NCSI FULFILMENT PERCENTAGE
Version 8 Mar 2022
GENERAL CYBER SECURITY INDICATORS
-
1. Cyber security policy development 7/7 100%
-
1.1. Cyber security policy unit 3/3
Requirements
Criteria: A central government entity (ministry or equivalent) has a specialised official or unit responsible for national cyber security policy development.
Accepted references: Official website or legal act
Evidence
Law on Information Security ("Official Gazette of RS", no. 6 of 28 January 2016, 94 of 19 October 2017, 77 of 31 October 2019), Article 4
“The state administration body responsible for the security of the ICT system is the ministry responsible for information security affairs (hereinafter: the competent authority).”
https://www.paragraf.rs/propisi/zakon_o_ministarstvima.html
The Law about Ministries ("Official Gazette of RS", No. 128/2020), Article 9 (Ministry of Trade, Tourism and Telecommunications)
“ (...) The Ministry of Trade, Tourism and Telecommunications performs state administration tasks in the field of information society related to: proposing policies and strategies for the development of the information society; preparation of laws, other regulations, standards and measures in the field of electronic business; measures to encourage research and development in the field of information society; preparation of laws, other regulations, standards and measures in the field of information society and information and communication technologies; application of information and communication technologies; provision of information services; development and functioning of information and communication infrastructure; development and improvement of academic, ie educational and scientific research computer network; data protection and information security; international affairs in the field of information society;”
Background: This Ministry has established the Sector for Information Society and Information Security. Within this sector are the Unit for regulation, analysis and planning in the Information Society Field and the Unit for Information Security and e-Commerce. This sector has prepared regulations (laws, bylaws) in the cyber security area, as well as the Cyber Security Strategy.
https://mtt.gov.rs/extfile/sr/34949/INFORMATOR%20O%20RADU%20MTTT%2031.okt.2021.%20cirilica.pdf
Information on the work of the Ministry of Trade, Tourism and Telecommunication (2021)
Page 6 - Organisational Structure of the Ministry
-
1.2. Cyber security policy coordination format 2/2
Requirements
Criteria: The central government has a committee, council, working group, etc. for national-level cyber security policy coordination.
Accepted references: Official website or legal act
Evidence
https://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/vlada/odluka/2020/8/4/reg
Decision on the establishment of the Information Security Coordination Body
The Government of Serbia has the Coordination Body for Cyber Security Affairs, which consists of representatives of the relevant state bodies in this area. The tasks of this body are defined by Article 2 of Decision on Establishing
-
1.3. Cyber security strategy 1/1
Requirements
Criteria: The central government has established a national-level cyber security strategy or other equivalent document.
Accepted references: Valid official document
Evidence
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/vlada/strategija/2021/86/1/reg
Strategy for the Development of an Information Society and Information Security in the Republic of Serbia for the period 2021-2026
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/vlada/strategija/2018/71/1/reg
In addition, as a complementary document, the Strategy for the Fight against High-Tech Crime for the Period 2019-2023 (in Serbian) and its accompanying Action Plan for the years 2019-2020 (can be found at the very end of the document as an annex).
“In light of the EU accession negotiations, Serbia adopted the Strategy for Combating Cybercrime 2019-2023, with the Action Plan (2019 - 2020) for the implementation of the Strategy on 15 September 2018. Chapter 6 of the Strategy includes the need to amend relevant legislation, by the 4th quarter of 2020, to increase institutional capacity and training, foster inter-agency cooperation and awareness raising and prevention in the area of high-tech crime.” Source (COE) can be seen here.
-
1.4. Cyber security strategy implementation plan 1/1
Requirements
Criteria: The central government has established an implementation plan to the national-level cyber security strategy or other equivalent document.
Accepted references: Valid official document or its enforcement act
Evidence
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/vlada/strategija/2021/86/1/reg
The Strategy for the Development of an Information Society and Information Security in the Republic of Serbia for the period 2021-2026 has an action plan for the years 2021-2023 (see section 9)
-
-
2. Cyber threat analysis and information 4/5 80%
-
2.1. Cyber threats analysis unit 3/3
Requirements
Criteria: A central government entity has a national-level unit that is specialised in national strategic cyber threat situation analysis.
Accepted references: Official website or legal act
Evidence
Ministry of Foreign Affairs (Department for European Security and Defense Policy (CSDP))
"In that sense, the Ministry of Foreign Affairs monitors and analyzes global, regional and local security challenges, threats and risks with all implications for the security of the Republic of Serbia, especially issues of global terrorism, energy security and cyber security"
“The Department for European Security and Defense Policy (CSDP) and Security Challenges performs tasks related to: (...) analysis of existing and new global security threats and challenges in the world (terrorism, energy and cyber security) and especially in the region of Southeast Europe”
-
2.2. Public cyber threat reports are published annually 0/1
Requirements
Criteria: The public part of the national cyber threat situation analysis is published at least once a year.
Accepted references: Official public report
Evidence
-
2.3. Cyber safety and security website 1/1
Requirements
Criteria: Public authorities provide at least one cyber safety and security website for cyber security and ICT professionals, and regular users.
Accepted references: Website
Evidence
https://www.pametnoibezbedno.gov.rs/
The Ministry of Trade, Tourism and Telecommunications administers the website "Safe&Smart", where information on cyber security matters can be found. The aim of this initiative is to educate and raise awareness about the necessity of fast, correct and targeted involvement of citizens, the education system and the economy in contemporary digital currents. The platform launches educational and promotional projects that should contribute to the development of digital literacy, digital competences and digital security culture among all citizens of Serbia.
Also, the website of the National CERT carries notifications and recommendations regarding cyber security.
-
-
3. Education and professional development 5/9 56%
-
3.1. Cyber safety competencies in primary or secondary education 1/1
Requirements
Criteria: Primary or secondary education curricula include cyber safety / computer safety competences.
Accepted references: Official curriculum or official report
Evidence
Cyber security lectures are included in Informatics and computing curricula for elementary schools (digital literacy area) (p.181 of PDF document).
https://eacea.ec.europa.eu/national-policies/eurydice/sites/default/files/en_digital_education_n.pdf
Digital Education at School in Europe (Eurydice Report), 2019
- "The majority of European education systems have explicitly included learning outcomes related to all five digital competence areas. In descending order of prevalence these are: information and data literacy, digital content creation, communication and collaboration, safety, and problem solving (see Figure 1.5)" (see p. 10)
- For the purpose of this focused analysis, eight (6) of the 21 digital competences in DigComp have been selected, taking at least one from each of the five areas (…) Protecting personal data and privacy (safety area): the increasing relevance of this competence is reflected in European curricula, as nearly 30 education systems have explicit related learning outcomes in secondary education, and nearly 20 in primary education (see Figure 1.7) (pp. 10-11)
- See page 43, Figure 1.7, Serbia (RS) has it for ISCED 3
- See page 119: Curriculum approaches to digital competences according to national curricula for primary and general secondary education (ISCED 1-3), 2018/19
-
3.2. Bachelor’s level cyber security programme 0/2
Requirements
Criteria: There is at least one cyber security / electronic information security focused programme at Bachelor’s or equivalent level.
Accepted references: Accredited study programme
Evidence
-
3.3. Master’s level cyber security programme 2/2
Requirements
Criteria: There is at least one cyber security / electronic information security focused programme at Master’s or equivalent level.
Accepted references: Accredited study programme
Evidence
http://www.metropolitan.ac.rs/en/master-studies/information-security/
There are accredited information security study programmes and courses in the Republic of Serbia. For example, there is an information security module in the master studies at University "Metropolitan" Belgrade.
There is also an information security course in the accredited master programme of the Faculty of Transport and Traffic Engineering in Belgrade.
-
3.4. PhD level cyber security programme 0/2
Requirements
Criteria: There is at least one cyber security / electronic information security focused programme at PhD or equivalent level.
Accepted references: Accredited study programme
Evidence
-
3.5. Cyber security professional association 2/2
Requirements
Criteria: There is a professional association of cyber/electronic information security specialists, managers or auditors.
Accepted references: Website
Evidence
https://engage.isaca.org/belgradechapter/home
eSafety is a non-profit association formed in February 2016. It is made up of IT security professionals who are gathered around the general vision and intention to raise the significance, role and awareness of information security, as well as knowledge of high-tech crime.
-
-
4. Contribution to global cyber security 2/6 33%
-
4.1. Convention on Cybercrime 1/1
Requirements
Criteria: The country has ratified the Convention on Cybercrime.
Accepted references: Official website of the convention
Evidence
https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=zrS8ISMY
The Republic of Serbia has signed and ratified the Convention on Cybercrime.
The Republic of Serbia has adopted the Law on ratifying the Convention on cybercrime (Web link 2, Official Gazette of the Republic of Serbia, No. 19/2009, Page 3-20) and the Law on ratifying the Additional Protocol to the Convention on cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (Official Gazette of the Republic of Serbia, No. 19/2009, Page 40-45).
-
4.2. Representation in international cooperation formats 1/1
Requirements
Criteria: The government is regularly represented in a cooperation format that is dedicated to international cyber security (e.g. FIRST).
Accepted references: Official website of the cooperation format
Evidence
https://www.first.org/members/teams/#serbia
https://www.trusted-introducer.org/directory/country_LICSA.html
Serbian CERT teams are listed on the Trusted Introducer List and they are available for international cooperation.
https://www.osce.org/secretariat/cyber-ict-security
Serbia participates in the OSCE Informal workgroup formed by Decision 1039 of the OSCE Permanent Council on development of confidence-building measures to reduce the risks of conflict stemming from the use of information and communication technologies.
-
4.3. International cyber security organisation hosted by the country 0/3
Requirements
Criteria: A regional or international cyber security organisation is hosted by the country.
Accepted references: Organisation’s official website
Evidence
-
4.4. Cyber security capacity building for other countries 0/1
Requirements
Criteria: The country has (co-)financed or (co-)organised at least one capacity building project for another country in the last 3 years.
Accepted references: Official website or project document
Evidence
-
BASELINE CYBER SECURITY INDICATORS
-
5. Protection of digital services 5/5 100%
-
5.1. Cyber security responsibility for digital service providers 1/1
Requirements
Criteria: According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.
Accepted references: Legal act
Evidence
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/skupstina/zakon/2016/6/5/reg
By the amendments to the Law on Information Security, information society service providers (digital service providers) are recognized as ICT systems of particular importance in the Republic of Serbia (Article 6). In accordance with the Law, they are obliged to take protection measures for their ICT system, to adopt a policy on the security of the ICT system, to carry out system audits every year and to report incidents that significantly disrupt the information security of their system.
-
5.2. Cyber security standard for the public sector 1/1
Requirements
Criteria: Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.
Accepted references: Legal act
Evidence
According to Article 6 of Law on Information Security, public sector bodies are determined as operators of ICT systems of particular importance. Public sector bodies are obliged to conduct protection measures of their ICT systems (Article 7), to adopt Act on Information Security of their ICT systems (Article 8) and to report incidents which significantly endanger their ICT systems (Article 11).
-
5.3. Competent supervisory authority 3/3
Requirements
Criteria: The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.
Accepted references: Official website or legal act
Evidence
By the amendments to the Law on Information Security, information society service providers (digital service providers) are recognized as ICT systems of particular importance in the Republic of Serbia (Article 6). In accordance with Article 28 of the Law, the competent ministry supervises ICT systems of particular importance.
-
-
6. Protection of essential services 6/6 100%
-
6.1. Operators of essential services are identified 1/1
Requirements
Criteria: There is a legal act that allows to identify operators of essential services.
Accepted references: Legal act
Evidence
According to Article 6 of the Law on Information Security (Web link 1), operators of particular importance are: 1) public sector bodies, 2) entities which use ICT systems processing particularly sensitive personal data, 3) operators of ICT systems in areas of public interest (operators of essential services). Article 6 defines the areas of public interest.
https://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/vlada/uredba/2019/94/6
The list of services is closely defined by the Government Regulation on determining the List of activities in areas of public interest in which ICT systems of particular importance are used.
-
6.2. Cyber security requirements for operators of essential services 1/1
Requirements
Criteria: According to the legislation, operators of essential services must manage cyber/ICT risks.
Accepted references: Legal act
Evidence
Under Articles 7 and 8 of the Law on Information Security, the operators of ICT systems of particular interest (including operators of essential services) are obliged to take protection measures in order to prevent incidents in their ICT systems, and operators of ICT systems of particular importance have to conduct a security audit.
Protection measures are regulated by Government Regulation on ICT systems of particular importance protection measures.
Security of ICT system, audit methods and report content are closely regulated by Government regulation.
-
6.3. Competent supervisory authority 3/3
Requirements
Criteria: The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.
Accepted references: Official website or legal act
Evidence
Article 28-29: the competent ministry for information security (which is now the Ministry of Trade, Tourism and Telecommunications) conducts inspections of operators of ICT systems of particular importance (including operators of essential services).
-
6.4. Regular monitoring of security measures 1/1
Requirements
Criteria: Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).
Accepted references: Legal act
Evidence
Operators of ICT systems have to conduct security audit of their ICT systems at least once per year and to make a report on that audit (Article 8, Web link 1).
-
-
7. E-identification and trust services 9/9 100%
-
7.1. Unique persistent identifier 1/1
Requirements
Criteria: The government provides a unique persistent identifier to all citizens, residents, and legal entities. For example, the identifier remains the same after document expiration and name change.
Accepted references: Legal act
Evidence
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/skupstina/zakon/2018/24/6/reg
Citizens of the Republic of Serbia have a unique identification number, which is individual and unrepeatable identification citizen's data (Article 1; Law on the unique registration number of citizens).
Companies in Serbia have an identification number which is given by Statistical Office of Serbia (Article 4).
-
7.2. Requirements for cryptosystems 1/1
Requirements
Criteria: Requirements for cryptosystems in the field of trust services are regulated.
Accepted references: Legal act
Evidence
Art. 4 ref to: ETSI TS 119 312 „Electronic Signatures and Infrastructures (ESI) – Cryptographic Suites”
-
7.3. Electronic identification 1/1
Requirements
Criteria: Electronic identification is regulated.
Accepted references: Legal act
Evidence
Electronic identification in Serbia is regulated by the Law on Electronic Document, Electronic Identification and Trust Services in Electronic Business (Web Link 1, Article 17-24) and by the Regulation on detailed conditions for electronic identification schemes for each level of assurance (Web link 2).
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/vlada/uredba/2018/60/1/reg
-
7.4. Electronic signature 1/1
Requirements
Criteria: E-signature is regulated.
Accepted references: Legal act
Evidence
Electronic signature/seal in Serbia is regulated by Law on Electronic Document, Electronic Identification and Trust Services in Electronic Business (Web Link 1, Article 42-51), and by Regulation on conditions for trust services providing (Web link 2) and by Rulebook on conditions for qualified electronic certificates (Web link 3). Also, there is Rulebook on conditions for qualified creation signature/seal devices (link: http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/ministarstva/pravilnik/2018/34/4/reg)
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/vlada/uredba/2018/37/2/reg
-
7.5. Timestamping 1/1
Requirements
Criteria: Timestamping is regulated.
Accepted references: Legal act
Evidence
Timestamping is regulated by Law on Electronic Document, Electronic Identification and Trust Services in Electronic Business (Articles 52-53).
Rules on the issuance of a time stamp
-
7.6. Electronic registered delivery service 1/1
Requirements
Criteria: Electronic registered delivery service between state entities, citizens and private sector entities is regulated. The service provides legally binding data exchange and guarantees the confidentiality and integrity of information.
Accepted references: Legal act
Evidence
Electronic registered delivery is regulated by the Law on Electronic Document, Electronic Identification and Trust Services in Electronic Business (Article 15, Article 54-55). Article 54 requires service providers to fulfil technical and security requirements which guarantee confidentiality and integrity of information. The legal effect of the registered delivery service in administrative procedures is regulated by Article 55.
-
7.7. Competent supervisory authority 3/3
Requirements
Criteria: There is an authority responsible for the supervision of qualified trust service providers.
Accepted references: Official website or legal act
Evidence
The Ministry competent for information society (Ministry of Trade, Tourism and Telecommunications) is an authority responsible for the supervision of qualified trust service providers (Article 28).
-
-
8. Protection of personal data 4/4 100%
-
8.1. Personal data protection legislation 1/1
Requirements
Criteria: There is a legal act for personal data protection.
Accepted references: Legal act
Evidence
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/skupstina/zakon/2018/87/13/reg
Law on Personal Data Protection (English version as of 2008 can be accessed here)
-
8.2. Personal data protection authority 3/3
Requirements
Criteria: There is an independent public supervisory authority that is responsible for personal data protection.
Accepted references: Official website or legal act
Evidence
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/skupstina/zakon/2018/87/13/reg
Commissioner for Information of Public Importance and Personal Data Protection
See Law on Personal Data Protection Article 73 in conjunction with article 4 (22)
Official website of the Commissioner
-
INCIDENT AND CRISIS MANAGEMENT INDICATORS
-
9. Cyber incidents response 5/6 83%
-
9.1. Cyber incidents response unit 3/3
Requirements
Criteria: The government has a unit (CSIRT, CERT, CIRT, etc.) that is specialised in national-level cyber incident detection and response.
Accepted references: Official website or legal act
Evidence
National CERT
-
9.2. Reporting responsibility 0/1
Requirements
Criteria: Digital service providers and operators of essential services have an obligation to notify appointed government authorities of cyber security incidents.
Accepted references: Legal act
Evidence
-
9.3. Single point of contact for international coordination 2/2
Requirements
Criteria: The government has designated a single point of contact for international cyber security coordination.
Accepted references: Official website or legal act
Evidence
http://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/skupstina/zakon/2016/6/5/reg
In accordance with the Article 15 of the Law on Information Security, the National CERT is the authorized point of contact for the cooperation with the similar organizations in other countries.
-
-
10. Cyber crisis management 3/5 60%
-
10.1. Cyber crisis management plan 0/1
Requirements
Criteria: The government has established a crisis management plan for large-scale cyber incidents.
Accepted references: Legal act
Evidence
-
10.2. National-level cyber crisis management exercise 2/2
Requirements
Criteria: The government has conducted a national-level cyber crisis management exercise or a crisis management exercise with a cyber component in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
https://www.osce.org/secretariat/351176
Representatives of Serbian state bodies participated in a tabletop exercise in Serbia on protecting critical energy infrastructure from cyber-related terrorist attacks, which was organized by the OSCE in October 2017 (Web link 1).
-
10.3. Participation in international cyber crisis exercises 1/1
Requirements
Criteria: The country's team has participated in an international cyber crisis management exercise in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
https://www.coe.int/en/web/cybercrime/iproceeds-2
iPROCEEDS-2
"Cooperation on Cybercrime under the Instrument of Pre-accession Assistance (IPA) – is a Joint project of the European Union and the Council of Europe.
Participating countries/areas: Albania, Bosnia and Herzegovina, Montenegro, North Macedonia, Serbia, Turkey and Kosovo*
Objective: To further strengthen the capacity of authorities in project countries and areas to search, seize and confiscate cybercrime proceeds and prevent money laundering on the Internet and to secure electronic evidence."
Simulation Exercise on Joint Action against Cybercrime "The three-day exercises focused on simulated computer incident and potential cybercrime against a private health Research Centre conducting COVID-19 research. The main objective was to give investigators, prosecutors, cybersecurity experts and private industry representatives a set of skills that are necessary for joint action against cybercrime (...)".
-
10.4. Operational support of volunteers in cyber crises 0/1
Requirements
Criteria: The procedures for using volunteers in the field of cyber security are established by legislation.
Accepted references: Legal act
Evidence
-
-
11. Fight against cybercrime 9/9 100%
-
11.1. Cybercrimes are criminalised 1/1
Requirements
Criteria: Cybercrimes are defined by legislation.
Accepted references: Legal act
Evidence
https://www.pravno-informacioni-sistem.rs/SlGlasnikPortal/eli/rep/sgrs/skupstina/zakon/2005/85/6/reg
Criminal Code (English version as of 2019) can be accessed here. See Articles 298-304a, Article 185b, Article 198-204.
-
11.2. Cybercrime unit 3/3
Requirements
Criteria: There is a government entity with a specific function of combatting cybercrime.
Accepted references: Official website or legal act
Evidence
http://arhiva.mup.gov.rs/cms_lat/UKP.nsf/sbpok.h?OpenPage
Cybercrime Department is a unit which is part of Ministry of Interior - Service for Organized Crime (Web link 1) and it has a specific function of combatting cybercrime (Web link 2, Article 9).
Also, Special Prosecutor's Office for Cybercrime (Web Link 3) is competent authority for cybercrime processing (Web link 2, Article 4).
-
11.3. Digital forensics unit 3/3
Requirements
Criteria: There is a government entity with a specific function of digital forensics.
Accepted references: Official website or legal act
Evidence
Digital forensics is performed by the Section for providing and analysis of electronic evidences and electronic forensics within Ministry of Interior, Service for Combating Organized Crime (Web link 1, page 13, paragraph 2)
National Center for Criminal Forensics
-
11.4. 24/7 contact point for international cybercrime 2/2
Requirements
Criteria: The government has designated an international 24/7 contact point for cybercrimes.
Accepted references: Official website or legal act
Evidence
https://rm.coe.int/cyber-list-of-competent-authorities-september-2021/1680a3aaae
Cyber Crime Department Service for Combating Organized Crime Ministry of Interior
-
-
12. Military cyber operations 3/6 50%
-
12.1. Cyber operations unit 0/3
Requirements
Criteria: Military forces have a unit (cyber command, etc.) that is specialised in planning and conducting cyber operations.
Accepted references: Official website or legal act
Evidence
-
12.2. Cyber operations exercise 2/2
Requirements
Criteria: Military forces have conducted a cyber operations exercise or an exercise with a cyber operations component in the country in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
-
12.3. Participation in international cyber exercises 1/1
Requirements
Criteria: The country's military team has participated in an international cyber operations exercise in the last 3 years.
Accepted references: Exercise document/website or press release
Evidence
-
Information Disclaimer
The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.
CONTRIBUTORS
Ministry of Trade, Tourism and Telecommunications