The latest report by the Albanian Supreme Audit Office confirms in detail that the digital state with record transformations that the world envies is actually a cardboard state.
The 2025 Performance Report of the Supreme State Audit Office, analyzed by VNA, treats cybersecurity as a high-risk area, highlighting structural weaknesses, lack of basic controls and unclear allocation of institutional responsibilities. Through its Information Technology (IT) audits, the SAI has highlighted that many public institutions are exposed to cyberattacks due to outdated infrastructure and lack of security protocols.
Lack of basic security controls
One of the main concerns is that institutions do not apply the most basic technical measures to protect their systems.
"The audits have also identified weaknesses in the field of cybersecurity, as well as a lack of basic security controls, such as firewalls, antivirus, encryption and monitoring mechanisms. In some cases, users have administrative rights without appropriate restrictions, while there is a lack of traceability of actions in the system, increasing exposure to cyber risks and security incidents. The audits have resulted in deficiencies in data management and protection, related to the lack of encryption, insufficient access control and the lack of documented procedures for data backup and recovery ," the SAI report states.
Taxes don't bother me because they are a critical sector.
The SAI has conducted a specific audit on the electronic tax system, which is considered critical infrastructure, finding serious deficiencies in technical and legal management.
" The methodology for identifying operators of critical and important information infrastructures, as required by Law No. 25/2024 'On Cybersecurity', was lacking.
As a result of the centralization of IT services at the National Agency for Information Technology, the GDT has transferred the information technology infrastructure and human resources, creating gaps in specialized human resources, which increases exposure to cyber risks and limits the capacity to respond to incidents.
In the technical and operational aspects, non-compliance with the minimum distance between the primary and secondary site has been identified, contrary to the NAKSHI guidance, lack of documentation for needs analysis and training planning, as well as lack of plans for end-user training; lack of data encryption, lack of documentation for environmental controls in the Government Data Center (e.g. flood, fire, periodic testing), lack of documented scheduling for reviewing system logs, contrary to international best practices (NIST, CIS), ambiguity and lack of complete documentation on third-party access controls to the critical system, "the SAI document states, among other things.
Weaknesses in various public institutions
Audits at the local level and in specific agencies have shown an alarming state of network security.
DAR Lezhë: "The lack of a stable network infrastructure, including firewall and antivirus protection, the use of weak passwords... exposed the institution to cyberattacks."
Seized Assets Administration Agency: "No antivirus was installed for the network, exposing the institution to viruses, malware and ransomware, and jeopardizing the continuity of processes."
Lushnja Educational Center : "The IT infrastructure... proved to be depreciated, inefficient and not equipped with basic security elements, such as firewalls, manageable switches and secure computer equipment"
Meanwhile, the government advertises that it has grown by 15 places in the world ranking, while institutions still have banal problems with the systems.
