State-owned Telekom Srbija has suffered a significant data breach exposing information on 650,000 users spanning 2019 to 2025, marking the second major cybersecurity incident at the telecommunications provider in recent days and revealing systemic vulnerabilities in Serbian state enterprises.The breach, affecting approximately 10 percent of Serbia's population, compromised both private and business customer data accumulated over six years, according to cybersecurity monitoring platform Bezbedan Balkan. The leaked database represents a substantial portion of the country's telecommunications infrastructure, raising questions about data protection practices at state-controlled companies as Belgrade pursues European Union integration.This marks the second leak from Telekom Srbija within a matter of days, suggesting not an isolated incident but deeper structural problems in the company's cybersecurity architecture. The pattern mirrors concerns across the Western Balkans region, where digital infrastructure often lags behind the standards required by Brussels for EU membership."In the Balkans, as across post-conflict regions, the path forward requires acknowledging the past without being imprisoned by it," but when it comes to digital security, the region faces present-tense challenges that cannot be deferred. The breach highlights a significant gap between the EU's stringent data protection requirements—enforced through regulations like GDPR—and current Balkan capabilities in cybersecurity.For a country aspiring to EU membership, repeated data breaches at state enterprises present both a technical and political problem. Brussels has increasingly emphasized digital standards and cybersecurity resilience as criteria for integration, particularly as Europe faces heightened concerns about digital sovereignty and infrastructure security.The timing is particularly sensitive for Serbia, which has been navigating a complex diplomatic position between European integration and maintaining relationships with Russia and China, both of which have invested heavily in Serbian telecommunications infrastructure. Questions about data security inevitably intersect with geopolitical considerations about which systems and partners can be trusted with sensitive citizen information.Serbian authorities have not yet issued a comprehensive statement addressing the scale of the breach or outlining remediation measures. The lack of immediate official response itself reflects governance challenges common across the region, where transparency around cybersecurity incidents often lags Western European norms.For the 650,000 affected users—individuals and businesses whose data has been compromised—the breach represents not just privacy concerns but potential financial and security risks. The six-year span of the leaked data means some information may be outdated, but contact details, account information, and usage patterns could still be exploited for fraud or social engineering attacks.The incident underscores the urgency of modernizing digital infrastructure across the Western Balkans. As these countries seek closer EU ties, the gap between Brussels' expectations for data protection and current regional capabilities represents a significant obstacle—one that requires sustained investment, institutional reform, and a cultural shift toward prioritizing cybersecurity at state enterprises.