Cybersecurity strategy of Montenegro 2022-2026

December 2021

View the original document

Strategies and Action Plans

The Cybersecurity Strategy of Montenegro 2022–2026, adopted in December 2021 by the Ministry of Public Administration, Digital Society and Media, outlines a comprehensive national response to the increasing cybersecurity risks facing the country. The strategy was developed with input from public consultations, regional and international partners, and aligns with EU and NATO standards, aiming to build a resilient and secure digital environment in Montenegro.

Context

Montenegro has experienced rising cyber threats, particularly exacerbated by the COVID-19 pandemic and increasing digitalisation. The strategy identifies hybrid threats, sophisticated cyberattacks, and weak institutional capacity as major concerns. Recognising the role of cyber resilience in national security, the strategy emphasises protection of critical infrastructure, alignment with EU directives like NIS, and NATO’s cyber defence obligations.

Vision

The vision is a secure digital environment where citizens, critical infrastructure operators, the private sector, and public administration are protected from cyber threats through education, international cooperation, and institutional strengthening.

Strategic and operational goals

The strategy is centred around one strategic goal:

Montenegro possesses a sustainable system capable of effectively detecting and defending against complex cyber threats.

To achieve this, it defines seven operational objectives, each with measurable indicators:

  1. Enhancing human and financial resources
    Increasing budget allocations and the number of cybersecurity professionals across key institutions.
  2. Creating an effective response mechanism to cyber incidents
    Reorganising the national CIRT, developing military cyber capabilities, and establishing a Cybersecurity Agency.
  3. Improving prevention and cybersecurity education
    Promoting cybersecurity hygiene, training public officials, and integrating cybersecurity into the education system.
  4. Strengthening response to cybercrime
    Reforming legislation, enhancing digital forensics, and improving international cooperation in investigations.
  5. Building a robust data protection framework
    Aligning national laws with the GDPR and enhancing oversight of personal data processing.
  6. Developing cooperation with national and international partners
    Encouraging trust-based information sharing between the government, the private sector, academia, and civil society.
  7. Protecting critical information infrastructure
    Mapping critical ICT assets, establishing baseline protection standards, and conducting regular risk assessments.

Key challenges

  • Inadequate budgeting and staffing
  • Limited cyber literacy among decision-makers and the public
  • Fragmented institutional responsibilities
  • Slow legislative harmonisation with EU law
  • Lack of mechanisms for real-time threat detection and mitigation

Action plan 2022–2023

The Action Plan operationalises the first phase of the strategy, with concrete measures scheduled for 2022 and 2023. Key highlights include:

  • Organisational and legal steps: Initiation of procedures to establish the Cybersecurity Agency, legal amendments to harmonise with GDPR, and updated protocols for reporting and responding to cyber incidents.
  • Capacity development: Recruitment of new cybersecurity professionals in key ministries and agencies, design and rollout of specialised training programs for public servants, law enforcement, and judiciary actors.
  • Public awareness: Launch of national education campaigns targeting youth, civil servants, and the general public on topics such as safe internet usage, digital identity protection, and common cyber threats.
  • Infrastructure protection: Risk analysis and identification of critical ICT systems, along with pilot testing of incident simulations and cyber resilience drills.
  • Cooperation mechanisms: Establishing formal cooperation protocols with private ISPs, banks, and telecoms, and deepening ties with EU agencies and NATO centres of excellence.
  • Evaluation and monitoring: Setting up monitoring tools and reporting systems to track the implementation of each activity and assess the achievement of the strategy’s operational indicators.

The Action Plan serves as a bridge between high-level policy and practical implementation, ensuring that institutions across government are mobilised to work in synchrony.

Institutional framework

The strategy emphasises intersectoral coordination, led by the newly proposed Cybersecurity Agency and supported by ministries, intelligence services, the national police, and CIRT.ME. It also aims to centralise expertise and streamline operational responses.

Monitoring and evaluation

Progress will be tracked via performance indicators for each operational goal, with mid-term and final evaluations scheduled to adjust implementation as needed.