ICT system operators of special importance, i.e. companies operating within the activities specified in the Law on Information Security, are obliged to establish and maintain an adequate ICT system, as well as to review the compliance of applied protection measures with the Law on Information Security, and to make a report on the matter.
The operators should fulfil these obligations once per year.
An ICT system is a technological-organizational unit which includes:
(1) electronic communication networks in the sense of the law governing electronic communications,
(2) devices or groups of interconnected devices, such that the device, or at least one device in the group, performs automatic data processing using a computer program,
(3) data that is managed, stored, processed, searched or transmitted using an electronic communications network or devices defined above, for the purpose of their operation, use, protection or maintenance,
(4) organizational structure through which the ICT system is managed,
(5) all types of system and application software and software development tools.
With the latest amendments to the Law on Information Security, all ICT system operators of special importance have the obligation to register in the records kept by the competent Ministry of Trade, Tourism and Telecommunications.
ICT systems of special importance are the systems used:
A) in performing tasks in government bodies:
In practice, business entities face the dilemma of who has the obligation to record ICT systems of special importance.
This system belongs to the authorities, regardless of who installed the system and who is in charge of its maintenance, and the authorities, as Operators of the ICT system, are obliged to record it.
Therefore, in terms of the Law on Information Security, all obligations on this basis apply to system operators, and the Operator can be a legal entity, authority or organizational unit of the authority that uses the ICT system in the performance of its activities.
The Operator, among other things, has an obligation to ensure that persons who use the ICT system, i.e. manage the ICT system, are trained for the jobs they perform and understand their responsibilities. Also, Article 9 of the Law prescribes that the Operator of an ICT system may entrust activities related to the ICT system to third parties (system maintenance, among other things), in which case the Operator is obliged to contractually regulate the relationship with those persons. However, these are only third parties to whom certain activities related to the system are entrusted, not the system operators.
B) for the processing of special types of personal data, in terms of the law governing the protection of personal data:
According to the legal definition, it is necessary for a company to cumulatively meet three conditions:
- to use the ICT system;
- to use this system for data processing - "processing" means any collection, storage, inspection and use of data, among other things;
- that the processing in the ICT system refers to special types of personal data, which are, pursuant to Art. 17 of the Law on Personal Data Protection, the following: racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, as well as processing of genetic data, biometric data for the purpose of unique identification, health or sexual life data, as well as data on sexual orientation of an individual.
If all 3 conditions are met, the system acquires the character of an ICT system of special importance, and on this basis the obligation to record it under Art. 6a of the Law exists.
C) in legal entities and institutions established by the Republic of Serbia, an autonomous province or a unit of local self-government for performing activities.
D) in performing activities of general interest and other activities in the following areas:
- production, transmission and distribution of electricity;
- coal production and processing;
- exploration, production, refining, transport and distribution of oil and trade in oil and oil derivatives;
- exploration, production, processing, transport and distribution of natural and liquefied gas;
- railway, postal, water and air transport;
- health protection;
(4) banking and financial markets:
- affairs of financial institutions;
- keeping a register of data on liabilities of individuals and legal entities to financial institutions;
- management activities, i.e. performing activities related to the functioning of the regulated market;
(5) digital infrastructure:
- exchange of internet traffic;
- management of the national internet domain registry and online naming system (DNS systems);
(6) goods of general interest:
- use, management, protection and improvement of goods of general interest (waters, roads, mineral resources, forests, navigable rivers, lakes, shores, spas, wildlife, protected areas);
(7) information society services:
- information society services;
(8) other areas:
- electronic communications;
- publishing the official gazette of the Republic of Serbia;
- management of nuclear facilities;
- production, trade and transport of weapons and military equipment;
- waste management;
- communal activities;
- production and supply of chemicals;
In accordance with the information published on the website of the Ministry of Trade, Tourism and Telecommunications (https://mtt.gov.rs/evidencijaiktsistema/), registration in the Records kept by the competent Ministry of Trade, Tourism and Telecommunications must be made by 12 May 2020.
The Law on Information Security prescribes that the Operator of an ICT system of special importance, who does not make an entry in the records, shall be fined.
The fine for this misdemeanour is prescribed in the legal range of approx. EUR 400 to EUR 17.000 for the Operator of the ICT system of special importance, and from approx. EUR 40 to EUR 400 for the responsible person at the Operator of the ICT system of special importance.
By Ivana Cvetkovic Diafa, Senior Associate, and Ela Trisic, Associate, Stojkovic Attorneys