In early 2022, the Government of Kosovo, with the support of the U.S. Agency for International Development (USAID)’s Critical Infrastructure Digitalization and Resilience (CIDR) program, launched Kosovo’s Critical Infrastructure Cybersecurity Working Group (CICWG). This working group, led by the Prime Minister’s office and facilitated by CIDR, brings together stakeholders across the public and private sectors, academia, and civil society to discuss and recommend ways to bolster the cyber resilience of critical infrastructure.

The group’s work has been invaluable. In less than two years, while supporting the passage of Kosovo’s first-ever comprehensive Law on Cybersecurity, the Kosovo CICWG led the drafting of complementary bylaws that will help operationalize the law for specific critical infrastructure sectors and key institutions. This is an important milestone in the evolution of Kosovo’s cyber resilience, especially because it coincides with the establishment of the Cybersecurity Agency—a single government entity responsible for proposing and implementing cybersecurity measures within Kosovo.

CICWG preparing to engage in a tabletop exercise for addressing cybersecurity vulnerabilities and defensive options.

Through its experience with the CICWG and technical assistance to the Government of Kosovo, CIDR plays an important role in building out the legal framework underpinning the Cybersecurity Agency and ensuring the implementation of the Law on Cybersecurity. Recent achievements include:

• Providing direct advisory and technical services to the government in establishing the Cybersecurity Agency, including the development of a key regulation finalizing the agency’s organizational structure, systematizing job titles and levels, and drafting job descriptions for all key positions. Recently signed by Kosovo’s Prime Minister, this regulation marks a crucial milestone in the establishment of the agency and in Kosovo’s bolstering of its cyber defenses.
• Supporting the drafting of 10 out of 14 new secondary legislation (bylaws) from the Law on Cybersecurity, which will help ensure the full implementation of the law. Kosovo’s Ministry of Internal Affairs has already published six of these new instructions for public consultation, which helps ensure public participation in Kosovo’s policy and regulatory process around cybersecurity.

Given these recent successes, the government has recognized the CICWG as a key force for cultivating Kosovo’s cyber-secure future. Kosovo’s National Cybersecurity Strategy 2023-2027 named the CICWG as the primary body working to increase the cybersecurity resilience of Kosovo’s critical infrastructure. Prime Minister Albin Kurti said at the recent inauguration of Kosovo’s State Cybersecurity Training Center: “The establishment of the CICWG, with the support of the USAID CIDR program, is another initiative through which we have emphasized our comprehensive approach to cybersecurity. This initiative demonstrates our conviction that cyber defense is a collective effort. Therefore, we will be secure, because we are all secure, and it requires the participation of governmental institutions, as well as the private sector and academia.”

Kosovo CICWG discussing national critical information infrastructure and risk scenarios in the health sector.

As Kurti noted in his remarks, a key element of the CICWG’s success is the active participation of a cross-section of Kosovo’s cybersecurity and critical infrastructure stakeholders. By bringing together critical infrastructure operators, cybersecurity companies, cybersecurity experts, and the Government of Kosovo (among other stakeholders) in a single recurring forum, the CICWG has created the space for these stakeholders to share their diverse viewpoints, talk through thorny issues, and build consensus around specific policies, laws, and regulations.

This approach also builds trust among Kosovo’s cybersecurity and critical infrastructure stakeholders, which helps reinforce Kosovo’s cyber resilience in the long term. These successful policy and regulatory reforms in Kosovo underscore the importance of multi-stakeholder engagements in cybersecurity policymaking and serve as an important model for other countries seeking to establish or modernize policies, laws, and regulations on cybersecurity for critical infrastructure.

Albulena Xhelili Berisha is the CIDR/Kosovo Country Director and Inta Plostins is a Senior Digital Specialist with DAI’s Center for Digital Acceleration.