MVJ Marković Vukotić Jovković Law Firm

AI and Cybersecurity in Serbia: From Technical Risk to Board-Level Governance

24 Jun, 2026

MVJ attended the AHK Cyber & Digital Risk Conference 2026 — Leadership, Governance & Resilience, organised by the German-Serbian Chamber of Commerce and held on 2 June 2026 at Sava Centar in Belgrade.

The conference addressed issues that now require attention well beyond IT departments, including cyber risk and security, regulatory frameworks, the responsible implementation of artificial intelligence and digital resilience. These topics are increasingly relevant for executive management, legal and compliance teams, risk functions, operations and all stakeholders responsible for business continuity and organisational resilience.

A clear message emerged from the conference: cybersecurity and AI are no longer purely technical issues. They are becoming legal, regulatory and strategic business matters, requiring structured governance, internal procedures and board-level attention.

Cybersecurity is moving up the legal and governance agenda

Cybersecurity in Serbia is no longer viewed solely as an IT function. Regulatory requirements are expanding, compliance is becoming more complex and companies are investing significant resources in prevention, monitoring and internal protection systems.

Larger companies in Serbia have already made substantial investments in cybersecurity infrastructure, in some cases reportedly reaching or exceeding EUR 10 million in total. This underlines that cybersecurity is becoming a material business risk, not only a technical or operational issue.

This trend is expected to continue in the coming years. Compliance obligations and preventive measures are likely to extend increasingly beyond large companies and become relevant for small and medium-sized enterprises as well.

The regulatory framework exists, but implementation is still developing

Serbia has established a foundational cybersecurity regulatory framework, meaning that the core infrastructure is already in place, including obligations relating to incident reporting. Larger companies have been progressively aligning their operations with these requirements, moving from initial adjustments towards more structured and comprehensive compliance systems.

However, the regulatory framework is continuing to evolve, with ongoing efforts focused on:

  • advancing the Serbian legal framework towards a more integrated, ecosystem-based approach to cybersecurity;
  • further harmonising the framework with EU regulation;
  • continuing the development of implementation and enforcement procedures by public authorities, alongside broader ecosystem development.

As discussed during the conference, the AI regulatory and compliance landscape is also expected to develop further, particularly in light of the recent formation of a governmental working group tasked with preparing the draft Serbian Law on Artificial Intelligence.

In substance, while the foundational regulatory framework is in place, its implementation is continuing to develop, with clear momentum towards a more mature cybersecurity and digital resilience ecosystem.

Cyber incidents have become a real legal and business risk

Cyber risk has evolved from a theoretical compliance consideration into a material legal and operational exposure for organisations.

In practice, such risks require a structured and comprehensive legal approach, drawing on regulatory and compliance expertise. This typically includes preventive governance measures, clearly defined incident response frameworks, regulatory engagement protocols, and mechanisms for assessing responsibility and potential legal consequences.

A key area of development is the question of management accountability. Organisations are increasingly expected to demonstrate that appropriate preventive systems were in place, that internal procedures were adequate, and that responses to incidents were timely, coordinated and proportionate.

These issues become more complex in environments involving multiple service providers, interconnected systems, external tools and layered contractual arrangements. Cross-border elements further add to this complexity, raising questions of applicable law, jurisdiction and enforceability.

AI is becoming a strategic governance issue for companies

The key challenge for companies is not only regulatory compliance, but also their readiness to manage technological risk.

The use of artificial intelligence, personal data protection, internal document management, employee use of external tools and vendor management are becoming increasingly interconnected. As a result, companies are facing a new set of practical challenges, including:

  • uncertainty as to which business processes can be improved through AI;
  • the absence of clearly defined internal AI policies and procedures;
  • increased exposure to risks arising from employee use of unapproved tools and applications;
  • unclear allocation of responsibility between management, IT teams and external service providers.

The effective use of AI does not simply mean delegating individual tasks to AI tools. It requires an understanding of business processes, internal data flows and the broader commercial context in which a company operates.

AI can also support companies in identifying high-risk suppliers and finding reliable alternatives. However, for AI systems to be useful, they must have access to relevant data. At the same time, that access must be carefully limited, controlled and aligned with data protection rules and the principle of necessity.

The broader conclusion is that AI tools are primarily expected to improve efficiency, quality of work and speed of decision-making. Their role should not be viewed as a replacement for human work, but as a support mechanism for better, faster and more structured business operations.

Key takeaway

Cybersecurity and AI are becoming core governance issues for companies operating in Serbia. The legal framework is developing, enforcement practice is still evolving and companies are increasingly expected to demonstrate that they have adopted adequate internal policies, risk controls and response mechanisms.

For businesses, the focus is moving from isolated technical protection to integrated legal, compliance and management responsibility. In this environment, companies should focus on mapping AI use cases, defining internal ownership, strengthening incident response procedures and ensuring that data access, vendor management and governance controls are properly aligned.

Authors: Dušan Đorđević, Senior Partner; Tea Topalović, Associate.

This article is provided for general information purposes only and does not constitute legal advice. For advice on any specific matter, please contact MVJ.
