Cybersecurity

Implementation indicators 

  • Institutions and legislation

    Computer incident response is generally provided by security and defence authorities. Only the computer emergency response team (CERT) of Republika Srpska has been established, supporting security at entity level. There is no cybersecurity
    strategy or legal framework in force, and there are no legal references to critical energy infrastructures. The Guidelines for the development of a cybersecurity framework, designed in 2019 with support from the OSCE, provide a good starting point.

  • Requirements for operators and NRA

    The CERT of Republika Srpska is engaged in the exchange of information on cybersecurity incidents in this entity, and constitutes the sole source of cybersecurity risk-related information in Bosnia and Herzegovina. The energy operators have started implementing cybersecurity standards. Implementation of the Guidelines should provide concrete rules for cybersecurity risk assessment and impose requirements on the energy operators. The cybersecurity competences of the energy
    regulatory authorities need to be upgraded.

State of implementation

Bosnia and Herzegovina is in the early stages of developing a compliant legal framework and institutional cybersecurity environment for the energy sector at state and entity level.
There is no comprehensive cybersecurity strategy or legislation at state level. Some cyber defence aspects are touched upon in the strategies on combating organized crime and terrorism adopted by the Council of Ministers. Guidelines for a strategic cybersecurity framework were developed in 2019 by a multi-stakeholder task force including energy representatives. The Strategy on the establishment of a computer emergency response team (CERT), adopted in 2011, has never been implemented, and there is no CERT responsible for energy covering the whole territory. Computer incident response in general is provided by the defence, security and law enforcement agencies.

The Strategy of 2011 defines critical infrastructure as “information and automated systems of general public relevance”, with no reference to energy. The guidelines of 2019 envisage the development of a legal framework and mechanisms for identification, designation and protection of critical information infrastructure and services, and establishment of a CERT, including the energy sector. The Ministry of Foreign Trade and Economic Relations coordinates a project to develop a roadmap and streamline implementation of Directive 2016/1148/EC (NIS Directive) in energy. The project completion deadline is May 2022.

There are no adopted cybersecurity strategies or compliant laws at entity level. The Law on Information Security of Republika Srpska identifies the entity Ministry as the competent authority. The Computer Emergency Response Team of Republika Srpska has operated within the Agency for Information Society of this entity since 2015, providing computer incident prevention, incident response and general protection of cyberspace. In the Federation of Bosnia and Herzegovina, prevention of cybercrime is provided mainly by the Ministry of Interior.

The independent electricity system operator NOS BIH has started implementing an information security management system and security controls pursuant to the ISO 27001 standard for the purpose of cybersecurity. The development of the corresponding risk assessment
and risk management policies, business continuity plan and disaster recovery plan is scheduled for the end of 2020. The guidelines of 2019 address incident prevention measures and reporting obligations in compliance with the NIS Directive. The CERT of Republika Srpska collects and exchanges information on cybersecurity threats and events with other CSIRTs.

The legal provisions defining the competences of the energy regulators in Bosnia and Herzegovina do not refer to cybersecurity.

It is imperative for Bosnia and Herzegovina to promptly adopt laws and set up mechanisms addressing critical infrastructure and cybersecurity, and to establish a CERT responsible for energy at state level.