The Ministry of Public Administration (MPA) says that more funds should be provided in the 2026 budget to strengthen cybersecurity and digital services in the country, as well as the stable functioning of key institutions in this area.
"The proposed budget for 2026 lacks the financial resources necessary for the development of information infrastructure. All of this may result in us being unable to fulfill certain obligations from the Reform Agenda (2024-2027) of the European Union (EU)," says the Director General of the Directorate for Infrastructure, Information Security, Digitalization and E-Services at the MPA. Dusan Polović za Center for Investigative Journalism of Montenegro (CIN-CG).
There could be a shortage of 2,5 million for next year, of which two million for investments in cybersecurity and infrastructure, and about half a million for the Digital Transformation Program from the Reform Agenda, adds Polović.
The Ministry of Finance proposes a similar amount of funding for cybersecurity year after year, and the needs are growing. The Ministry of Finance did not respond to CIN-CG's questions regarding the 2026 MPA budget.
According to the Law on Information Security, which was adopted in December 2024, the Cybersecurity Agency was supposed to be established no later than the end of March this year. However, this has not yet happened.
The MPA has sent proposals to the Government twice for the appointment of the director and members of the Agency's management board. The first proposal was sent in February, respecting the legal deadlines, and the second in June. The Ministry that manages the Agency's director is the Marash Dukaj suggested Samira Orahovac, a member of the Government's Cybersecurity Incident Response Team (CIRT) of Montenegro.
"We have not yet received feedback from the Government on this proposal," said Polović.
The General Secretariat of the Government of Montenegro did not respond to CIN-CG's questions about the Agency's delay.
MANY KEY INSTITUTIONS ARE UNPROTECTED: AIRPORTS, BAR PORT...
"The urgent establishment of the Agency is a priority, both for the security of the state and its citizens, and for Montenegro's credibility in the European integration process. The planned budget for the Agency has not yet been used, and in the event of a serious cyber attack, each state body is left to its own devices without central support. This is unacceptable, and directly threatens key systems," a cybersecurity expert told CIN-CG. Branko Džakula.
After the adoption of the Law, the CIRT, which had covered cybersecurity in all institutions of Montenegro since 2012, lost its jurisdiction over cybersecurity issues of independent and private entities in Montenegro. According to this Law, the Agency's jurisdiction includes all independent and private entities, while the Government's infrastructure remained under the jurisdiction of the CIRT.
"If someone attacks, for example, the Airports of Montenegro, the Port of Bar or some other important infrastructure system, our hands are tied. CIRT no longer has the authority to act in such cases, so the Cyber Security Agency is key here, and it is not yet functional," Polović points out.
"The delay in establishing and operating the Cybersecurity Agency has serious strategic, institutional, and security implications, as the Agency assumes the responsibilities of expert oversight, proactive scanning, incident management, and inter-institutional coordination," she told CIN-CG. Andreja Mihailović from the organization Women4Cyber.
Without a central, competent and operationally equipped body responsible for coordinating national cyber policy, the state remains without a key mechanism that enables oversight of critical infrastructure operators, harmonization of standards, building national capacities, exchange of information on threats, and integrated response to incidents, Mihailović explains to CIN-CG.
"It is important to ensure that the operational start of the Agency's work is based on a stable institutional architecture, adequate human resources and optimal technical capacities, so that the Agency can fully realize its strategic role in strengthening national digital resilience," explains Mihailović.
AND STILL WITHOUT REDUNDANT SYSTEMS
Another obligation under the new Law on Information Security is that the Montenegrin CIRT must have so-called redundant systems and backup work rooms to ensure continuity of work. The Montenegrin CIRT does not yet have this advanced technology.
"For now, we have backup protection systems, and by the end of the year we will have a redundant space equipped for the state administration's CIRT," says Polović.
Backup and redundant systems have different roles in cybersecurity. Backup is a copy of data that is preserved in case of loss or damage, while redundant systems involve a duplicate or parallel infrastructure that allows the system to continue operating without interruption if one part fails. In short, redundancy ensures uninterrupted system operation.
"Redundant systems represent a key element of a highly resilient architecture and imply the establishment of parallel, geographically and technically diverse infrastructure capacities that can autonomously take over the function of primary systems in the event of degradation, interruption, compromise or complete failure," explains Mihailović.
For CIRT, redundancy is of strategic importance because it ensures functioning in the event of cyber disruptions, such as cascading incidents, sophisticated attacks, compromise of government services, or in the event of physical disasters and infrastructure failures. This significantly increases the resilience of the national digital infrastructure, explains Mihailović.
“In the context of Montenegro, this means that the work of CIRT is not interrupted even in extreme circumstances, which is an essential condition for the stable functioning of e-services and critical infrastructure,” says Mihailović.
EU and NATO practice dictates that a national CIRT must have a clearly defined Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) and at least one geographically separated secondary operations center. This significantly reduces the risks of system outages, increases the resilience of the national digital infrastructure, stabilizes the incident response process, and strengthens international trust in Montenegro as a reliable security point in regional and Euro-Atlantic networks.
“In practice, this includes the application of various mechanisms and strengthening of infrastructure,” explains Mihailović.
"It is necessary to establish modern mechanisms for monitoring and detecting threats, as well as rapid response to incidents, including advanced network monitoring systems, early warnings and clear recovery plans after attacks. Cybersecurity, as a process that requires constant testing of defenses, regular tests, attack simulations and training, can only be sustainable with a combination of a solid institutional structure, professional staff, modern technology and developed awareness at all levels," says Džakula.
He emphasizes that preparedness should not be built during a crisis, but long before it.
WITHOUT FULFILLING OBLIGATIONS, THERE IS NO EU MONEY
The European Commission’s 2025 Report states that Montenegro should “align its national legislation with the Network and Information Security Directive (NIS2) and implement it, including by establishing a National Cybersecurity Agency”, and that it should continue to implement the EU legal framework in the field of electronic communications and audiovisual media services, including by safeguarding the independence of regulatory authorities. It recommends the recruitment of additional staff in this area, “thus further strengthening the administrative capacity in the areas of electronic communications, information society services and audiovisual media services”, it states.
"Montenegro will receive 1,3 million euros from the EU at the end of 2025 because it has fulfilled its obligations under the Digital Transformation Plan for this year. However, difficulties could arise in 2026, because in order to withdraw the funds planned for next year, the budget proposed by the Ministry of Finance lacks about half a million euros for the implementation of Phase II of the Digital Transformation Plan for 2026," explains Polović.
He points out that the MoF's logic in not allocating half a million for these needs is unclear, after which it could receive a much larger amount from the EU, i.e. around two million, for fulfilling the Digital Transformation Plan.
"Although the Government will withdraw 1,3 million for digital transformation this year, much larger funds could have been obtained from the EU in 2025. However, due to the slowness in establishing the Cybersecurity Agency and strengthening the capacities of the CIRT, Montenegro failed to withdraw an additional 3,4 million euros from the EU," explains Polović.
Despite EU recommendations to increase the number of employees, CIRT could be in danger of losing some of its staff next year. The organization lacks the funds to pay salaries for about half of its employees, who are currently financed from EU funds, Polović explains.
"Of the 13 employees, five are permanent, and the rest's project contracts are expiring quickly. All of this requires support. Instead of strengthening in the coming period, CIRT could have been weakened," says Polović.
The MPA has presented to the Government that they need support for salaries in the CIRT. Although the 2026 budget foresees the employment of eight new people, at the level of the entire MPA, the question is how many of them are planned for the CIRT. However, even if funds were provided for new staff, this would not solve the problem.
"The government did not adopt a general personnel plan for 2025, which made it impossible to announce a vacancy, even though we had the funds this year to hire someone else at CIRT," adds Polović.
Several by-laws were supposed to be adopted within six months of the entry into force of the Law on Information Security, but this did not happen either.
Polović announces the adoption of a bylaw by the end of the year - the National Incident Response Plan, as well as the adoption of the List of Critical Infrastructure.
Polović points out that the adoption of these two documents will enable further fulfillment of the indicators from the Growth Plan and thus enable the withdrawal of financial resources from this mechanism in the amount of 1.158 million euros.
All ministries were required to submit sector lists to the MPA in order to create a registry of key cybersecurity entities. The deadline to compile the registry expired in August, but it has not yet been created.
"Most ministries have submitted sector lists, MPA, now we need to review all those lists, send them to the Government for approval, and then compile a register, so all of this is going slower than planned," says Polović.
Montenegro is moving towards a single, European-compatible cyber resilience system, with certain delays understandable due to the transformation of institutions, Andreja Mihailović tells CIN-CG.
"The law introduces complex obligations - from identifying key entities and incident management, to registers, supervision and certification - so temporary deviations mainly reflect the need for consistent application of regulations, coordination and harmonisation with EU practices and the NIS2 Directive," believes Mihailović.
IT IS STILL UNKNOWN WHO IS BEHIND THE 2022 ATTACK.
In late October and early November, the websites of the Government of Montenegro and all ministries were the target of hacker attacks, or DDoS attacks, and some of these services were unavailable for days after the attacks. However, the Ministry of Public Administration (MPA) told CIN-CG that all services and websites were quickly restored on the same day. CIN-CG journalists saw for themselves that even two days after the service went down, the websites of the ministries and the Government were not fully functional.
According to expert Branko Džakula, the recent attack on all important online government services shows that the state's internet infrastructure does not have a sufficient level of resilience.
"Ideally, even if there is a strong DDoS attack, meaning thousands or millions of fraudulent requests to a site per second, defense systems should be able to absorb the impact or redirect traffic. A temporary outage can happen to anyone, but if sites are inaccessible two days after the attack, it means that either the attack is still ongoing without a successful response or the recovery was not done quickly enough," Džakula explains to CIN-CG.
One explanation is that perhaps after the attack itself, a certain number of services were turned off as a precaution, until they were sure everything was safe, says Džakula.
"It has happened before that systems were shut down after working hours while the threat was analyzed. This indicates a reactive approach: instead of keeping the infrastructure available with resilience, we shut it down 'so that the damage doesn't escalate'. This is understandable when you don't have strong protective mechanisms, but it is not a good solution in the long term," says this expert.
Not even three years after a major cyberattack on the infrastructure of the Government of Montenegro, there is no official answer as to who is behind this attack. In August 2022, a ransomware attack of malicious software hit the servers of the Government of Montenegro. During the attack, hackers locked and encrypted data and key files of state systems, and then demanded a ransom for their unlocking and decryption. For months after the attack, Government services were inaccessible, and email addresses did not work. Although the Government in the period after the attack cited several speculations about who could be behind it - from the Cuba Ransomware hacker group to Russia - to this day there is no official answer to this question.
In January 2023, the Police Department announced that it had received a report from the FBI on cyberattacks on government servers in 2022, based on a large amount of data collected through the Ministry of Public Administration's network and monitoring the movement of information between different systems. However, the report was never made public.
"This report remained internal, as recommended by the FBI, solely for the purpose of strengthening the resilience of the government's infrastructure and network of state bodies. However, this report does not state who carried out the attack and how," claims Polović.
"It is worrying that even after more than three years, we still do not know who carried out the cyber attack on the Government in 2022. This creates the impression that the attackers can go unpunished or that the institutions are not capable of detecting them. It is possible that there was not enough evidence for a court verdict, but the lack of information undermines public trust. People are rightly asking: is this being worked on and are we safer today than in 2022," says Džakula.
The Basic State Prosecutor's Office in Podgorica did not respond to CIN-CG's question about the stage at which the proceedings were initiated in connection with the attack three years ago.
Last year, the media reported that the Prosecutor's Office had sent an urgent request for action regarding this case to the Police Directorate (PD), namely the Criminal Intelligence Department and the Group for Suppression of High-Tech Crime.
The Police Department did not respond to CIN-CG's questions regarding this case and referred us to the Prosecutor's Office.
According to Džakula, the problem is that it is not known exactly how the 2022 attack occurred.
"To date, detailed analyses and reports have not been publicly presented, which are the exact weaknesses exploited by the attackers and what has been done to address them. There may be a report internally, but if there is and if it is hidden, it makes it difficult for independent experts to assess where we are when it comes to protection," says Džakula.
IT IS NECESSARY TO IMPROVE DIGITAL LITERACY
"Only one percent of employed public servants have received training on cybersecurity. The lack of cybersecurity experts has been recognized as a global problem, while in Montenegro, due to limited human resources, this problem is even more pronounced," the Cybersecurity Strategy 2022-2026 states.
The plan to raise that number to 15 percent is a good step, but it takes time and perseverance to achieve it, Džakula emphasizes. The culture of incident reporting is also weak, with many organizations preferring to keep quiet about “minor” security problems, which slows down learning from mistakes and improving the system.
Montenegro should focus intensively on strengthening human resources capacities - human resources and the lack of experts have been identified as a major problem.
"It is necessary to rapidly train and employ cybersecurity experts, both in the public sector and through the encouragement of educational programs at universities. One of the most important segments of cybersecurity is the digital literacy of citizens themselves. It is necessary to launch national education campaigns on basic digital security. Citizens must know how to recognize scams, so-called phishing emails, false advertisements and how to protect their personal data on the Internet. The human factor is often the weakest link, which is why investing in knowledge and a culture of cyber hygiene brings great benefits," warns Džakula.
Džakula also emphasizes the importance of international cooperation. It is necessary to expand cooperation with partner countries and organizations.
"Fortunately, Montenegro is already involved in NATO and regional initiatives, and recently became a member of the European Cyber Security Organization (ECSO). We should use this network to access the latest knowledge, training and perhaps exchange experts. It is also commendable that Podgorica is home to the Regional Center for Combating Cybercrime with the support of France, where our personnel are trained side by side with foreign experts," says Džakula.
We should invest in people.
Montenegro is facing a serious shortage of qualified cybersecurity experts, warns Džakula, emphasizing that this is a global problem, and more pronounced in our country due to the small IT base and staff outflow.
"In government, banking and telecommunications, one person often covers multiple roles. The CIRT team has far fewer people than standards would recommend, and in smaller companies, security is almost non-existent," says Džakula.
He warns that the public sector has difficulty retaining young professionals due to low salaries and a lack of professional challenges.
"If we do not design incentive models - higher salaries, training, cooperation with international partners, we risk that the new Cybersecurity Agency will be understaffed from the start," he says.
However, he adds, there are also developments: a master's program in Information Security has been introduced at the University of Montenegro, and private initiatives such as the UN1QUELY Cybersecurity Academy, the Logate Institute, and the WB3C regional center are emerging, which are building a new generation of experts.
"In Montenegro, various university study programs train personnel for these jobs. The primary task is for the Ministry of Finance to recognize the priority in attracting such personnel and, through the Law on Salaries in the Public Sector, ensure adequate salaries for these deficit positions, which is an initiative of the MPA," the MPA told CIN-CG.
"It is crucial that the state supports scholarship programs and partnerships with the private sector," emphasizes Džakula.
As a potential solution, he also cites the idea of "cyber reservists" - civilian experts who would help defend national networks in crisis situations, following the example of Estonia.
Although he assesses the staffing situation as critical, Džakula believes it is not hopeless. “If we invest in education, training and international cooperation, we can create enough domestic experts in a few years. Investing in people is just as important as investing in equipment.”
Bonus video:
