Building cybersecurity resilience of critical sectors in Serbia

On May 7 and 8, 2025, the event “Building Cybersecurity Resilience of Critical Sectors in Serbia” was held at the Sava Centre in Belgrade.  

The two-day event focused on strengthening the cyber resilience of critical sectors in Serbia, through comprehensive risk management models, legal frameworks and practical methodologies.  

The central focus was on cyber security risk analysis, a key issue in light of anticipated changes to Serbia’s Law on Information Security, which will introduce mandatory risk assessments for ICT systems of special importance. The event also focused on aligning Serbia’s cybersecurity framework with the EU’s NIS2 Directive and adapting its principles into national legislation. 

The event brought together international and local experts and stakeholders from the financial, telecommunications, energy, and governmental sectors to explore the frameworks offered by the EU, its Member States, and Serbia, focusing on how these can be adapted to enhance the country’s cybersecurity. 

Practical sessions 

In addition to panel discussions, practical sessions were held, including a hands-on risk assessment exercise and a simulated ransomware incident management scenario.  

These sessions gave participants the skills needed to identify and prioritise risks for critical entities. The exercise was conducted in two parallel tracks:  

  • an incident response exercise for the energy sector  
  • a cyber risk assessment workshop for telecommunication and financial sectors.  


Cyber incident response exercise for the energy sector 

In the first track, energy sector participants took part in a simulated ransomware attack on a fictional company, designed to present major operational and reputational risks.  

Participants were split into technical and organisational teams to address both aspects of incident response. In partnership with the national CERT of Serbia (SRB CERT) and using its exercise infrastructure, the technical team focused on detection, containment, and system recovery, while regularly updating the organisational team.  

The organisational team took part in a table-top exercise, tasked with making strategic decisions and reporting to actors simulating company leadership, the CERT, prosecutors, journalists, and partners.  

Both groups demonstrated high levels of engagement and collaboration, highlighting the exercise as a valuable, practical learning experience. 


Cybersecurity risk assessment workshops for telecoms and the financial sector 

In the second track, participants from the financial and telecommunications sectors took part in a two-part workshop designed to strengthen their understanding of cybersecurity risk analysis.  

In the first session, participants were given an overview of sector-specific risks and assessment frameworks. They then worked in teams to analyse cyberattack scenarios: they identified key assets, assessed threats and vulnerabilities, evaluated risks using a risk matrix, and developed mitigation strategies.  

In the second session, teams presented their findings, shared insights, and participated in open discussions to address challenges and solutions. This collaborative format helped reinforce practical risk management skills for use within their organisations. 

A joint post-exercise debrief was held with all participants from both tracks to reflect on lessons learned and propose improvements to strengthen national cyber resilience. 


Key discussions from panels and workshops  

  • NIS2 and CER directives: strengthening cybersecurity across the EU: The first panel focused on the EU’s frameworks, particularly the NIS2 Directive and the Critical Entities Resilience (CER) Directive. These directives strengthen cybersecurity by introducing standardised risk assessment methodologies for critical entities. While notable progress has been made, implementation remains challenging, especially in harmonising EU requirements with national regulations. Nonetheless, several member states have successfully applied these frameworks in innovative and effective ways. 
  • Progress of harmonising Serbia’s cybersecurity laws with EU standards: In the second panel, Mr Milan Vojvodić, Head of the Department for Regulation in the Information Society at the Ministry of Information and Telecommunications of the Republic of Serbia, who has played a key role in drafting the Draft Law on Information Security, highlighted the most important provisions of the draft law, particularly concerning the forthcoming bylaw that will regulate the risk assessment methodology for ICT systems of critical importance. While he did not provide specific details on the method, he noted that it will be based on the current framework proposed by ENISA. Mr Vojvodić expressed optimism that the new Law on Information Security will be enacted by the end of this year. 
  • Protecting critical infrastructure: The third panel highlighted the importance of strong backup and restoration strategies to maintain the continuity of operations in Critical National Infrastructure (CNI) following a cyber-attack. Key measures include regularly testing and updating backup systems, implementing multiple layers of data redundancy, and using geographically dispersed storage locations to reduce the risk of data loss. Integrating these comprehensive backup strategies into broader contingency planning is essential to enhance the resilience of CNI against cyber threats. 
  • Recommendations for strengthening CNI cybersecurity in Serbia: The plenary session presented diverse recommendations to enhance the cybersecurity and resilience of Critical National Infrastructure (CNI) in Serbia. The key focus was building human capacity through continuous training and education, improving communication channels for cyber threat intelligence, and fostering stronger third-party coordination. Regulatory compliance, especially with frameworks like DORA, was mentioned as a key focus, as well as increasing awareness among public officials and aligning procurement practices with cybersecurity needs.  


The conclusions from the event will be used to create policy proposals that align with regulatory standards and practices to strengthen Serbia’s national cyber resilience.  

This article was created by