Cybersecurity regulation in Armenia (2026)

A threat actor advertised an alleged dataset of approximately 8 million Armenian government records — including communications from police and judicial bodies — for $2,500 on an underground forum. Authorities denied a direct government email breach but opened an investigation pointing to the electronic civil litigation platform as a likely source.

Armenia's first dedicated cybersecurity statute took effect, mandating minimum security standards (ISO 27001 or equivalent) for critical-infrastructure operators, compulsory cyber-incident reporting to AM-CERT, and establishing a new independent Information Systems Regulatory Authority with commissioners elected by the National Assembly.

The Armenian government approved the draft Law 'On Cybersecurity' and two companion bills submitted by the Ministry of High-Tech Industry and Information Systems Agency of Armenia, clearing them for National Assembly consideration after an 18-month public consultation and revision process.

Beginning in January 2024, Anonymous Russia and Anonymous Sudan conducted repeated DDoS attacks on Armenian government websites, banks, and telecoms; a subsequent FBI investigation concluded Russian actors were behind attacks on Armenian telecommunications infrastructure, underscoring the geopolitical dimension of cyber threats facing Armenia.

Armenia's Ministry of High-Tech Industry released the first draft of a dedicated cybersecurity law for public comment (December 19, 2023 – January 4, 2024), proposing mandatory security requirements for critical information infrastructure operators, incident-reporting duties, and authority for a national cybersecurity body.

Armenia was among the early signatories of the Second Additional Protocol to the Budapest Convention on Cybercrime, committing to enhanced cross-border cooperation mechanisms including expedited subscriber-data disclosure and joint cybercrime investigations — strengthening Armenia's international law-enforcement cooperation framework.

Between September 10–19, 2023, Armenian government agencies, airports, and media were struck by coordinated malware campaigns and DDoS attacks — including malicious documents spoofing National Security Service warnings — timed to coincide with the Azerbaijani offensive that ended Armenian control of Nagorno-Karabakh, marking the most severe hostile cyber operation against Armenia to date.

Armenia's national Computer Emergency Response Team, AM-CERT, operated under the Information Systems Agency of Armenia, became fully operational in September 2023, serving as the primary national body for coordinating cybersecurity incident response for critical infrastructure; Armenia subsequently joined FIRST (Forum of Incident Response and Security Teams).

Access Now and Amnesty International published research confirming Pegasus spyware (NSO Group) had been deployed against at least 12 Armenian nationals — including a former Human Rights Defender, RFE/RL journalists, and a UN official — primarily during 2020–2022, representing the first documented use of commercial spyware in an active international armed conflict.

Armenia's 2020 National Security Strategy, adopted by the Security Council, formally designated cybersecurity as a core national security priority for the first time, directing the creation of a national cybersecurity centre, national CERTs, and a dedicated legal framework for critical information infrastructure — the political mandate that drove the subsequent 2023–2026 legislative process.

Armenia amended its 2015 data protection statute to harmonize it more closely with the EU GDPR, strengthening consent requirements, data-subject rights, and cross-border transfer rules, reflecting Armenia's obligations under Council of Europe Convention 108 and its aspirations for EU alignment.

Armenia enacted its first comprehensive data protection law (No. HO-49-N), establishing principles for lawful data processing, data-subject rights, and a dedicated supervisory authority — forming the foundational legal framework for privacy and data security that underpins all subsequent digital and cybersecurity regulation.