North Macedonia enacted the Law on Security of Network and Information Systems, published in the Official Gazette (No. 135) on July 4, 2025. The legislation transposes key requirements of the EU’s NIS2 Directive into national law, establishing mandatory cybersecurity risk management measures and incident reporting obligations for operators of essential and important services across sectors including energy, healthcare, and financial services.
Under the law, the Ministry of Digital Transformation serves as the competent authority for network and information systems security, with responsibilities that include cooperating with the national electronic communications regulator on coordinated security risk assessments of network equipment suppliers. The National Centre for Computer Incident Response (MKD-CIRT) retains its role as the operational cybersecurity body, with expanded supervisory and enforcement powers over essential and important entities.
Article 32 of the law requires covered entities to implement technical and organizational measures addressing supply chain security, including ICT products and services. The law also establishes the National Coordinator for Network and Information Systems Security. Certain provisions apply to additional sectors only upon North Macedonia’s accession to the EU. In May 2025, the government formed a National Council for Digital Transformation and Cybersecurity to coordinate policy implementation across government, private sector, and academic stakeholders.