Law No. 25/2024 “On Cybersecurity”

The law will affect all public and private entities that operate critical or important information infrastructures, as defined in the Annexes I and II of it, such as energy, transport, banking, health, digital infrastructure, etc..

According to the Law, the main obligation of the operators shall be as follows (the below listing is indicative and not exhaustive) :

• register your critical or important information infrastructures with the National Authority for Cybersecurity (the Authority), which is the main regulator and supervisor of cybersecurity in the country; 

• establish a Computer Security Incident Response Team (CSIRT) within your organization, as well as a contact point for communication with the Authority and other CSIRTs;

• implement technical, organizational and operational measures for risk management, based on the content and documentation requirements set by the Council of Ministers;

• report any significant or substantial cybersecurity incident to the Authority and the relevant CSIRTs, as well as inform the public and the users if the incident affects them;

• cooperate with the Authority and other operators in the exchange of information and best practices on cybersecurity threats, vulnerabilities, incidents and solutions.

The law also empowers the Authority, which is a public legal entity under the Prime Minister, to supervise and enforce the cybersecurity legislation, to identify and classify the critical and important information infrastructures, to act as the National CSIRT and the Cyber Emergency Response Team (CERT), to coordinate and cooperate with other national and international institutions in the field of cybersecurity, and to impose administrative fines for breaches of the law.

Failure to comply with the Law may result in administrative fines ranging from 200,000 to 10,000,000 Albanian Lek, depending on the type and severity of the violation. The law also provides for criminal sanctions for certain acts that endanger the security of networks and information systems, such as unauthorized access, interception, interference, damage or destruction. 

The Law came into force 15 days following its publication in the Official Gazette on 18 April 2024. Operators are now required to harmonize their activities with its provisions within a 24-month period.

We advise our clients, that within the above noted period, to review their current policies and practices regarding cybersecurity, to assess if they are subject to this law, their compliance with the new law and to take the necessary steps to ensure a smooth transition and harmonization. Our Legal Department is available to assist you with any questions or concerns you may have regarding the new legal framework and its implications for your business.

Official Gazette of the Republic of Albania

Disclaimer:

It is important to note that the content is for informational purposes only. It should not be considered legal advice or a replacement for personalized legal guidance. Readers are advised to consult professional legal counsel before taking any actions based on the information provided.

Should you require further clarification or wish to discuss any matters in depth, please feel free to reach out to us at: al_pwc_albania@pwc.com.

We are committed to providing you with the assistance you need to navigate the complexities of new legislation requirements with confidence.