Cybersecurity - Armenia

The Law 'On Cybersecurity' was approved by the National Assembly of Armenia in November 2025 and entered into force on 4 January 2026, following government approval of the legislative package on 14 August 2025. It is Armenia's first dedicated, horizontal cybersecurity statute.

The law designates 14 critical sectors — including energy, transport, healthcare, financial services, manufacturing, and public administration — and places obligations on Critical Information Infrastructure (CII) operators in both state and private spheres to implement organisational and technical measures.

Upon becoming aware of a serious cyber incident (defined as one threatening life, national security, the economy, or critical infrastructure continuity), regulated entities must submit updated information to the Authorised Body within 72 hours. CII operators must also maintain incident-response and business-continuity processes.

CII operators are required to meet government-determined minimum cybersecurity standards and obtain ISO 27001 or equivalent international certification every three years. State bodies and public-sector entities are also subject to mandatory standards.

The companion Law 'On the Information Systems Regulatory Authority' creates an autonomous regulator whose members are elected by the National Assembly. The existing Government Computer Incident Response Center (CERT, cert.gov.am) currently operates under ISAA and will be integrated into the new framework as the operational cyber-incident response function.

Separate from the new cybersecurity law, Armenia's personal data legislation already requires data processors to immediately notify the Police and the Personal Data Protection Authority upon discovering an outflow of personal data from electronic systems.