
Law 25/2024 on Cybersecurity – A Major Step Towards a Safer Digital Future for Albania

By: Elton Derveni – Business Development Specialist

The year 2024 began with a significant development in Albania’s cybersecurity landscape. With the approval of Law No. 25/2024 “On Cybersecurity,” the country has taken a bold step toward aligning with European Union standards, strengthening the protection of information systems, communication networks, and critical infrastructures that support the nation’s economy and society.

But what does this law really mean in practice? And why is it so important for every organization—public or private?


From Legislation to Action: How This Law Impacts Real Business Life

This law is not just about national defense against hackers—it’s about protecting citizens, businesses, and essential services from growing digital threats. Its main goal is to establish a clear framework of responsibilities and obligations for entities managing critical information infrastructure, ensuring the resilience of the digital services we all rely on.

At the center of this effort are operators of critical and important infrastructures, who are now legally required to take a proactive approach to cybersecurity, moving away from reaction-based models toward anticipation and resilience.


What Exactly Does the Law Require?

The law introduces a mandatory framework based on three types of measures that every operator must implement:

🔹 Organizational measures – policies, roles, and governance structures to manage cybersecurity;
🔹 Technical measures – security technologies and system-level defenses;
🔹 Operational risk management measures – practices to prepare for, respond to, and recover from incidents.

Each organization must develop a Cybersecurity Preparedness Strategy, which must include:

  • Defined policies for incident risk analysis and securing information systems;
  • Clear incident response procedures;
  • Business continuity plans, including backup management, disaster recovery, and crisis management;
  • Supply chain security measures;
  • Implementation of multi-factor authentication or continuous verification solutions.

From Response to Prevention: A Shift in Cybersecurity Culture

This law represents more than regulatory compliance—it signals a cultural shift in how organizations approach cybersecurity. Instead of reacting to threats, the emphasis is now on preventing them. Organizations are required to have incident response playbooks, perform regular audits and testing, and align with international cybersecurity standards to ensure the integrity of their systems.


Incident Reporting: Time is Critical

One of the most crucial aspects of the law is the clear timeline it sets for incident reporting:

  • Within 24 hours of identifying any cybersecurity incident, a notification must be sent to the National or Sectoral CSIRT;
  • Within 72 hours for any significant incident;
  • Within 1 month, a comprehensive report must be submitted, including incident description, threat type, mitigation actions taken, and any cross-border impact (if applicable).

This structured reporting system encourages transparency and fast response, boosting national capacity to handle digital threats effectively.


A Call to Action – Especially for the Private Sector

In an environment where digital threats are evolving by the day, this law is not just a compliance requirement—it’s a strategic necessity. Any organization aiming to stay competitive and trustworthy must take its cybersecurity posture seriously. Embracing this law is an opportunity to build trust with customers, partners, and stakeholders by showing commitment to data protection and digital continuity.


In Conclusion

Law 25/2024 is far more than just a legal framework. It’s a strategic step toward a safer and more resilient digital Albania. Organizations that understand and embrace this transformation will not only meet compliance requirements but will also gain a strong competitive edge in a world where digital trust is everything.
