
Corporate Governance and Compliance for Mid-Size Companies in Serbia: Challenges and Best Practices

Mid-size companies in Serbia occupy a specific position: they are large enough to be significantly burdened by regulatory requirements, yet they often lack the legal and compliance resources that large corporations possess. This gap between a company’s growth and its internal organisation is one of the primary sources of legal and financial risk — risks that, in practice, materialise at the most inopportune moments: during an acquisition, an investment round, a tax audit, or a reputational crisis.

Corporate governance and regulatory compliance are not a privilege of large organisations — they are tools that bring predictability, efficiency, and protection to every company, regardless of size.

This article is for informational purposes only and does not constitute individual legal advice.


What Corporate Governance Entails

Corporate governance refers to the set of rules, practices, and processes by which a company is directed and controlled. In the Serbian context, the formal framework is established by the Companies Act (Zakon o privrednim društvima — ZPD), which defines the management bodies, their powers, and their responsibilities.

For joint-stock companies (akcionarsko društvo — AD), the ZPD provides for a one-tier governance model (general meeting and one or more directors, or a board of directors) or a two-tier model (general meeting, supervisory board, and one or more executive directors, or an executive board). For limited liability companies (društvo s ograničenom odgovornošću — DOO), the governance structure is more flexible, but the articles of association or the memorandum of association must clearly define the powers of the general meeting and the directors.

A sound corporate governance framework for a mid-size company encompasses:

  • Clearly separated powers between owners and management
  • Documented procedures for making key decisions
  • An internal control and audit system
  • Transparent reporting to owners and creditors
  • A conflict-of-interest management policy

The key distinction: corporate governance is not merely a formal matter of meeting statutory minimums — it is a culture of accountability built from the top down.


Key Areas of Regulatory Compliance

Serbian legislation imposes specific compliance obligations in several areas:

Anti-Money Laundering and Counter-Terrorism Financing Act (Zakon o sprečavanju pranja novca i finansiranja terorizma — ZSPNFT): Obliged entities — which include certain categories of business entities outside the financial sector — must have established internal AML/CFT (Anti-Money Laundering / Countering the Financing of Terrorism) compliance procedures, appoint a designated compliance officer for this area, and conduct customer risk assessments. Supervision by the Administration for the Prevention of Money Laundering (Uprava za sprečavanje pranja novca) may result in inspections and fines.

Personal Data Protection Act (Zakon o zaštiti podataka o ličnosti — ZZPL): The Serbian equivalent of the GDPR (General Data Protection Regulation, Regulation (EU) 2016/679). Every company that processes data of employees, clients, or business partners must have a legal basis for the processing, maintain a record of processing activities, and, in certain cases, carry out a Data Protection Impact Assessment (DPIA). The Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) exercises supervision and may impose monetary fines.

Public Procurement Act (Zakon o javnim nabavkama — ZJN): Companies that apply for public procurement contracts or are engaged as subcontractors must meet strict compliance criteria — documentary, financial, technical, and personal suitability requirements. Incomplete or inaccurate documentation may exclude a company from the procedure.

Employment law compliance: The Labour Act, contribution legislation, and tax regulations impose precise obligations regarding employment contracts, salary calculation, leave entitlements, and occupational health and safety. The Labour Inspectorate carries out regular checks, and sanctions may include suspension of business operations.


Management Bodies and Directors’ Liability

One of the more frequently overlooked aspects of corporate governance is directors’ personal liability. The ZPD provides that a director is personally liable for damages if they act contrary to the law, the constitutional documents, or the resolutions of the general meeting — applying the so-called duty of care and duty of loyalty standard.

In practice, a director’s personal liability may be triggered in the following cases:

  • Unlawful distributions to owners when the company is insolvent
  • Transactions with related parties without the appropriate approval procedure
  • Failure to file for insolvency within the statutory deadline
  • Failure to settle tax liabilities, resulting in personal liability for the tax debt

Directors & Officers insurance (D&O policy) is not yet as common in Serbia as it is in Western jurisdictions, but growing interest in this form of protection signals increasing awareness of the associated risks.


Implementing a Compliance Programme: A Practical Approach

Implementing a compliance programme for a mid-size company need not be complicated or costly. The key elements are:

1. Mapping regulatory obligations: identify all laws and regulations applicable to the company’s activities, from sector-specific rules to general requirements (data protection, AML/CFT, employment law, tax regulations). This is the starting point and should be refreshed at least once a year.

2. Internal regulations and policies: adopt the mandatory internal instruments, namely Work Rules (Pravilnik o radu), a Data Protection Policy, a Conflict-of-Interest Policy, AML/CFT procedures (where applicable), and a Code of Business Conduct. These documents are not merely a formal requirement: they form the basis for employees’ disciplinary accountability and serve as a defence during regulatory inspections.

3. Engaging the compliance function: for companies above a certain size, an internal compliance officer or an external adviser who periodically reviews compliance significantly reduces the risk of unforeseen issues. An outsourced compliance model is effective for companies that cannot economically justify a full-time position.

4. Regular internal audits: conduct periodic compliance reviews (at least once a year) before a regulator does. A deficiency the company identifies itself can be corrected before a regulator discovers it, which as a rule avoids sanctions.

5. Employee training: a compliance programme is ineffective if employees do not understand their rights and obligations. Regular training, especially for individuals handling personal data or cash, reduces operational risk.


ESG and Corporate Responsibility: A New Regulatory Wave

European regulation is progressively introducing ESG (Environmental, Social, Governance) requirements that also indirectly affect Serbian companies operating with EU partners or preparing for accession to the EU market. The CSRD (Corporate Sustainability Reporting Directive) introduced sustainability reporting obligations for certain categories of companies, and its effects reach into supply chains outside the EU. The precise scope and timeline of the CSRD’s application are subject to ongoing amendments at EU level (the so-called Omnibus package), and monitoring developments in this regulation is part of the preparation process.

Serbian companies that form part of European supply chains are already receiving ESG compliance questionnaires. Preparation for these requirements — documenting processes, measuring emissions, diversity policies — will be a competitive advantage, not merely a regulatory obligation.


Frequently Asked Questions (Q&A)

Is every company in Serbia required to have an internal data protection instrument?
Every data controller within the meaning of the ZZPL must have a legal basis for each category of processing and, as a general rule, maintain a record of processing activities. The exemption for companies with fewer than 250 employees applies only if the processing is occasional, does not pose a risk to the rights of data subjects, and does not involve special categories of data. Since almost every company continuously processes employee data, that exemption rarely applies in practice, so the record is as a rule mandatory even for smaller companies.

What are the most common grounds for fines during inspections by the Serbian Tax Administration?
In practice, the most common grounds are: failure to record revenue, incorrect calculation of value added tax (VAT), irregular employee records, payment of unregistered remuneration, and inaccurate accounting books. A regular internal tax review conducted with an attorney or tax adviser significantly reduces these risks.

What is the deadline for convening the annual shareholders’/members’ meeting?
The ZPD requires the annual general meeting to be held no later than six months after the end of the financial year. Failure to observe this deadline constitutes a misdemeanour and is particularly critical for joint-stock companies subject to the obligation to publish an annual report.

How can a company protect itself from liability for the acts of its employees?
The key mechanisms are: clear internal regulations with prescribed procedures, regular training, documented disciplinary accountability, and a whistleblowing policy. Documented compliance with procedures is the strongest defence in the event of a dispute.


Conclusion

Corporate governance and compliance are not an administrative burden — they are tools through which mid-size companies build their reputation, reduce risk, and position themselves for growth. Investors, banks, and business partners are increasingly evaluating a company’s organisational soundness as a criterion for engagement.

Proactive establishment of a compliance system, a clear distribution of responsibilities within management bodies, and regular internal audits — these are steps whose value is measured in reduced exposure to sanctions, lower cost of capital, and a stronger position in any future M&A (Mergers & Acquisitions) transactions.

Schedule a consultation with the VertexLaw team and take the first step towards well-organised and resilient corporate governance.


Sources:

  • https://www.paragraf.rs/propisi/zakon_o_privrednim_drustvima.html
  • https://www.paragraf.rs/propisi/zakon_o_zastiti_podataka_o_licnosti.html
  • https://www.paragraf.rs/propisi/zakon-o-sprecavanju-pranja-novca-i-finansiranja-terorizma.html

The content of this website is informational and does not constitute legal advice. For specific legal advice, contact a lawyer directly. The firm operates in accordance with the Law on the Legal Profession and the Code of Professional Ethics for Lawyers.
