Compare
Compare
In recent years, Bosnia and Herzegovina has seen a consistent increase in the rate of Internet absorption along with a continuous extension of broadband access across urban and rural areas. As a potential EU candidate country, Bosnia has recently developed a burgeoning drive to advance the country’s digital and cyber capabilities in line with those of the European Union; ‘smart growth’ is notably included as one of the national priorities under the 2015 Strategic Framework. That said, the institutional, regulatory, and operational framework that would enable the realisation of this ambition is still nascent and the progress in many policy areas is undermined by the complexity of the distribution of powers between the central government and two entities: the Federation of Bosnia and Herzegovina and the Republika Srpska. In 2017, Bosnia formally adopted the Policy of Electronic Communications of Bosnia and Herzegovina 2017-2021, which is largely aligned with the Digital Agenda of Europe [x]. This vision of a Bosnian digital society is a key milestone for the country’s emerging cyber diplomatic apparatus as it clearly identifies the foundational pillars of the country’s ICT ecosystem, which in turn will assist in bringing it into closer alignment with European cyber priorities.
An EU candidate country since 2014, Albania has been eagerly embracing its digital revolution with the government ushering in an array of cyber and digital policy initiatives. In recent years, Albania has worked on adapting its legal framework to comply with the EU’s acquis communautaire and further approach the Digital Single Market. The Albanian policy framework ranks 1st across the Western Balkans region in fostering the inclusivity and competitiveness of digital society [x], while the country currently ranks 80th in the Global Security Index [x]. An OECD report praised Albania for enhancing intragovernmental cooperation, emphasising the cross-cutting character of ICT in its development strategies, and allocating resources towards the implementation of its digital strategy. Despite the proliferation of such policies, however, the country is currently the 5th largest source of cybercrime in Europe, suffering at least 1.3 million cyberattacks yearly [x]. As such, modernising cybercrime legislation and upgrading critical infrastructure protection constitute key priorities for Albanian policymakers.
An EU candidate country since 2012, Serbia is an important partner in the Western Balkans. The 2020 iteration of the Digital Evolution Scorecard characterised Serbia as a ‘break out’ economy, meaning that despite a relative lack of digital infrastructure the country is rapidly digitalising; internet penetration is one of the highest across the region, standing at 79%. Over the past decade, Serbia’s digital policy has been focused on attracting foreign investment, deepening the digital transformation across the public and private sectors, and promoting economic growth in line with EU targets. These objectives have been operationalised through a series of strategies, notably the Strategy for the Development of Information Security for the period 2017-2020 and the Strategy for combat against cyber crime 2019-2023. The ITU notes, however, that “while innovative, internet-based e-commerce is expected to bring significant growth and development, obsolete legislation and a lack of harmonisation with EU standards and best practice persist, hampering progress”. As the country becomes increasingly more digitalised, the challenge for Serbian cyber diplomacy will be to develop and enhance avenues of European, regional, and international cooperation.
At the first substantive session of the 2021-2025 UNGGE, recalling its status as a potential candidate of the EU, Bosnia and Herzegovina aligned itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] Nevertheless, it has consistently refrained from aligning itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29.
At the first substantive session of the 2021-2025 UN Group of Governmental exports (UNGGE), Albania aligned itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] Albania has also consistently aligned itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29. A 2015 policy paper notes that cybersecurity will only be “efficient” if it is “based on the fundamental human rights and freedoms, pursuant to the Charter of Fundamental Rights of the European Union and the universal values of the EU”. In the same vein, the 2020-2025 National Cybersecurity Strategy includes “improving the legal framework providing norms and regulating cybersecurity in the country, and aligning this framework with European Union directives and regulation” as a stated objective.
The country has not assumed a firm stance on the application of international law in cyberspace. Serbia’s position paper concerning the Open-Ended Working Group (OEWG) highlighted that multilateral dialogue on “information security” must occur “with strict respect for the Charter of the United Nations”. Echoing the stance of states such as China, Russia, and Cuba, Serbia also raised the alarm about the “danger of developing offensive ICT and militarising the digital space”.
At the first substantive session of the 2021-2025 UNGGE, Bosnia and Herzegovina aligned itself with the EU’s position that the previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus, form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x]. In 2018, however, it voted in favour of Russian-sponsored resolution A/73/27, which launched the Open-Ended Working Group (OEWG) format.
At the first substantive session of the 2021-2025 UNGGE, Albania aligned itself with the EU’s position that the previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus” form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x]. In 2018, Albania voted against the Russian-sponsored resolution A/73/27, which launched the Open-Ended Working Group (OEWG) format.
Serbia was represented in the 2016-2017 UN Group of Governmental Experts (UNGGE). Despite its EU candidate status, Serbia does not typically vote in alignment with the EU on key cybersecurity resolutions presented before the UN First Committee. Notable examples include UNGA resolution 73/27, which first established the Open-Ended Working Group (OEWG), as well as later resolutions 74/29 and 75/240.
The country has no overarching cybersecurity strategy. Elements of strategic contemplation over cybersecurity can be found within the Criminal Code, which criminalises critical infrastructure damage (including that of information systems) as an act of terrorism. The 2015-2020 Strategy for Prevention and Combating Terrorism reiterates an objective laid out in earlier documents regarding the setup of a dedicated national CERT that will develop and implement monitoring and response mechanisms vis-a-vis the misuse of the Internet for terrorist purposes. Bosnia and Herzegovina has been exploring potential avenues of cooperation with NATO, especially in relation to common solutions to security challenges in the area of cyber defence [x], while Bosnian scientists have also participated in the NATO SPS Programme. Finally, as a member state of the OSCE, Bosnia and Herzegovina is required to implement the OSCE’s 16 Confidence Building Measures (CBMs) as adopted by the OSCE Permanent Council.
In recent years, Albania has significantly expanded its capacity-building activities, modernising both the relevant institutional apparatus and the diplomatic outreach accompanying it. Since 2017, ALCIRT, Albania’s national CSIRT, has been given an expanded mandate and merged with the National Authority for Electronic Certification and Cyber Security (AKCESK). AKCESK is responsible for preparing strategic documents relating to cybersecurity, drafting legislation, collaborating with relevant stakeholders (international organisations, civil society organisations, the private sector) and providing training. [x] Through AKCESK, Albania has signed Memoranda of Understanding (MOU) with several regional national CERTs (Kosovo, North Macedonia, Romania) and is currently negotiating similar MoUs with Serbia, Montenegro, Cyprus, and Slovenia. [x] AKCESK also frequently collaborates with the Council of Europe in relation to incident response and awareness training. [x] As a member of NATO, Albania signed the MoU with the NATO Cyber Incident Response Centre (NCIRC) on enhancing cyber defence in 2013 [x] and has participated in numerous NATO-led training initiatives, including the flagship Cyber Coalition exercise. Meanwhile, increased emphasis has been placed on the protection of critical infrastructure, with a 2015 government paper stating that future actions will be focused on “the protection and resilience capacity of critical infrastructure” and on “encouraging operators that own them to implement a full security architecture (including risk management and emergencies)”. [x] In 2020, Albania adopted its first-ever cybersecurity regulation for the electricity sector, which establishes incident reporting and assessment criteria for electricity operators. [x] This was reportedly only the first of many planned initiatives intended to reduce the country’s cyber vulnerabilities and increase trust in digital services.
Serbia’s legislative framework on cybersecurity is structured upon the 2016 Law on Information Security and its bylaws. The Law ushered in several institutional developments, including the creation of a national CERT in the regulatory agency for electronic communications and postal services (RATEL). The national CERT “monitors the status of incidents on national level, provides early warnings, alerts and announcements, and reacts on incidents by providing the information on affected entities and persons”. [x] It also holds seminars and technical trainings for operators of special importance (critical infrastructure) [x].
Meanwhile, the 2021 Cyber Tesla drill (organised in collaboration with the US state of Ohio) constitutes only one example of Serbia’s increased emphasis on critical infrastructure through the prism of cyber defence; the stated objectives included the “construction of military defence system capacities and the National CERT’s capacities for the protection from high-tech attacks, as well as an enhanced cooperation with relevant government and private sector organisations and academic institutions for the purpose of protection of the IT systems”.
In its UNGGE position paper in 2016, Serbia emphasised the importance of interstate cooperation in “maintaining effective and responsive mechanisms for information exchange, alerts and announcements on cybersecurity incidents”. The paper goes on to posit that “the special focus should be on the protection of critical infrastructure”, especially in the case of transnational attacks. In 2021, Norway donated a platform worth €1.2 million which will “[serve] to hold cyber exercises at the national level enables the real situation of different attack scenarios, and will contribute to capacity building and training of officials in various state institutions”, according to State Secretary of the Ministry of Trade, Tourism and Telecommunications Milos Cvetanovic [x].
Meanwhile, the 2021 Cyber Tesla drill (organised in collaboration with the US state of Ohio) constitutes only one example of Serbia’s increased emphasis on critical infrastructure through the prism of cyber defence; the stated objectives included the “construction of military defence system capacities and the National CERT’s capacities for the protection from high-tech attacks, as well as an enhanced cooperation with relevant government and private sector organisations and academic institutions for the purpose of protection of the IT systems”.
In its UNGGE position paper in 2016, Serbia emphasised the importance of interstate cooperation in “maintaining effective and responsive mechanisms for information exchange, alerts and announcements on cybersecurity incidents”. The paper goes on to posit that “the special focus should be on the protection of critical infrastructure”, especially in the case of transnational attacks. In 2021, Norway donated a platform worth €1.2 million which will “[serve] to hold cyber exercises at the national level enables the real situation of different attack scenarios, and will contribute to capacity building and training of officials in various state institutions”, according to State Secretary of the Ministry of Trade, Tourism and Telecommunications Milos Cvetanovic [x].
Bosnia and Herzegovina is a party to the Budapest Convention on Cybercrime, officially acceding in 2006. As of 2019, however, domestic legislation at the state level had only been partially harmonised with Budapest provisions [x]. The country voted against the Russian-sponsored UN resolution that launched the institutional procedure for a new legal instrument on international cybercrime cooperation. Bosnian law enforcement regularly cooperates with Europol and is due to open negotiations for a cooperation agreement with Eurojust [x].
Albania is a party to the Budapest Convention on Cybercrime, with the Albanian Parliament ratifying the Convention in 2002 [x]. Since then, however, national strategic documents have been acknowledging the incomplete harmonisation of national legislation with Budapest provisions. The most recent five-year National Cybersecurity Strategy states that “legislation in the cybersecurity field should be harmonised with EU legislation, thus creating a complete and codified mechanism to adequately address and resolve issues. Besides, where possible, international internet security mechanisms should be accessed, signed, ratified, and implemented”. The Strategy also places special emphasis on children’s online protection, elevating it into a key priority [x]. Aiming to implement the policy goals listed within the National Cybersecurity Strategy, the Strategy for Investigation of Cybercrime (2021-2025) lays out a number of objectives for law enforcement [x]: (1) extending the cybercrime investigation structure throughout the country and building technological and legal capacity; (2) presenting a prompt and efficient response to cybercrime, raising public awareness, taking legislative initiatives, and building professional capacity; (3) presenting a rapid and professional response to the prevention, prosecution, and investigation of cybercrime against children; and (4) increasing national and international cooperation in the field of cybercrime investigation with strategic partners. Albanian police forces have also collaborated with Europol in coordinated action against cyber fraud and through the launch of the Sell Safe awareness campaign. [x]
The Information Society and Information Security Development Strategy for the period 2021-2026 provides a comprehensive approach to the field of information security, which includes both (a) information security of ICT systems of special importance and security of the Republic of Serbia, and (b) security of citizens and businesses, which is particularly reflected through the fight against cybercrime. Its predecessor, the 2017 Strategy for the Development of Information Security, in turn, indicates the fight against cybercrime as one of the government’s five key priorities.
In light of EU accession negotiations, Serbia has signed and ratified the Council of Europe Convention on Cybercrime (Budapest Convention), including its Additional Protocol on Xenophobia and Racism Committed Through Computer Systems. Nevertheless, the country also voted in favour of UNGA resolution 74/247 calling for an international legal instrument to govern this domain. Domestically, the national legislative framework has been developed in accordance with the Budapest Convention and EU legislation. A High-Tech Crime Unit has recently been established within the special prosecutor’s office, along with three specialised units: crime analysis; terrorism and extremism; and drug prevention, addiction and repression.
Serbia is a member of Interpol, with which the country has discussed ways to enhance cooperation with regard to combatting cybercrime. Serbia is also gradually developing its own bilateral cooperation network, signing a Cooperation Memoranda with India in 2016 [x] and Romania in 2017 [x] as well as receiving assistance from Russian experts [x].
Special thanks to Ms Maja Lakusic for her valuable comments.
In light of EU accession negotiations, Serbia has signed and ratified the Council of Europe Convention on Cybercrime (Budapest Convention), including its Additional Protocol on Xenophobia and Racism Committed Through Computer Systems. Nevertheless, the country also voted in favour of UNGA resolution 74/247 calling for an international legal instrument to govern this domain. Domestically, the national legislative framework has been developed in accordance with the Budapest Convention and EU legislation. A High-Tech Crime Unit has recently been established within the special prosecutor’s office, along with three specialised units: crime analysis; terrorism and extremism; and drug prevention, addiction and repression.
Serbia is a member of Interpol, with which the country has discussed ways to enhance cooperation with regard to combatting cybercrime. Serbia is also gradually developing its own bilateral cooperation network, signing a Cooperation Memoranda with India in 2016 [x] and Romania in 2017 [x] as well as receiving assistance from Russian experts [x].
Special thanks to Ms Maja Lakusic for her valuable comments.
