Data protection
1. Local data protection laws and scope
The Personal Data Protection Law (Official Gazette of Montenegro Nos. 79/2008, 70/2009, 44/2012, 22/2017 and 77/2024) ("the PDPL").
On 1 March 2023, the National Assembly of Montenegro adopted a new Personal Data Protection Act ("New PDPA"), which entered into force on 1 July 2023 and replaced the previous PDPL. The New PDPA is broadly aligned with the General Data Protection Regulation (GDPR) of the European Union, introducing stricter requirements for data controllers and processors, including enhanced data subject rights, new data breach notification obligations, and higher penalties for non-compliance.
As of now, Montenegro's Personal Data Protection Law (PDPL), originally adopted in 2008 (Official Gazette Nos. 79/08, 70/09, 44/12, 22/17), is still in force, with only one minor amendment introduced in August 2024 (Official Gazette No. 77/2024).
2. Data protection authority
Agency for Personal Data Protection and Free Access to Information ("the Agency").
Under the New PDPA, the Agency has gained administrative enforcement powers. It can now impose administrative fines for breaches of the New PDPA without recourse to criminal or offence proceedings.
3. Anticipated changes to local laws
Changes to the PDPL are anticipated soon; first drafts of the law are already under negotiation.
The new law entered into force on 1 July 2023, as noted above, and no further major legislative changes in personal data protection are currently expected before 2026.
4. Sanctions & non-compliance
Administrative sanctions:
N/A
Criminal sanctions:
The Agency does not have any enforcement powers. Sanctions can only be imposed by a judge (in criminal or offence proceedings). The fines for offences range from EUR 500 to EUR 20,000 for a legal entity, from EUR 150 to EUR 2,000 for the responsible person in the legal entity, and from EUR 150 to EUR 6,000 for an entrepreneur, per offence.
Criminal offences involving the unauthorised collection and usage of personal data carry a penalty of a monetary fine or imprisonment for up to one year.
Others:
- Reputational risk;
- Reimbursement of the potential damages (material and non-material)
Under the New PDPA, the Agency can impose administrative fines ranging from EUR 2,000 to EUR 50,000 for legal entities, while responsible individuals may be fined between EUR 500 and EUR 5,000. The possibility of criminal liability remains for serious offences involving unauthorised collection or misuse of personal data.
5. Registration / notification / authorisation
Setting up a personal data filing system is subject to notification. After setting up a data filing system, the data controller must appoint a person responsible for the protection of personal data (if the data controller employs more than ten people who process personal data).
Under the New PDPA, registration or notification requirements have largely been replaced with an accountability-based approach, whereby data controllers must be able to demonstrate compliance with all principles of data processing. However, the obligation to appoint a data protection officer remains if the controller employs more than ten people, or if the data processing activities pose heightened risks to data subjects.
6. Main obligations and processing requirements
- Information requirement;
- Consent requirements, unless processing is required by the law;
- Notification requirement.
Under the New PDPA, data controllers and processors must also implement data protection by design and by default, conduct data protection impact assessments for high-risk processing, and maintain detailed records of processing activities.
7. Data subject rights
Data subjects have the right to:
- be informed in connection with the data processing
- access data relating to them;
- request that the data be corrected, modified, updated or deleted;
- request a stay and suspension of processing;
- have the data processing stayed or suspended if they have challenged the correctness, completeness and accuracy of the data.
The New PDPA introduces the right to data portability, aligning Montenegro’s legislation more closely with the GDPR. Data subjects are now entitled to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit those data to another controller if technically feasible.
8. Processing by third parties
According to the PDPL, a third party (i.e. a user of personal data) is any natural or legal person, state body, state administration body, local self-government body or local administration body, or other entity exercising public authority, which has the right to process personal data and which is not the person whose personal data is processed, the original controller of a data filing system, the processor of personal data, or a person employed by the controller of the data filing system or by the processor of personal data. A data controller is obliged to inform a person if his/her data will be processed by a third party.
Under the New PDPA, the concept of “third party” remains similar. Data controllers must ensure that any third-party processor provides sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the law and ensures the protection of data subject rights.
9. Transfers out of country
The Agency's approval is required for the transfer of personal data from Montenegro to a state that is not party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Agency determines whether the requirements are met and whether safeguards are in place for the transfer of data from Montenegro.
Under the New PDPA, cross-border transfers to countries that do not ensure an adequate level of protection may also be carried out if appropriate safeguards are in place, including standard contractual clauses or binding corporate rules approved by the Agency. The Agency generally follows the adequacy framework outlined in the EU GDPR.
10. Data Protection Officer
The personal data collection manager is obliged, after the establishment of automatic personal data collection, to appoint a person responsible for the protection of personal data. A data controller with more than ten employees who process personal data must designate a person responsible for protecting personal data.
The New PDPA clarifies that a Data Protection Officer (DPO) must be appointed by all public authorities, as well as private entities whose core activities require regular and systematic monitoring of data subjects on a large scale or involve large-scale processing of special categories of data.
11. Security
Data controllers and data processors must take all necessary technical, human resources and organisational measures to protect data in accordance with established standards and procedures in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse. These measures must also include a data confidentiality obligation for all persons who work on data processing.
The New PDPA introduces additional requirements regarding encryption, pseudonymisation, and regular testing of security measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.
12. Breach notification
A breach notification is not regulated by the PDPL. However, under the Law on Information Security of Montenegro, users must report computer security incidents to the competent body.
Under the New PDPA, data controllers are required to notify the Agency of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such risk is high, the affected data subjects must also be informed without undue delay.
13. Direct marketing
Prior informed consent of the data subject (a natural person) is required.
The New PDPA provides clearer provisions regarding direct marketing and unsolicited communications, requiring explicit and verifiable consent for electronic marketing messages.
14. Cookies and adtech
Not regulated. General personal data protection rules apply.
15. Risk scale
Moderate
16. Useful links
Cybersecurity
1. Local cybersecurity laws and scope
Law on Information Security of Montenegro (Official Gazette of Montenegro No. 113/2024) ("the Law").
The new Law on Information Security of Montenegro, which came into force in December 2024, establishes measures and rules for the protection of information systems and networks from cyber threats. It applies to state authorities, ministries, other administrative bodies, local self-government units, legal entities exercising public authority, companies, other legal entities, and individuals who access or handle data and use or manage network and information systems. The law covers both the public and private sectors, with specific obligations for entities designated as "key" and "important" subjects, particularly those providing services essential for the life, health, and security of citizens and the functioning of the state.
2. Anticipated changes to local laws
N/A
3. Application
The Law applies to all entities that use or manage network and information systems, including state bodies, local government, public authorities, and private sector entities that handle data or provide services of public interest. The Law sets out obligations for these entities to implement information security measures to ensure the confidentiality, integrity, and availability of data.
4. Authority
- Ministry responsible for information society and e-government: Oversees state administration cybersecurity and acts as the national contact point.
- CIRT for State Administration: Handles incident response for state bodies.
- Cybersecurity Agency: Responsible for cybersecurity of all other key and important entities, conducts professional oversight, and enforces compliance.
- Council for Information Security: Advisory body for monitoring and improving information security.
5. Key obligations
- Implementation of Security Measures: All entities must implement measures to ensure confidentiality, integrity, and availability of data, including physical, technical, and organizational safeguards.
- Risk Management: Key and important entities must conduct risk analyses, adopt incident response rules, business continuity plans, supply chain security policies, and apply cryptographic protection where necessary.
- Certification: Key entities must obtain and maintain certification under the Montenegrin standard for information security management (MEST ISO/IEC 27001) and undergo periodic compliance checks.
- Designation of Responsible Person: All entities must appoint a person responsible for monitoring the implementation of information security measures.
- Incident Reporting: Entities must assess the impact of cyber threats and incidents. If an incident could significantly affect service continuity, it must be reported to the Cybersecurity Agency (or CIRT for state bodies) within 24 hours. Ongoing and final reports are also required.
- Data Protection: Personal data must be processed in accordance with data protection laws.
6. Sanctions & non-compliance
Administrative sanctions:
The Law introduces significant administrative fines for non-compliance:
- Key entities: EUR 500 to EUR 20,000
- Important entities: EUR 500 to EUR 10,000
- Other entities: EUR 500 to EUR 5,000
- Responsible individuals: EUR 30 to EUR 1,500
- Repeat violations may result in a ban from performing certain activities for 3 to 6 months.
Criminal sanctions:
CIRT does not have any enforcement powers. Sanctions can only be imposed by a judge in criminal proceedings. The Criminal Code of Montenegro (Official Gazette of Montenegro Nos. 70/2003, 13/2004, 3/2020, 26/2021, 144/2021, 145/2021, 110/2023, 123/2024) ("the Code") provides the legal framework for sanctioning criminal offences against the security of computer data. The relevant criminal offences are:
- Damaging computer data and programmes (Article 349 of the Code), punishable by a monetary fine or imprisonment of up to five years;
- Computer sabotage (Article 350 of the Code), punishable by a monetary fine or imprisonment of up to eight years;
- Producing and introducing computer viruses (Article 351 of the Code), punishable by a monetary fine or imprisonment of up to two years;
- Computer fraud (Article 352 of the Code), punishable by a monetary fine or imprisonment of up to 12 years;
- Unauthorised use of computers and computer networks (Article 353 of the Code), punishable by a monetary fine or imprisonment of up to five years;
- Disturbing electronic processing, data transfer and computer network functioning (Article 354 of the Code), punishable by a monetary fine or imprisonment of up to three years.
Others:
- Reputational risk;
- Reimbursement of the potential damages (material and non-material).
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Montenegro has a national CERT/CSIRT structure composed of the CIRT for state administration (handling incidents for government bodies) and the Cybersecurity Agency (handling incidents for all other key and important entities). These bodies are mandated by law to coordinate incident response, ensure compliance, and represent Montenegro in international cybersecurity matters, ensuring a unified and effective national response to cyber threats and incidents.
8. National cybersecurity incident management structure
- Incident Classification: Incidents are classified as low, medium, or high impact, with escalating reporting and response requirements.
- Sectors Covered: The Law defines key and important entities across sectors such as energy, transport, banking, health, water, digital infrastructure, public administration, and more.
- Crisis Management: In case of a major cyber crisis, the Ministry, with the Agency, can propose that the government declare a cyber crisis, triggering coordinated national response measures.
9. Other cybersecurity initiatives
- Awareness and Training: The Agency is tasked with organizing training for employees, raising public awareness, and collaborating with domestic and international partners.
- Sectoral and Central Registers: The Law mandates the creation of sectoral and consolidated registers of key and important entities, with strict confidentiality requirements.