Cybercrime and law – managing challenges and prospects in the digital age

When thinking about cybercrime, it is simply unthinkable not to see how much of a daily risk it has become – it is no longer a question of if it will happen, but when. Cybercriminals aren’t just someone breaking into your computer and taking your password; it’s a whole world of fraud, theft, and even endangering the security of countries. In order to even discuss what cybercrime is, one must first clarify what is included in that term. In a general interpretation, cybercrime includes malicious activities such as identity theft, unauthorized access to personal data and their misuse for the purpose of false representation, for example with the aim of stealing money or taking a loan on the account of the victim. Phishing is a widely known concept – e-mail users often receive e-mails that “inform” them that they must submit their account information, while banks warn them not to fall for such scams. Ransomware is an insidious threat – the hacker locks files and demands a ransom, and if the victim doesn’t pay, they lose everything. DDoS attacks flood the server with requests until the site goes down, and social media scams involve fake messages that trick the user into clicking on a malicious link.

According to a report by Cybersecurity Ventures, the global cost of cybercrime is expected to reach $10.5 trillion annually in 2025, three and a half times more than in 2015 (Esentire, 2024) – that’s more than the GDP of many countries! Ransomware attacks are sometimes taken lightly, on the principle of “it’s not me, who cares about me”. Nevertheless, it is a danger that is spreading, growing from year to year, and practically no one can be sure that he will not be the subject of such an attack and blackmail tomorrow. In the last five years, this risk has increased by numbers that are equally ruthless – the number of these attacks has increased by as much as 150% in the period from 2020 to 2025 (Griffiths, 2025). What does this mean in practice? That every day at least one company or at least one individual is a victim of such an attack. Or, more precisely, it happens every 14 seconds (Palatty, 2025). One in a sea of examples of such criminal acts occurred in

Legal systems struggle with great restrictions when trying to react to this threat. Among the difficulties include the multinational character of cybercrime, obsolete legislation, technological backwardism, and the clash between privacy and security. The purpose of this paper is to investigate how current legal systems handle these issues, spot main challenges and provide fixes. Combining statistical data and case studies with the analysis of national and international legal actions, the study uses an interdisciplinary approach. Along with reports from agencies like Interpol and Europol, the methodological process consists in an examination of pertinent materials including the Budapest Convention, GDPR and national legislation of Serbia. By considering the legal frameworks and obstacles in their application, the aim of the paper is to help find solutions by which the law could more successfully control cybercrime..

2.    Legal frameworks for cybercrime

If any crime is a global threat, then the same can be said for cybercrime, which increases the importance of establishing appropriate legal mechanisms. This need exists because the existing legal mechanisms are not sufficiently developed due to the major limitations of legal systems, primarily in terms of enforcement and efficiency. Perpetrators, their victims and infrastructure are often under different jurisdictions, and the international nature of these crimes poses a key burden in the search for applicable solutions. By studying current national and international legal systems, we can see the complexity of these issues, but also see directions in which we could go further.

Adopted in 2001 by the Council of Europe, the Convention on Cybercrime, sometimes known as the Budapest Convention (Council of Europe, 2001), is one of the main international papers for the fight against cybercrime. This agreement compels participating governments to enact legislation that prohibit illegal access to computer systems, data theft, computer fraud and similar crimes, therefore being the first attempt to create a shared legal framework to combat cybercrime. The Convention underlines especially the value of international collaboration in investigations, including information exchange and extradition. More than 70 states, including Serbia, which joined in 2009, had signed this convention by the beginning of this year. However, major challenges remain. Unfortunately, the global system is seriously compromised by the fact that large countries like China and Russia are not signatories, and past practice tells us that massive cyberattacks have often been linked to their infrastructures or citizens. Furthermore, the Budapest Convention was approved more than twenty years ago at a period when major ransomware assaults, the dark web, and cryptocurrencies were inconceivable. This begs the issue of whether this paper can handle contemporary problems include tracing anonymous bitcoin transactions or defending against attacks on important infrastructure.

Extra legal tools have been created inside the European Union to strengthen the battle against cybercrime. Adopted in 2016 and entered into force in 2018, the General Data Protection Regulation (GDPR) set rigorous criteria for the protection of user privacy (European Parliament and Council, 2016), therefore requiring businesses to guarantee the security of personal data. Regarding data leaks, the fines are substantial; for instance, a technology corporation in Ireland paid 1.2 billion euros for poor customer data protection in 2023 (Beveridge, 2023). But GDPR’s main focus is safeguarding privacy, not actively fighting cybercrime, which restricts its applicability in this sense.

On the contrary, the NIS2 Directive, adopted in 2022 and approved in 2023, seeks to enhance the cyber security of EU vital infrastructure like hospitals, electricity grids and water systems. This directive mandates member states create national plans guaranteeing a quick reaction to events and safeguarding against cyberattacks. The NIS2 Directive’s implementation is challenging, nevertheless; many nations – including certain EU members – have limited resources, specialists, and technical capacity to carry out these policies, therefore impeding development.

Legal actions pertaining to cybercrime exist in Serbia at the national level, however their efficacy is dubious. The 2016 Law on Information Security mandates public organizations and businesses to create mechanisms to stop cyberattacks and lays down guidelines for data protection. Article 301 of Serbia’s Criminal Code forbids illegal access to a computer system, with a penalty of up to five years in prison, therefore addressing computer fraud. Still, the application of these rules runs several challenges. The absence of skilled staff is one of the main issues; in Serbia, there are few forensic professionals qualified to carry out thorough investigations about cybercrime. Furthermore, courts sometimes lack understanding of the technological features of these cases; how would you explain to a judge what blockchain is or how bitcoin transaction monitoring operates? This gets even more difficult when the perpetrators are from aboard since the Serbian court system lacks systems for efficient collaboration with other nations in such circumstances.

3.    Challenges in the fight against cybercrime

Another major problem is the law becoming old. Many cybercrime laws were already written decades ago, long before the Internet enjoyed the status it enjoys today. One example can be from our country, Serbia, where the Law on Information Security was adopted in 2016, but this law and the Criminal Code have not been significantly updated in that context since then, which has led to provisions that do not reflect modern forms of cybercrime (forexample mass ransomware attacks, etc., as well as the misuse of artificial intelligence to create false identities). Other countries share the same fate – the US still utilizes the Computer Fraud and Abuse Act of 1986, vintage from an era when few owned computers and the Internet was fresh, to prosecute cybercriminals. Such legislation is generally not well equipped to tackle modern threats, likethe tracing ofotherwise untraceable bitcoin transactions or preventing attacks on critical infrastructure through advanced botnets.

We encounter another hurdle in the technological backwardness of judicial systems. Many police, prosecutors and courts lack the tools to monitor cyber attacks. Tracking fraud transactions, for instance, calls for specialized software and knowledge of blockchain technology yet that is not exactly the case in Serbia, the majority of police agencies there lack even fundamental resources for such a task. Police officers in Europe are not sufficiently trained to deal with large amounts of data in cybercrime investigations, and it can be said that they lag behind technology, which is why they have many problems in the field of digital forensics (Muncaster, 2025). The courts complicate things further – judges often don’t have the technical skills to evaluate seemingly arcane evidence, like server logs or messages encrypted from the dark web.

There aren’t many experts in forensic science who have some knowledge of cybercrime, especially not in a place like Serbia, where salaries in the public sector are paltry and private companies can provide better working conditions.

4.    Perspectives and solutions

It needs a holistic and synergistic approach towards cybercrime as existing laws systems have proved with limited success combatting this global threat. Indicators for the future related for example to international cooperation, modernization of laws, investments in technology and public education have been drawn on the basis of the analysis presented.

International cooperation is the starting point tackling cybercrime more effectively. The Budapest Convention is powerful but should be expanded to other countries, with key global actors like Russia and China missing from this framework and forming significant holes in the system. In this regard, the UN Agreement on Cybercrime (Council of Europe, 2025) can serve as an important enabler in this wider framework of cooperation. States should align their legislation and facilitate information sharing so that perpetrators can be swiftly tracked down and prosecuted, no matter where jurisdiction lies.

Equally important is the modernization of national laws. The two legal acts, the Law on Information Security and the Criminal Code, need to be harmonized with modern threats, such as ransomware attacks and cryptocurrency abuse. By way of example, provisions that would trace the anonymous cryptocurrency transactions would mean much more could be traced. Similarly, countries such as the US would have to reform archaic legislation such as the Computer Fraud Act of 1986, in order for such laws to include new types of cybercrime (Berris, 2020), including abuse of artificial intelligence.

Technological advances are no end of the answer to the backwardness of many law enformcements. Acquiring specialized digital trail tracing tools – like software for analyzing blockchains – would help police and courts to prosecute criminals more efficiently. Forensic experts need to be trained – estimates of the lack of 3.5 million cyber security experts are certainly worrying, and Serbia is particularly vulnerable in this regard. To address this gap, states need to invest in the education and employment of experts.

Public education is a major component of prevention. It helps reduce the number of victims, as exemplified by Internet safety campaigns – e.g. a good practice example is Estonia (Holm, 2025) – through the use of e-government and training of citizens, this country has greatly decreased cybercrime. A similar approach could be followed in Serbia, where users’ awareness of digital threats is still low.

Finally, the great news is that artificial intelligence is also being applied to detect and prevent cyberattacks. Artificial intelligence tools can recognize attack patterns and predict them, but there is also a risk of misuse, so additional guidelines are needed for their use. The answer to this lies in a level of global co-ordination, advancements in tech and education – and only then can we hope the law will be able to keep up with the cybercriminals.

5.    Conclusion

Cybercrime in the digital age has emerged as a global scourge, a threat that legal systems around the world have had difficulty addressing, and this study identifies important challenges and potential avenues for reform. Based on the theoretic review of international and national legal framework it can be concluded that existing mechanisms (Budapest Convention, GDPR) provide a basis for cybercrime fighting, however, they are constrained by inconsistency of legal frameworks in relation of the countries and ways of modern technologies. Law on Information Security and the Criminal Code regulate the field in Serbia, but implementation is one step behind due to the absence of experts and technical capacity. Difficulties like jurisdictional complexity, technology lag, and privacy versus security also make an effective response difficult – Europol reported in 2024 that most cyber attacks go unresolved, primarily due to the anonymity facilitated by VPNs and the dark web.

It is necessary to take a holistic approach in order to combat cybercrime. The Budapest Convention should be expanded to include more countries, and countries like Russia and China should be included in global agreements. This will help promote international collaboration. National legislation must be modernized to deal with current threats like ransomware attacks and the use of cryptocurrencies. Educating the public, training forensic experts and providing specialized tools for the police and courts is the next step towards uncovering new digital clues. And privacy and security must be reconciled – lawmakers have to strike the balance between wanting to protect user data and enabling effective investigations. The future includes international treaties such as the UN Cybercrime Treaty and the application of artificial intelligence to detect and prvent attacks, but till then the cybercriminals are one step ahead of justice without global coordination and tech advances.

Marković M. Darko

Univerzitet Privredna akademija u Novom Sadu, Pravni fakultet za privredu i pravosuđe u

Novom Sadu, Novi Sad, Srbija

Marković Darija

Univerzitet RUDN, Pravni institut, Moskva, Rusija