Governments across Europe are accelerating the digitalization of public services. While governments move quickly to adopt complex technologies—like online platforms, digital IDs, and artificial intelligence (AI)—that enable faster and more accessible services, how can they simultaneously build citizens’ trust that their data and privacy will be protected?

Serbia’s experience suggests that technology alone is not sufficient. Through the World Bank-supported Enabling Digital Governance Project (EDGE), Serbia developed a multi-layered data security training program to meet the needs of everyone from entry-level staff to senior executives. This strategic approach of strengthening skills and governance systems before proceeding to large-scale deployment of digital and AI solutions yields five practical lessons for other countries across Europe and beyond.

  1. Raising awareness of digital risks is key to data security 

As public services increasingly move online, civil servants, not only IT staff but also clerks and teachers, find themselves managing extremely sensitive personal data as part of their daily routines. When data security incidents happen, they are not necessarily the result of malicious intent but often simple human error due to lack of awareness. 

To strengthen security, Serbia shifted from a focus on responding to breaches to proactive risk management. Key to the strategy was raising the baseline level of digital risk awareness across the entire public sector by training over 4,000 public servants on data protection and cybersecurity. Most importantly to long-term success, this represented an evolution toward a culture where information security is embedded in how the public sector operates.

2. One-size-fits-all training doesn’t work 

The government co-designed data security training programs with public servants, thinking of them as “users” and building the curriculum and format around their specific knowledge gaps and needs. Short online modules taking 10-15 minutes allowed busy frontline staff to complete practical lessons on phishing and responsible data handling during breaks. IT administrators participated in intensive hands-on technical exercises, while senior leaders completed one-hour interactive crisis simulation exercises, allowing them to practice making incident response decisions under pressure. Through this role-specific approach, participants gained skills they were immediately able to apply to their routine duties. Several training programs experienced demand far exceeding targets, demonstrating the value and effectiveness of a user-centric approach.

3. Don’t overlook local authorities and frontline workers 

As the program progressed, social welfare facilities, schools, and health centers began expressing interest in staff training. Although they manage extremely sensitive data pertaining to children, patients, and vulnerable families, these institutions had not initially been envisioned as part of the training rollout. The government quickly responded to this demand, extending the program to institutions beyond national-level ministries and government agencies in Belgrade. Teams traveled across the country to deliver live training sessions, recognizing that data protection challenges impact all levels of governance. 

4. For responsible AI deployment, put governance fundamentals in place first 

While the government was building data protection and cybersecurity capabilities across the nation, growing adoption of AI emerged as a new challenge. AI-powered chatbots and automated procedures are already being piloted to enhance service delivery in Serbia.  

In alignment with emerging European standards such as the EU AI Act, the government has actively invested in establishing an AI governance framework to mitigate risks and bolster public trust. Civil servants are now undergoing training designed to foster an understanding of AI-related risks, ethics, and accountability. 

5. Complement skills with robust national infrastructure

Training alone is not enough to safeguard digital government. While building up civil servants’ skills, Serbia invested in secure national infrastructure through EDGE. The government bolstered its Network Operations Center and established a Security Operations Center and a Computer Emergency Response Team capable of operating 24/7. In the past year alone, national security teams successfully detected and responded to millions of cyberattacks targeting government systems.

Why this matters for the region and beyond

Serbia’s experience offers a broader lesson for digital government reform: building digital services that citizens can trust takes time and a phased, incremental approach. It demonstrates that early investment in skills, governance, and secure systems lays a strong foundation for trusted digital systems without sacrificing innovation.

 

The authors thank Dr. Mihailo Jovanović, Director of the Office for IT and eGovernment (OITeG) Serbia, and team for their close collaboration.

Source link