Paper 3 of 6 · Session 2: Cybersecurity & E-Government
NIS2 Readiness in Western-Balkan Critical-Infrastructure Operators: A Multi-Case Study
Nikola Petrović, Aleksandar Marković, Marijana Despotović-Zrakić · Faculty of Organisational Sciences, Belgrade
Abstract
The EU's NIS2 directive entered transposition in October 2024 and is increasingly used as a soft benchmark for cybersecurity legislation in Western-Balkan candidate countries. This paper reports a multi-case study of seven critical-infrastructure operators in Serbia, North Macedonia and Montenegro. We find that NIS2 readiness is bimodal — large state-owned operators are well advanced, while mid-market private operators are barely engaged. The principal barrier is governance, not technology. We interpret the findings through the lens of anticipatory institutional isomorphism and discuss implications for the EU's pre-accession cybersecurity assistance programmes.
1. Introduction
The EU Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union — known as NIS2 — entered transposition in Member States on 17 October 2024, eight days before our workshop. For Western-Balkan candidate countries (Serbia, Montenegro, North Macedonia, Albania, Bosnia and Herzegovina), NIS2 is not directly applicable but is increasingly being used as a soft benchmark for national cybersecurity legislation and procurement standards. This paper investigates how seven critical-infrastructure operators in three Western-Balkan jurisdictions are preparing for substantive NIS2 alignment.
2. Background and Framework
We use Williamson's (1985) transaction-cost lens to interpret the choice between formal compliance and substantive security that critical-infrastructure operators face. Compliance is hostage to how its requirements are defined (Anderson 2020); substantive security requires costly organisational redesign.
3. Method
We conducted a multi-case study of seven operators across the energy, water, transport and digital-infrastructure sectors in Serbia, North Macedonia and Montenegro. Data sources were 31 semi-structured interviews, document analysis of internal cybersecurity policies, and a structured maturity questionnaire derived from ENISA's Cybersecurity Maturity Assessment Model (CMA).
4. Findings
Four findings emerge.
- (F1) NIS2 readiness is highly bimodal: large state-owned operators are well advanced, while mid-market private operators are barely engaged.
- (F2) The principal barrier is not technical but governance-level: the absence of board-level cybersecurity oversight.
- (F3) Sectoral CSIRT capacity in the three jurisdictions is improving but remains thinly resourced.
- (F4) Supply-chain-security obligations under NIS2 Article 21 are poorly understood and under-implemented.
5. Discussion
The Western-Balkan accession trajectory creates an unusual setting: operators must align with EU obligations they are not legally bound by. We interpret this as a case of anticipatory institutional isomorphism (DiMaggio & Powell 1983) and discuss its implications for cybersecurity research in candidate-country contexts.
6. Conclusion
We close with policy recommendations directed at the three national cybersecurity agencies and at the European Commission's DG-NEAR.
References (selected)
- Anderson, R. (2020). Security Engineering, 3rd ed. Wiley.
- DiMaggio, P. & Powell, W. (1983). The iron cage revisited. American Sociological Review, 48(2), 147–160.
- ENISA (2023). Cybersecurity Maturity Assessment Model — Operator Edition.
- European Parliament (2022). Directive (EU) 2022/2555 (NIS2). OJEU, L 333, 80–152.
- Despotović-Zrakić, M. et al. (2022). Cyber-resilience in Serbian critical infrastructure: a pre-NIS2 baseline. Computers & Security, 119, 102787.