The Albanian government has opened for consultation a draft law introducing changes to Law No. 25/2024 “On Cybersecurity,” providing for tougher measures to protect digital infrastructure and administrative fines of up to 10 million lek for the most serious violations. The accompanying explanatory report says the aim of these changes is to strengthen the legal and institutional framework in this field, increase protection for critical and important information infrastructures, and improve coordination among the responsible institutions.
The proposed changes also expand the role of the National Cybersecurity Authority (AKSK), granting it additional powers in centralized procurement for training in the field of cybersecurity and in authorizing conformity assessment bodies. The draft law also aims to strengthen the cybersecurity certification system, in line with national and European certification schemes.
One of the new elements of this draft law is the creation of a legal basis allowing operators of critical and important information infrastructures to self-declare their cybersecurity measures. According to the explanatory report, this mechanism will be used as a preliminary instrument for monitoring and assessing operators’ compliance with legal requirements.
The draft law also provides for the obligation to declare the method of hosting and administration of systems, networks and information infrastructures. This framework also includes data on the location of the infrastructure, as well as information on the use of cloud or virtualization services.
Another new requirement concerns the implementation of measures to block, filter, restrict, detect or neutralize indicators of compromise (IOC), indicators of attacks (IOA) and vulnerabilities identified by AKSK, with the aim of increasing protection against cyber threats.
For failure to comply with these obligations, the draft law provides for stiff financial penalties. Failure to implement measures to block or neutralize indicators of attacks may be punished with a fine ranging from 4 million to 10 million lek. Meanwhile, failure to submit the self-declaration of cybersecurity measures within the deadline is set to be punished with a fine of 5 million lek.
Part of the changes are also linked to improving the organization and functioning of sectoral CSIRTs, the structures responsible for managing cybersecurity incidents. The goal is to strengthen coordination between the sectoral and national levels.
The draft law also introduces an institutional innovation with the establishment of the Interinstitutional Cyber Intelligence Group within AKSK. This group will include representatives of the Authority, the Ministry for Europe and Foreign Affairs, the Ministry of Interior, the State Intelligence Service, the General Staff of the Armed Forces and the Defense Intelligence and Security Agency. Its task will be to exchange information on cyber threats and assess their impact on national security, the economy and public services.
According to the explanatory report, the implementation of this draft law will also have costs for the state budget, mainly related to specialized personnel and the operation of the new structures. For the full functioning of sectoral CSIRTs, the financial impact is estimated at 350–450 million lek per year, while for the initial phase during 2026 a cost of 120–150 million lek is projected. These expenses will be covered by the existing budgets of the responsible institutions.
According to the government, these changes are expected to raise the level of protection for critical infrastructures, improve preventive and response capacities against cyberattacks, and strengthen interinstitutional cooperation and information-sharing in the field of cybersecurity.
