Compare
Compare
An EU candidate country since 2012, Serbia is an important partner in the Western Balkans. The 2020 iteration of the Digital Evolution Scorecard characterised Serbia as a ‘break out’ economy, meaning that despite a relative lack of digital infrastructure the country is rapidly digitalising; internet penetration is one of the highest across the region, standing at 79%. Over the past decade, Serbia’s digital policy has been focused on attracting foreign investment, deepening the digital transformation across the public and private sectors, and promoting economic growth in line with EU targets. These objectives have been operationalised through a series of strategies, notably the Strategy for the Development of Information Security for the period 2017-2020 and the Strategy for combat against cyber crime 2019-2023. The ITU notes, however, that “while innovative, internet-based e-commerce is expected to bring significant growth and development, obsolete legislation and a lack of harmonisation with EU standards and best practice persist, hampering progress”. As the country becomes increasingly more digitalised, the challenge for Serbian cyber diplomacy will be to develop and enhance avenues of European, regional, and international cooperation.
Thanks to its regulatory powers, robust digital economy, and active foreign and security policy, the European Union is one of the key players in cyberspace. The EU strongly promotes the position that international law, and in particular the United Nations (UN) Charter, applies in cyberspace. As a complement to binding international law, the EU endorses the voluntary non-binding norms, rules and principles of responsible State behaviour that have been articulated by the UN Group of Governmental Experts. It also encourages the development and implementation of regional confidence building measures, both in the Organisation for Security and Co-operation in Europe and other regions. On a bilateral level, the EU has established cyber dialogues with strategic partners to reinforce the exchange of good practices, lessons learnt and further the idea of responsible state behaviour in cyberspace.
According to the International Telecommunications Union (ITU), as of 2021, Peru had an internet penetration rate of around 71.1 %. However other indexes place this number in the mid 60’s. Although many improvements were made in the past few years, Peru still possesses low network coverage, especially in rural areas and a relatively low network performance.
The government of Peru has been implementing initiatives to increase connectivity in rural areas, including a national broadband plan and a program to deploy free Wi-Fi hotspots in public spaces, with a year-on-year increase of almost 100 %.
Peru ranked 86 out of 182 countries surveyed in the ITU’s Global Cybersecurity Index in 2020.
The government of Peru has been implementing initiatives to increase connectivity in rural areas, including a national broadband plan and a program to deploy free Wi-Fi hotspots in public spaces, with a year-on-year increase of almost 100 %.
Peru ranked 86 out of 182 countries surveyed in the ITU’s Global Cybersecurity Index in 2020.
The country has not assumed a firm stance on the application of international law in cyberspace. Serbia’s position paper concerning the Open-Ended Working Group (OEWG) highlighted that multilateral dialogue on “information security” must occur “with strict respect for the Charter of the United Nations”. Echoing the stance of states such as China, Russia, and Cuba, Serbia also raised the alarm about the “danger of developing offensive ICT and militarising the digital space”.
Under the auspices of the UN, the EU and its Member States have consistently reaffirmed that a universal cyber security framework can only be grounded in existing international law, including the Charter of the United Nations in its entirety, international humanitarian law, and international human rights law.
Addressing issues as to how existing international law and international humanitarian law, including the principles of humanity, necessity, proportionality and distinction, apply to the use ICTs by States is necessary to increase accountability and transparency. International humanitarian law is fully applicable in cyberspace and this should not be misunderstood as legitimising the use of force between states in the cyber domain. The EU has typically opposed calls for the need to adapt existing international law as a means to develop a new legal instrument for cyber issues. Peru is one of the Latin American countries to have signed and ratified the Council of Europe’s Convention 108+.
The country has also participated in the United Nations Open-ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security. As a matter of fact, after the third substantive session of the OEWG, Peru issued a statement supporting the primacy of the UN Charter and the application of international law in the use of ICTs and in cyberspace, as well as the future establishment of legally binding obligations.
On the other hand, Peru along with Chile and the United States of America, has a divergent view on the notion of cyber attack and the applicability of international law. Peru states that in order for a cyber operation to be considered an attack, it results in direct death, injury or physical harm.
Addressing issues as to how existing international law and international humanitarian law, including the principles of humanity, necessity, proportionality and distinction, apply to the use ICTs by States is necessary to increase accountability and transparency. International humanitarian law is fully applicable in cyberspace and this should not be misunderstood as legitimising the use of force between states in the cyber domain. The EU has typically opposed calls for the need to adapt existing international law as a means to develop a new legal instrument for cyber issues. Peru is one of the Latin American countries to have signed and ratified the Council of Europe’s Convention 108+.
The country has also participated in the United Nations Open-ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security. As a matter of fact, after the third substantive session of the OEWG, Peru issued a statement supporting the primacy of the UN Charter and the application of international law in the use of ICTs and in cyberspace, as well as the future establishment of legally binding obligations.
On the other hand, Peru along with Chile and the United States of America, has a divergent view on the notion of cyber attack and the applicability of international law. Peru states that in order for a cyber operation to be considered an attack, it results in direct death, injury or physical harm.
Serbia was represented in the 2016-2017 UN Group of Governmental Experts (UNGGE). Despite its EU candidate status, Serbia does not typically vote in alignment with the EU on key cybersecurity resolutions presented before the UN First Committee. Notable examples include UNGA resolution 73/27, which first established the Open-Ended Working Group (OEWG), as well as later resolutions 74/29 and 75/240.
Since 2014, the EU’s ambition has been to act as an ‘honest broker’ on multilateral discussions surrounding issues of cyber governance and norms of responsible state behaviour, aiming to ensure the support and partnership of proactive players in the context of the global debate. The EU has long promoted the need for voluntary, non-binding norms. It believes that norms crystallised under the UN GGE process should generally not be revisited and that progress should be made on matters relating to their implementation.
Within the OEWG, the EU advanced a suggestion to develop a global repository of existing practice within the United Nations, which would enable UN member states to showcase how they are implementing the voluntary norms of responsible state behaviour, confidence building and other measures. Peru stresses the need to make a distinction between 'cyber attacks' (which involve 'damage being caused to a militarily relevant target, which may be totally or partially destroyed, even captured or neutralised') and an 'abrupt disruption of communications in cyberspace', i.e. cyber operations that cause inconvenience, even extreme inconvenience, but not direct injury or death, or destruction of property. Accordingly, Peru emphasises the determination of the legality of cyber operations in the context of the use of force by taking into account whether they may result in death or injury to persons or property.
Peru has noted the difficulty of attribution in cyberspace. Coinciding with other American states, Peru has focused on the state's duty to ensure that its territory is not used by non-state actors to launch attacks. In this regard, Peru states that the inertia of a state towards a non-state actor that could unleash a cyber-attack on another state and that it was in a position to control could make its behaviour attributable to the state.
In any case, Peru highlights the validity of various human rights in cyberspace, including 'the right to privacy and intimacy, freedom of information, freedom of expression, free and equal access to information, bridging the digital divide, intellectual property rights, free flow of information, the right to secrecy of communications'.
Within the OEWG, the EU advanced a suggestion to develop a global repository of existing practice within the United Nations, which would enable UN member states to showcase how they are implementing the voluntary norms of responsible state behaviour, confidence building and other measures. Peru stresses the need to make a distinction between 'cyber attacks' (which involve 'damage being caused to a militarily relevant target, which may be totally or partially destroyed, even captured or neutralised') and an 'abrupt disruption of communications in cyberspace', i.e. cyber operations that cause inconvenience, even extreme inconvenience, but not direct injury or death, or destruction of property. Accordingly, Peru emphasises the determination of the legality of cyber operations in the context of the use of force by taking into account whether they may result in death or injury to persons or property.
Peru has noted the difficulty of attribution in cyberspace. Coinciding with other American states, Peru has focused on the state's duty to ensure that its territory is not used by non-state actors to launch attacks. In this regard, Peru states that the inertia of a state towards a non-state actor that could unleash a cyber-attack on another state and that it was in a position to control could make its behaviour attributable to the state.
In any case, Peru highlights the validity of various human rights in cyberspace, including 'the right to privacy and intimacy, freedom of information, freedom of expression, free and equal access to information, bridging the digital divide, intellectual property rights, free flow of information, the right to secrecy of communications'.
Serbia’s legislative framework on cybersecurity is structured upon the 2016 Law on Information Security and its bylaws. The Law ushered in several institutional developments, including the creation of a national CERT in the regulatory agency for electronic communications and postal services (RATEL). The national CERT “monitors the status of incidents on national level, provides early warnings, alerts and announcements, and reacts on incidents by providing the information on affected entities and persons”. [x] It also holds seminars and technical trainings for operators of special importance (critical infrastructure) [x].
Meanwhile, the 2021 Cyber Tesla drill (organised in collaboration with the US state of Ohio) constitutes only one example of Serbia’s increased emphasis on critical infrastructure through the prism of cyber defence; the stated objectives included the “construction of military defence system capacities and the National CERT’s capacities for the protection from high-tech attacks, as well as an enhanced cooperation with relevant government and private sector organisations and academic institutions for the purpose of protection of the IT systems”.
In its UNGGE position paper in 2016, Serbia emphasised the importance of interstate cooperation in “maintaining effective and responsive mechanisms for information exchange, alerts and announcements on cybersecurity incidents”. The paper goes on to posit that “the special focus should be on the protection of critical infrastructure”, especially in the case of transnational attacks. In 2021, Norway donated a platform worth €1.2 million which will “[serve] to hold cyber exercises at the national level enables the real situation of different attack scenarios, and will contribute to capacity building and training of officials in various state institutions”, according to State Secretary of the Ministry of Trade, Tourism and Telecommunications Milos Cvetanovic [x]. The EU places great importance on cyber resilience and capacity building. Internally, the Union has built a robust legal acquis in relation to the resilience of critical infrastructures, the cornerstone of which rests upon the 2016 Network and Information Security (NIS) Directive and the 2013 and 2019 Cybersecurity Acts. This legal meshwork seeks to integrate cybersecurity into all elements of the supply chain and introduce soft law mechanisms like the EU cybersecurity certification scheme. In doing so, it harmonises national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU.
In the coming months, the Commission intends to add upon the existing cyber-acquis by introducing an array of new initiatives, such as the updated NIS Directive (the so-called NIS2), a proposal on a Critical Entities Resilience (CER) Directive, and a plan to launch a network of Security Operations Centres across the Union. The aim is to create a Union-wide ‘cybersecurity shield’ that will facilitate the detection of cyberattacks and provide an impetus for proactive action.
This internal buildup of capabilities is supplemented by the development of a specialised ‘cyber diplomacy toolbox’ that allows the Union and its Member States to address cyber incidents through various joint policies, from cooperation and stabilisation measures to restrictive measures and attribution. The Personal Data Protection Law N° 29733 (PDPL) was enacted in June 2011. In March 2013, the Supreme Decree N° 003-2013-JUS-Regulation of the PDLP (Regulation) was published in order to develop, clarify and expand on the requirements of the PDPL and set forth specific rules, terms and provisions regarding data protection.
Together, the PDLP and its Regulation are the primary data protection laws in Peru.
As of 2021, Peru approved the Bill that creates the National Authority for Transparency, Access to Public Information and Protection of Personal Data.
Peru possesses a Digital Trust Framework, as a means to establish certain obligations for public or private entities acting as digital service providers. These include reporting when a digital security incident involving personal data occurs, as well as implementing technical, organisational, and legal security measures to guarantee the confidentiality of information transmitted through its communications services.
Over the last decades, the Peruvian state has made efforts to promote digital transformation, both within its institutions and in the services it offers to citizens and has outlined a Digital Agenda in 2021 for Digital Transformation.
Meanwhile, the 2021 Cyber Tesla drill (organised in collaboration with the US state of Ohio) constitutes only one example of Serbia’s increased emphasis on critical infrastructure through the prism of cyber defence; the stated objectives included the “construction of military defence system capacities and the National CERT’s capacities for the protection from high-tech attacks, as well as an enhanced cooperation with relevant government and private sector organisations and academic institutions for the purpose of protection of the IT systems”.
In its UNGGE position paper in 2016, Serbia emphasised the importance of interstate cooperation in “maintaining effective and responsive mechanisms for information exchange, alerts and announcements on cybersecurity incidents”. The paper goes on to posit that “the special focus should be on the protection of critical infrastructure”, especially in the case of transnational attacks. In 2021, Norway donated a platform worth €1.2 million which will “[serve] to hold cyber exercises at the national level enables the real situation of different attack scenarios, and will contribute to capacity building and training of officials in various state institutions”, according to State Secretary of the Ministry of Trade, Tourism and Telecommunications Milos Cvetanovic [x]. The EU places great importance on cyber resilience and capacity building. Internally, the Union has built a robust legal acquis in relation to the resilience of critical infrastructures, the cornerstone of which rests upon the 2016 Network and Information Security (NIS) Directive and the 2013 and 2019 Cybersecurity Acts. This legal meshwork seeks to integrate cybersecurity into all elements of the supply chain and introduce soft law mechanisms like the EU cybersecurity certification scheme. In doing so, it harmonises national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU.
In the coming months, the Commission intends to add upon the existing cyber-acquis by introducing an array of new initiatives, such as the updated NIS Directive (the so-called NIS2), a proposal on a Critical Entities Resilience (CER) Directive, and a plan to launch a network of Security Operations Centres across the Union. The aim is to create a Union-wide ‘cybersecurity shield’ that will facilitate the detection of cyberattacks and provide an impetus for proactive action.
This internal buildup of capabilities is supplemented by the development of a specialised ‘cyber diplomacy toolbox’ that allows the Union and its Member States to address cyber incidents through various joint policies, from cooperation and stabilisation measures to restrictive measures and attribution. The Personal Data Protection Law N° 29733 (PDPL) was enacted in June 2011. In March 2013, the Supreme Decree N° 003-2013-JUS-Regulation of the PDLP (Regulation) was published in order to develop, clarify and expand on the requirements of the PDPL and set forth specific rules, terms and provisions regarding data protection.
Together, the PDLP and its Regulation are the primary data protection laws in Peru.
As of 2021, Peru approved the Bill that creates the National Authority for Transparency, Access to Public Information and Protection of Personal Data.
Peru possesses a Digital Trust Framework, as a means to establish certain obligations for public or private entities acting as digital service providers. These include reporting when a digital security incident involving personal data occurs, as well as implementing technical, organisational, and legal security measures to guarantee the confidentiality of information transmitted through its communications services.
Over the last decades, the Peruvian state has made efforts to promote digital transformation, both within its institutions and in the services it offers to citizens and has outlined a Digital Agenda in 2021 for Digital Transformation.
The Information Society and Information Security Development Strategy for the period 2021-2026 provides a comprehensive approach to the field of information security, which includes both (a) information security of ICT systems of special importance and security of the Republic of Serbia, and (b) security of citizens and businesses, which is particularly reflected through the fight against cybercrime. Its predecessor, the 2017 Strategy for the Development of Information Security, in turn, indicates the fight against cybercrime as one of the government’s five key priorities.
In light of EU accession negotiations, Serbia has signed and ratified the Council of Europe Convention on Cybercrime (Budapest Convention), including its Additional Protocol on Xenophobia and Racism Committed Through Computer Systems. Nevertheless, the country also voted in favour of UNGA resolution 74/247 calling for an international legal instrument to govern this domain. Domestically, the national legislative framework has been developed in accordance with the Budapest Convention and EU legislation. A High-Tech Crime Unit has recently been established within the special prosecutor’s office, along with three specialised units: crime analysis; terrorism and extremism; and drug prevention, addiction and repression.
Serbia is a member of Interpol, with which the country has discussed ways to enhance cooperation with regard to combatting cybercrime. Serbia is also gradually developing its own bilateral cooperation network, signing a Cooperation Memoranda with India in 2016 [x] and Romania in 2017 [x] as well as receiving assistance from Russian experts [x].
Special thanks to Ms Maja Lakusic for her valuable comments. The EU has been an early champion of the Budapest Convention signed under the auspices of the Council of Europe, given the overlapping membership of the two organisations. Much of the EU’s cyber diplomatic efforts have focused on promoting the Convention as the main instrument of choice for fighting cybercrime on a global level. EU member states have consistently opposed Russian bids for replacing this regime with another legal framework.
The Union is represented in the recently constituted Ad Hoc Committee established by UNGA resolution 74/247 by its Member States and is currently focused on ensuring that the process is inclusive, transparent, consistent with the progress of the UNGGE and OEWG processes, and committed to legal consistency. Peru’s signature and ratification of the Budapest Convention on Cybercrime, which is the only binding international instrument dealing with cybercrime, was a great step towards advancing a cyber agenda.
In 2019, Peru passed a Cyber Defence Act, with the objectives of defending and protecting sovereignty, national interests, critical national assets and key resources to maintain national capabilities against threats or attacks in and through cyberspace, when these affect national security.Peru has also passed a Cybersecurity Framework for the private sector, with the objective of identifying and protecting information assets, detecting security events, and providing for response and recovery from cybersecurity incidents.
In this context, there are more and more reports of cybercrime in the country. According to data from the Public Prosecutor's Office, in 2021 they received 18,596 reports of cybercrime cases, which represents a percentage increase of 92.9% compared to 2020, with phishing and ransomware being the most common attacks.
In light of EU accession negotiations, Serbia has signed and ratified the Council of Europe Convention on Cybercrime (Budapest Convention), including its Additional Protocol on Xenophobia and Racism Committed Through Computer Systems. Nevertheless, the country also voted in favour of UNGA resolution 74/247 calling for an international legal instrument to govern this domain. Domestically, the national legislative framework has been developed in accordance with the Budapest Convention and EU legislation. A High-Tech Crime Unit has recently been established within the special prosecutor’s office, along with three specialised units: crime analysis; terrorism and extremism; and drug prevention, addiction and repression.
Serbia is a member of Interpol, with which the country has discussed ways to enhance cooperation with regard to combatting cybercrime. Serbia is also gradually developing its own bilateral cooperation network, signing a Cooperation Memoranda with India in 2016 [x] and Romania in 2017 [x] as well as receiving assistance from Russian experts [x].
Special thanks to Ms Maja Lakusic for her valuable comments. The EU has been an early champion of the Budapest Convention signed under the auspices of the Council of Europe, given the overlapping membership of the two organisations. Much of the EU’s cyber diplomatic efforts have focused on promoting the Convention as the main instrument of choice for fighting cybercrime on a global level. EU member states have consistently opposed Russian bids for replacing this regime with another legal framework.
The Union is represented in the recently constituted Ad Hoc Committee established by UNGA resolution 74/247 by its Member States and is currently focused on ensuring that the process is inclusive, transparent, consistent with the progress of the UNGGE and OEWG processes, and committed to legal consistency. Peru’s signature and ratification of the Budapest Convention on Cybercrime, which is the only binding international instrument dealing with cybercrime, was a great step towards advancing a cyber agenda.
In 2019, Peru passed a Cyber Defence Act, with the objectives of defending and protecting sovereignty, national interests, critical national assets and key resources to maintain national capabilities against threats or attacks in and through cyberspace, when these affect national security.Peru has also passed a Cybersecurity Framework for the private sector, with the objective of identifying and protecting information assets, detecting security events, and providing for response and recovery from cybersecurity incidents.
In this context, there are more and more reports of cybercrime in the country. According to data from the Public Prosecutor's Office, in 2021 they received 18,596 reports of cybercrime cases, which represents a percentage increase of 92.9% compared to 2020, with phishing and ransomware being the most common attacks.
