Cybersecurity regulation in Azerbaijan (2026)

A large-scale intrusion hit Baku TV and multiple news websites; Azerbaijan's parliamentary commission publicly attributed the attack to Russia's APT29 (SVR-linked Cozy Bear). Investigators found attackers had maintained covert access for two to three years, making it the most significant publicly attributed cyberattack in Azerbaijan's history.

Azerbaijan's State Service for Special Communication and Information Security (SCIS) reported that nearly 4,000 state-institution employee accounts were leaked to hackers in 2024, with 134 staff across 32 agencies directly compromised. SCIS also blocked over 814 million malicious connections on the AzStatenet government network during the same period.

President Aliyev signed the Strategy of the Republic of Azerbaijan on Information Security and Cybersecurity for 2023–2027 together with its Action Plan, assigning implementation responsibilities to 23 government entities. The strategy—Azerbaijan's first dedicated cybersecurity strategic document—covers critical infrastructure protection, CERT cooperation, capacity building, and international engagement.

The Cabinet adopted detailed technical and procedural rules for CII operators, specifying general and sector-specific security requirements, inspection powers, and incident response obligations across energy, transport, finance, telecoms, and public administration. These rules operationalised the 2022 statutory CII framework.

The Milli Majlis amended the Law on Information, Informatization and Protection of Information to add a dedicated CII security chapter, formally defining 'critical information infrastructure,' 'cyber attack,' 'cyber incident,' and 'cyber threat' for the first time in statute, and imposing mandatory security obligations on CII operators. The law entered into force on 6 July 2022.

President Aliyev's Decree No. 1315 formally named the State Security Service (SSS) as primary authority for cybersecurity of all critical information infrastructure, with SCIS acting jointly for state-body systems. The decree also established an inter-agency commission with powers to conduct inspections and mandate emergency interventions, laying the institutional foundation for the later CII law.

SCIS was separated from the Special State Protection Service and constituted as a standalone agency responsible for government network security (AzStatenet), cryptographic protection of state communications, technical cyber-defence support, and coordination of cybersecurity across state institutions. This consolidation gave cybersecurity its own dedicated institutional home.

Decree No. 833 brought the Electronic Security Center (created by Decree No. 708 of September 2012) into the Ministry of Communications and High Technologies as the Electronic Security Service. The service became Azerbaijan's national CERT (CERT.AZ) and the coordinating state authority for ICT and cyber-incident response.

Azerbaijan adopted a dedicated Personal Data Protection Law establishing rules for data collection, processing, and protection, requiring operators to implement organisational and technical safeguards, and restricting cross-border transfers where the recipient country's protections are inadequate. It introduced the first formal data-subject rights framework.

Azerbaijan acceded to the Council of Europe Convention on Cybercrime (Budapest Convention ETS No. 185), the principal multilateral treaty harmonising cybercrime offences and mutual-assistance procedures. Accession required aligning the Criminal Code with the Convention's substantive offences on unauthorised access, data interference, computer-related fraud, and child exploitation.

Azerbaijan enacted its first comprehensive information law, defining state policy on information systems, categories of data, permissible collection methods, and protection obligations. This foundational statute underpinned all subsequent information-security regulation until the 2022 CII amendments modernised and expanded it.