defined

yet, and cyber security standards are not yet ap-


The Law mandated the creation of the n-CERT in

the regulatory agency for electronic communica-

tions and postal services (RATEL). While formally

established, it is in the development phase and cur-

rently lacks technical capabilities and resources;

with proper capacity building, it was expected to

become operational in 2017. At the same time, sev-

eral other CERTs exist or are in formation: the aca-

demic CERT is part of the Academic Network

(AMRES) and protects the network of education,

scientific and research institutions; the Ministry of

Interior has established its own CERT to protect

sensitive citizens’ databases and the system that

operates the databases; the national Internet do-

main registry RNIDS is setting up the CERT for na-

tional domains .rs and .srb, while the civil sector is

working on establishing an independent CERT to

help responding to attacks against the media. At

the moment, however, there is no interaction

among these.

Similar to other countries in the region, the legal

mechanisms to fight cyber crime are in place. The

Criminal Code provides norms on criminal offenc-

es in accordance with legal frameworks of the-

CoE and the EU. The Criminal Code does not reg-

ulate cyber terrorism as an offence, although cy-

ber terrorism can be prosecuted on the basis of

existing offences on terrorism and computer data.

With regard to an institutional framework, a High-

Tech Crime Unit within the special prosecutor’s

office has been established. Moreover three spe-

cialized units - for crime analysis; terrorism and

extremism; and drug prevention, addiction and re-

pression have been established within the MoI.

All these units are in need of further staffing, and

specialized training and adequate budgetary re-

sources are needed. The level of inter-agency co-

operation, information flow and exchange be-

tween law enforcement agencies needs to be fur-

ther improved. However, internal cooperation be-

tween the police and the special prosecutor’s of-

fice for cyber crime is improving. There is no prop-

er multidisciplinary cyber security education on

the policy level. General awareness-raising about

online safety, especially among the youth, is tack-

led through the campaign “Smart and Safe” driv-

en by the Ministry of Trade, Tourism and Tele-

communications, but its scope is limited.

Republic of Macedonia

Macedonia does not have an overarching law

dealing exclusively with cyber security. Instead, a

number of legal documents touch upon some cy-

ber security related issues – the Law on Personal

Data, the Law on Electronic Commerce, the Law

on Electronic communications, the Law on Inter-

ception of Communications, the Law on free Ac-

cess to public Information, the Law on Data in an

Electronic Form and Electronic Signature. In addi-

tion, the amendments to the Law on Criminal Pro-

cedure adopted in 2013 specifically tackle cyber

crime and crimes committed with the use of com-

puters, as well as the collection of digital evidence

by the law enforcement authorities. Although some

international organizations facilitated discussions

during the preparation of the National Cybersecuri-

ty Strategy (for example, the UNDP commissioned

an Assessment Study for the Requirements for

Preparation of a National Cyber Security Strategy),

the national Strategy is still in the drafting process.

The national academic and research network MAR-

net, created in 2010, took over the capabilities and

duties of the academic CERT, which was previous-

ly situated in the Ss. Cyril and Methodius University

in Skopje.

However, with an impetus acquired through im-

plementation of the EU-funded cyber security pilot

project under the EU ENCYSEC, a national MKD-

CERT was formed in 2015 as part of the Agency

for Electronic Communication (AEC), performing

regular CERT functions. In terms of institutional ca-

pacities to deal with cyber crime issues, the Cyber-

crime Unit located within the Department for Sup-

pression of Organized and Serious Crime and the

Forensic Department of the Ministry of Interior

merged into a single Cybercrime and Digital Foren-

sic Department, thus forming a more efficient and

effective investigative unit.


According to the report, there is progress in for-

mally establishing the legal and operational frame-

works in most of the countries of the Western Bal-

kans, except for BIH and Macedonia which are lag-

ging behind. They are all making efforts to meet the

criteria for EU membership, and are being as-

sessed regularly through the EU country reports.

Since all the countries are on the EU track, there is

a formal follow-up on implementing the EU require-

ments as well, both on a policy and on an opera-

tional level. There are significant differences and

important similarities in the development of cyber

security policy across the Western Balkan region.

In most countries, specific legislation on informa-

tion security seems to be in place. It is remarkable

however, that Montenegro had already passed

such a law in 2010, whereas in Serbia for instance,

it was not adopted until early 2016. Bosnia and

Herzegovina on the other hand has not yet man-

aged to develop any significant state-level legisla-

tion on cyber security.

More progress seems to have been achieved with

cyber security strategies and comprehensive risk

assessments. Again, Montenegro has led the trend,

whereas Serbia has yet to finalize a strategy and

Bosnia and Herzegovina has not even started work-

ing on one. Still, Western Balkan countries seem to

be slow in implementing strategies. Whereas

progress is seen in some countries in making law

enforcement activities in the field of cyber crime

more efficient, staff at the CERTs and in LEAs gen-

erally still lack resources and capacities. Hardly any

serious educational policies have been undertaken

in any of the countries in the region. Very little to no

outreach to the private sector has happened and

no significant public-private partnership with private

sector actors have been set up.

Source: DCAF/Diplo

(“Cybersecurity Capacity Building and Research

Programme for South-Eastern Europe“)

Source: Dreamstime