ROAD TO RESILIENCE: Governance and Capacity Building in Kosovo’s Cyber Defense and Critical Infrastructure

The government of Kosovo (GOK) has made cybersecurity and critical infrastructure protection national priorities. GOK enacted the Law on Cyber Security (LCS) and Law on Critical Infrastructure LCI) and adopted the Kosovo Security Strategy (KSS) and Cyber Security Strategy. It also established a Cyber Security Agency (CSA) designed to function as a central hub for coordinating GOK cyber agencies and protecting cyber assets across various sectors. In addition, GOK prioritized governance and capacity-building in cyber defense and identification of key sectors in critical infrastructure.

But challenges remain and more work should be completed if Kosovo is going to build resilience to cyberattacks and secure its infrastructure sectors, especially in energy, e-governance, and telecommunications. More people in Kosovo, as well as across the Western Balkans, use information and communication technologies (ICT) today than ever before, which means more cyber incidents and attacks will take place. 95% of Kosovo’s population between the ages of 16-74 access the Internet on a regular basis and broadband coverage and 5G telecommunications increasing on an annual basis. Kosovo has witnessed an increase in cyber violations and crimes, targeting telecommunications, financial institutions, and e-government services. From 2020 to 2023, Kosovo experienced a significant increase in malware, social engineering, and ransomware attacks with many going unreported to authorities. Moreover, Kosovo’s public institutions are targeted on a regular basis. High profile attacks targeted Kosovo’s Central Election Commission, Kosovo Telecom, and e-Kosova. The Cybercrime Investigations office in the Kosovo Police maintain records of arrests and apprehensions of suspected cybercriminals.

As cyber threats and attacks against Kosovo’s critical infrastructure sectors and public institutions become increasingly more sophisticated, the GOK must be relentless and vigilant in its pursuit of resilience concepts through capacity-building efforts and connecting capacity with governance frameworks GOK has passed key legislation, drafted strategic guidance documents, and established agencies to address cyber threats. While governance has improved and cyber agencies are in place, capacity-building remains a challenge. The GOK must work with its international partners, build, maintain, and expand partnerships with Kosovo’s dynamic private sector, and promote cybersecurity education and awareness.

In 2023 and 2024, KCSS published analyses of critical infrastructure and cybersecurity. These include guidance on digital threats and capacity-building in NGOs, best practices and guidance in Kosovo’s critical infrastructure sectors, modeling critical infrastructure protection approaches developed by the Baltic States, Kosovo’s critical infrastructure protection in a comparative regional perspective, alignment of the Law on Critical Infrastructure with European Union NIS2 Directive, and a cybersecurity handbook on incident response, data protection, and Internet safety.

This report relies on open-source assessments of publicly available information and structured interviews with Kosovo’s stakeholders in public institutions and the private sector to assess progress in governance and capacity. It analyzes legislation and governing frameworks on cybersecurity and critical infrastructure, strategic guidance, and agency operations and capacities. The report concludes that whole-of-government and whole-of-society efforts are needed to keep Kosovo on the road to resilience.