Compare
Compare
In October 2021, North Macedonia became one of the first countries among the Western Balkans partners to issue a digital ID to its citizens [x]; the deployment of the digital identity project is only indicative of the country’s turn towards digitalisation and e-government. With a total population of about 2.08 million, Internet penetration in North Macedonia stands at 84%, while data shows that there are about 2.25 million cellular mobile connections. [x] The rapid drive towards digitalisation, but also its accompanying risks and vulnerabilities, are accounted for by the 2022 Cybersecurity Strategy, the country’s first comprehensive cybersecurity strategy. The document largely reflects the country’s European ambitions and is explicitly based on the “principles of the Cybersecurity Strategy of the European Union and the NATO Cyber Defence Pledge”.
An EU candidate country since 2012, Serbia is an important partner in the Western Balkans. The 2020 iteration of the Digital Evolution Scorecard characterised Serbia as a ‘break out’ economy, meaning that despite a relative lack of digital infrastructure the country is rapidly digitalising; internet penetration is one of the highest across the region, standing at 79%. Over the past decade, Serbia’s digital policy has been focused on attracting foreign investment, deepening the digital transformation across the public and private sectors, and promoting economic growth in line with EU targets. These objectives have been operationalised through a series of strategies, notably the Strategy for the Development of Information Security for the period 2017-2020 and the Strategy for combat against cyber crime 2019-2023. The ITU notes, however, that “while innovative, internet-based e-commerce is expected to bring significant growth and development, obsolete legislation and a lack of harmonisation with EU standards and best practice persist, hampering progress”. As the country becomes increasingly more digitalised, the challenge for Serbian cyber diplomacy will be to develop and enhance avenues of European, regional, and international cooperation.
Internet penetration in Montenegro stands at 83%, while analysis indicates that internet usage increased by 10,000 users (+2%) from 2021 to 2022. [x] As an EU candidate country, Montenegro has strived to align itself with the EU’s cyber priorities and recent strategic documents like the 2018-2021 Cybersecurity Strategy and its 2013-2017 predecessor represent a firm indication of this ambition. In the past five years, however, the Montenegrin government and media outlets have increasingly seen themselves sitting at the bullseye of numerous malicious cyberattacks, suggesting “synchronised action” on the part of several state and non-state actors. [x] A 2022 digital maturity assessment commissioned by the European Bank for Reconstruction and Development and conducted by e-Governance Academy found Montenegro to have only a “basic” level of digital maturity in seven dimensions, including “financing digitalisation, level of digital skill, and access to services”. The same assessment found that the “right conditions” had been generated for the purposes of digitalisation, but implementation fell short. These conditions included “political will and support, the legal framework, digital infrastructure and interoperability, digital identity/signature and security”. Montenegrin policymakers now perceive an increased need to transform their stated strategic goals into concrete action.
At the first substantive session of the 2021-2025 UNGGE, recalling its candidate status, North Macedonia aligned itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] North Macedonia has also consistently aligned itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29.
The country has not assumed a firm stance on the application of international law in cyberspace. Serbia’s position paper concerning the Open-Ended Working Group (OEWG) highlighted that multilateral dialogue on “information security” must occur “with strict respect for the Charter of the United Nations”. Echoing the stance of states such as China, Russia, and Cuba, Serbia also raised the alarm about the “danger of developing offensive ICT and militarising the digital space”.
Recalling its EU candidate status, the first substantive session of the 2021-2025 UN Group of Governmental exports (UNGGE) saw Montenegro aligning itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] Montenegro has also consistently aligned itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29.
At the first substantive session of the 2021-2025 UNGGE, North Macedonia aligned itself with the EU’s position that the previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus, form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x]. North Macedonia was also the only EU candidate country to have co-sponsored the 2020 Programme of Action (PoA), which explored the possibility of ending the dual-track discussions (UNGGE/OEWG) in favour of a permanent UN forum.
Serbia was represented in the 2016-2017 UN Group of Governmental Experts (UNGGE). Despite its EU candidate status, Serbia does not typically vote in alignment with the EU on key cybersecurity resolutions presented before the UN First Committee. Notable examples include UNGA resolution 73/27, which first established the Open-Ended Working Group (OEWG), as well as later resolutions 74/29 and 75/240.
At the first substantive session of the 2021-2025 UNGGE, Montenegro aligned itself with the EU’s position that the “previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus” form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x].
The 2018-2022 Cybersecurity Strategy dedicates a full section to cyber resilience and the protection of ICT infrastructure. The stated objectives include expanding the capabilities of the national CERT (MKD-CIRT), identifying types of critical infrastructure, developing national procedures for cyber crisis management, developing incident reporting and monitoring mechanisms, and establishing a single and comprehensive legal framework for cyber resilience. In 2021, upon joining NATO, North Macedonia signed a Memorandum of Understanding aiming at enhancing cyber defence cooperation between NATO and the country’s defence authorities; the MoU particularly focuses on information-sharing, exchanging best practices, and increasing resilience. [x]
Serbia’s legislative framework on cybersecurity is structured upon the 2016 Law on Information Security and its bylaws. The Law ushered in several institutional developments, including the creation of a national CERT in the regulatory agency for electronic communications and postal services (RATEL). The national CERT “monitors the status of incidents on national level, provides early warnings, alerts and announcements, and reacts on incidents by providing the information on affected entities and persons”. [x] It also holds seminars and technical trainings for operators of special importance (critical infrastructure) [x].
Meanwhile, the 2021 Cyber Tesla drill (organised in collaboration with the US state of Ohio) constitutes only one example of Serbia’s increased emphasis on critical infrastructure through the prism of cyber defence; the stated objectives included the “construction of military defence system capacities and the National CERT’s capacities for the protection from high-tech attacks, as well as an enhanced cooperation with relevant government and private sector organisations and academic institutions for the purpose of protection of the IT systems”.
In its UNGGE position paper in 2016, Serbia emphasised the importance of interstate cooperation in “maintaining effective and responsive mechanisms for information exchange, alerts and announcements on cybersecurity incidents”. The paper goes on to posit that “the special focus should be on the protection of critical infrastructure”, especially in the case of transnational attacks. In 2021, Norway donated a platform worth €1.2 million which will “[serve] to hold cyber exercises at the national level enables the real situation of different attack scenarios, and will contribute to capacity building and training of officials in various state institutions”, according to State Secretary of the Ministry of Trade, Tourism and Telecommunications Milos Cvetanovic [x]. The new Cybersecurity Strategy 2022-2026 aims to improve effective mechanism for responding to cyber incidents and response to cybercrime. The new strategy recognises the establishment of a new body Cyber Security Agency which will be umbrella institution when it comes to cyber security. The CIRT team will be transferred to the new Agency. The 2018-2021 Cybersecurity Strategy explicitly establishes a “reliance” on European and Euro-Atlantic conceptualisations of cybersecurity and resilience. The Strategy points to the EU’s 2016 NIS Directive as the primary source of inspiration, notably in its requirements for the adoption of a national cybersecurity strategy, the definition of relevant authorities, and the creation of a Computer Incident Response Team (CIRT). Indeed, since 2012, the Montenegrin CIRT represents “a central point for coordinating prevention and protection against computer security incidents on the Internet and other IT security risk for the area of Montenegro”. The Strategy also features a dedicated section on cyber defence, highlighting the country’s alignment with NATO targets (E 6202 N). In expanding cyber defence capabilities, the document notes that “special attention will be paid to harmonisation with regard to the standardisation of concepts, methods, policies, and procedures in line with the accepted European and international standards”. It also pledges the country to a set of goals: (1) definition and protection of critical information infrastructure; (2) strengthening the resilience of information systems to incidents; and (3) performing analysis of threats to IT infrastructure. Montenegro completed a bilateral ICT cooperation agreement with Thailand in 2013, while it is also a member of the CAMP initiative, the platform where members “prepare themselves with collective actions to keep cyberspace safe” through training, joint exercises, and dialogues.
Meanwhile, the 2021 Cyber Tesla drill (organised in collaboration with the US state of Ohio) constitutes only one example of Serbia’s increased emphasis on critical infrastructure through the prism of cyber defence; the stated objectives included the “construction of military defence system capacities and the National CERT’s capacities for the protection from high-tech attacks, as well as an enhanced cooperation with relevant government and private sector organisations and academic institutions for the purpose of protection of the IT systems”.
In its UNGGE position paper in 2016, Serbia emphasised the importance of interstate cooperation in “maintaining effective and responsive mechanisms for information exchange, alerts and announcements on cybersecurity incidents”. The paper goes on to posit that “the special focus should be on the protection of critical infrastructure”, especially in the case of transnational attacks. In 2021, Norway donated a platform worth €1.2 million which will “[serve] to hold cyber exercises at the national level enables the real situation of different attack scenarios, and will contribute to capacity building and training of officials in various state institutions”, according to State Secretary of the Ministry of Trade, Tourism and Telecommunications Milos Cvetanovic [x]. The new Cybersecurity Strategy 2022-2026 aims to improve effective mechanism for responding to cyber incidents and response to cybercrime. The new strategy recognises the establishment of a new body Cyber Security Agency which will be umbrella institution when it comes to cyber security. The CIRT team will be transferred to the new Agency. The 2018-2021 Cybersecurity Strategy explicitly establishes a “reliance” on European and Euro-Atlantic conceptualisations of cybersecurity and resilience. The Strategy points to the EU’s 2016 NIS Directive as the primary source of inspiration, notably in its requirements for the adoption of a national cybersecurity strategy, the definition of relevant authorities, and the creation of a Computer Incident Response Team (CIRT). Indeed, since 2012, the Montenegrin CIRT represents “a central point for coordinating prevention and protection against computer security incidents on the Internet and other IT security risk for the area of Montenegro”. The Strategy also features a dedicated section on cyber defence, highlighting the country’s alignment with NATO targets (E 6202 N). In expanding cyber defence capabilities, the document notes that “special attention will be paid to harmonisation with regard to the standardisation of concepts, methods, policies, and procedures in line with the accepted European and international standards”. It also pledges the country to a set of goals: (1) definition and protection of critical information infrastructure; (2) strengthening the resilience of information systems to incidents; and (3) performing analysis of threats to IT infrastructure. Montenegro completed a bilateral ICT cooperation agreement with Thailand in 2013, while it is also a member of the CAMP initiative, the platform where members “prepare themselves with collective actions to keep cyberspace safe” through training, joint exercises, and dialogues.
North Macedonia has ratified the Budapest Convention and its Additional Protocol [x]. Nevertheless, full harmonisation of the Macedonian legal regime with Budapest provisions is still a primary issue. In terms of institutional setup, analysis has pointed out that North Macedonia is lagging behind compared to other countries in the Western Balkans [x]. That said, the 2018-2022 Cybersecurity Strategy identifies several priorities regarding the “prevention, research, and adequate response” to cybercrime. These include: harmonising the national with international policies; developing a single, comprehensive legal framework for cybercrime; modernising authorities in charge of cybercrime; establishing formal procedures of information exchange; participating actively in the creation of international cybercrime regulations and standards, as well as their implementation on a national level; and providing continuous education and training for law enforcement entities in the field of cybersecurity, cybercrime, and electronic evidence. The country’s law enforcement authorities regularly cooperate with Europol, following the conclusion of a strategic agreement in 2007 and an operational agreement in 2011. [x]
The Information Society and Information Security Development Strategy for the period 2021-2026 provides a comprehensive approach to the field of information security, which includes both (a) information security of ICT systems of special importance and security of the Republic of Serbia, and (b) security of citizens and businesses, which is particularly reflected through the fight against cybercrime. Its predecessor, the 2017 Strategy for the Development of Information Security, in turn, indicates the fight against cybercrime as one of the government’s five key priorities.
In light of EU accession negotiations, Serbia has signed and ratified the Council of Europe Convention on Cybercrime (Budapest Convention), including its Additional Protocol on Xenophobia and Racism Committed Through Computer Systems. Nevertheless, the country also voted in favour of UNGA resolution 74/247 calling for an international legal instrument to govern this domain. Domestically, the national legislative framework has been developed in accordance with the Budapest Convention and EU legislation. A High-Tech Crime Unit has recently been established within the special prosecutor’s office, along with three specialised units: crime analysis; terrorism and extremism; and drug prevention, addiction and repression.
Serbia is a member of Interpol, with which the country has discussed ways to enhance cooperation with regard to combatting cybercrime. Serbia is also gradually developing its own bilateral cooperation network, signing a Cooperation Memoranda with India in 2016 [x] and Romania in 2017 [x] as well as receiving assistance from Russian experts [x].
Special thanks to Ms Maja Lakusic for her valuable comments. Montenegro is a party to the Council of Europe-sponsored Budapest Convention, ratifying it in 2010. In February 2013, Montenegro signed the regional Declaration on Strategic Priorities against Cybercrime, which “identified strategic priorities” that largely reflect the spirit and content of the Budapest provisions. [x] The 2018-2021 Strategy lists several developments that have contributed towards strengthening the capabilities of law enforcement authorities in dealing with cybercrime: these include the establishment of a dedicated High-Tech Crime Group within the Ministry of Interior, while the National Security Agency is making “significant efforts aimed at creating normative and operational mechanisms for fighting against cybercrime and espionage”. [x]
Many thanks to Ms Ana Minevski for her valuable comments.
In light of EU accession negotiations, Serbia has signed and ratified the Council of Europe Convention on Cybercrime (Budapest Convention), including its Additional Protocol on Xenophobia and Racism Committed Through Computer Systems. Nevertheless, the country also voted in favour of UNGA resolution 74/247 calling for an international legal instrument to govern this domain. Domestically, the national legislative framework has been developed in accordance with the Budapest Convention and EU legislation. A High-Tech Crime Unit has recently been established within the special prosecutor’s office, along with three specialised units: crime analysis; terrorism and extremism; and drug prevention, addiction and repression.
Serbia is a member of Interpol, with which the country has discussed ways to enhance cooperation with regard to combatting cybercrime. Serbia is also gradually developing its own bilateral cooperation network, signing a Cooperation Memoranda with India in 2016 [x] and Romania in 2017 [x] as well as receiving assistance from Russian experts [x].
Special thanks to Ms Maja Lakusic for her valuable comments. Montenegro is a party to the Council of Europe-sponsored Budapest Convention, ratifying it in 2010. In February 2013, Montenegro signed the regional Declaration on Strategic Priorities against Cybercrime, which “identified strategic priorities” that largely reflect the spirit and content of the Budapest provisions. [x] The 2018-2021 Strategy lists several developments that have contributed towards strengthening the capabilities of law enforcement authorities in dealing with cybercrime: these include the establishment of a dedicated High-Tech Crime Group within the Ministry of Interior, while the National Security Agency is making “significant efforts aimed at creating normative and operational mechanisms for fighting against cybercrime and espionage”. [x]
Many thanks to Ms Ana Minevski for her valuable comments.
