Draft Law on Cybersecurity
On April 26, 2023, the Council of Ministers published the draft law “On Cybersecurity” for public consultation; the consultation concluded on May 24, 2023. The draft law is expected to be reviewed and approved in the parliamentary committees and the Parliament of Albania. With the entry into force of this draft law, Law No. 2/2017, “On Cybersecurity,” will be repealed.
The proposed draft law is in full compliance with Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 “concerning measures for a high common level of network and information systems security across the Union” (NIS 1), and is partially aligned with Directive (EU) No. 2022/2555 of the European Parliament and of the Council of 14 December 2022 “on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) No. 2018/1972, and repealing Directive (EU) No. 2016/1148” (NIS2).
The purpose of the draft law is to define the rights and obligations of public and private entities that administer information infrastructure, communication networks and their systems, the violation or destruction of which would have an impact on the health, safety and economic well-being of citizens and on the effective functioning of the economy in the country.
Compared to Law No. 2/2017, “On Cybersecurity,” which is currently in force, this draft law introduces several key innovations:
- Clear structures and responsibilities of entities responsible for cybersecurity are envisaged:
  - The National Cybersecurity Authority (the Authority): oversees and enforces cybersecurity legislation.
  - The National Cybersecurity Incident Response Team (the national CSIRT): is established under the Authority, which interacts with operators of critical and important information infrastructures to ensure the continuity of their operations at all times and without interruption.
  - Sectoral Cybersecurity Incident Response Teams (sectoral CSIRTs): are established within entities that manage critical and important information infrastructures and are responsible for cybersecurity incidents within their respective areas of responsibility.
  - CSIRT within operators of critical and important information infrastructures: performs monitoring, preventive, remedial, and reporting functions for cyber incidents or potential cyber attacks.
  - The Cyber Security Emergency Response Team (CERT) for handling emergency situations and cyber crisis situations: is established as an ad-hoc structure by the Authority in cases of cyber security emergencies and crises.
- Cybersecurity certification is ensured in accordance with the certification schemes of the European Union as well as the related procedures.
- National and international cooperation is increased to strengthen cybersecurity within the country and fulfill international obligations in this field.
- Harmonization with NIS 1 (fully) and NIS 2 (partially).