This year, the state will not spend 360 thousand euros, which was planned for the work of the Agency for Cyber Security and the protection of national critical information infrastructure, because the Agency, despite the legal obligation, has not been formed to date.
From the Ministry of Public Administration (MPA), the department that runs Marash Dukaj, they told "Vijesti" that this has a negative effect, because in the event of an attack, "prevention, defense and response to incidents would be left to the very entity that was attacked."
They also recalled that they had repeatedly appealed to the Government about the importance of urgently forming the Agency, the Council... and said that, although the law provides for it, this did not happen.
According to the Law on Information Security, which entered into force on December 05, 2024, the Government, at the proposal of the public administration department, adopted a Decision on the establishment of the Cybersecurity Agency, which entered into force about twenty days later.
"The next step was the formation of the Agency's bodies, specifically the Council and the Acting Director of the Agency, who will perform this function until the vacancy for the director is announced within 90 days from the date of election of the Agency's Council, which is announced by the Agency Council in accordance with the Law. It was envisaged that the obligation to establish the Agency's bodies in accordance with the Law would be implemented no later than 60 days from the date of entry into force of the Law," the MPA reminds.
Maraš Dukaj's department, as they said, submitted proposals for the composition of these bodies to the Government at the time, but this has not happened to date.
"The MPA hopes that the Government will form the bodies of the Agency as soon as possible, since the absence of an operational Agency is slowing down the construction of a centralized and coordinated system for protecting state information resources," they said.
The state budget planned to spend 160 thousand for the professional and operational activities of the Cyber Security Agency in the first eight months of this year.
According to a recently published report for the period January-August, not a single euro was spent on that program.
The MPA said that these funds for 2025 are fully sufficient to service the Agency's needs.
"Considering that the Budget Law stipulates that the Cybersecurity Agency, as a state agency, has the status of a separate budgetary unit. Due to the aforementioned reasons for the delay in establishing the Agency, we can safely say that the funds will not be used, and in this regard, the MPA has prepared a budget proposal for the Agency for 2026 and submitted it to the Ministry of Finance for consideration," they told "Vijesti".
The Cyber Security Agency's jurisdiction, according to the Law on Information Security, also includes the protection of critical infrastructure, and part of the critical infrastructure of state administration bodies is the jurisdiction of the MPA and the state administration's CIRT.
The state budget planned to spend 200 thousand euros over eight months for the protection and regulation of the national critical IT infrastructure.
According to a recently published report for the period January-August, not a single euro was spent on that program either.
"Like the answer to the previous question, the expenditure depends on the formation of the Agency's bodies, the Council and the Director, and the funds will certainly not be spent. This is certainly reflected in a negative way, since in the event of an attack on critical infrastructure, prevention, defense and response to incidents would be left to the entity itself that was attacked. The Ministry has repeatedly appealed to the Government on the importance of forming these bodies as soon as possible, and the same was stated at the Information Security Council," the MPA said.
At the same time, as they added, in June, they informed the Government about the challenges that may arise from the failure to establish and put the Agency into operational function.
"Especially taking into account the fulfillment of the indicators from the Reform Agenda - Growth Plan, with the achievement by the end of 2025. Unspent funds are not the result of neglect, but a consequence of the fact that the process of forming the Agency is still ongoing," they said.
As they add, the MPA believes that it is necessary to accelerate this process, so that the planned funds can be put into operation and contribute to strengthening national capacities in the field of cybersecurity.
"MPA is dedicated to fulfilling its obligations under the law and, in this regard, is in the process of developing a List of Critical Infrastructure, which will identify all entities that will be categorized as critical or important in accordance with the law, as well as developing a National Incident Response Plan, which we expect to be adopted by the Government by the end of 2025," they said.
In the summer of 2022, a cyberattack was carried out on the information and communication infrastructure of the Government of Montenegro, and the details of how the attack, which continued to affect the work of some state bodies for years, occurred are still not known to the public.
The MPA recently told Radio Free Europe that if such an attack were to happen again, the country would be better prepared for defense today. However, they are not sure about the consequences if similar attacks were to occur on critical infrastructure such as the airport, the Port of Bar, or the water supply system, as these fall under the jurisdiction of the Cybersecurity Agency.
Bonus video:
