Cybersecurity - Azerbaijan

Law No. 539-VIQD (27 May 2022, in force 6 July 2022) inserted a new chapter on 'Security of Critical Information Infrastructure' into the Law on Information, Informatization and Protection of Information, defining CII, cyber threats, cyber attacks and cyber incidents, and imposing security obligations on CII operators.

Cabinet of Ministers Decision No. 229 (17 July 2023) approved detailed implementing rules requiring CII entities to comply with 29 general security requirements across 7 domains. Covered sectors include public administration, defence, healthcare, financial markets, energy, transport, IT, telecommunications, water supply and ecology.

A Presidential Decree of August 2023 adopted Azerbaijan's first standalone Information Security and Cybersecurity Strategy (2023–2027) and an Action Plan, assigning roles to SCIS, the Ministry of Digital Development and Transport, the State Security Service and others; goals include CII protection, reducing foreign technology dependency and cybersecurity awareness.

The State Service for Special Communication and Information Security (SCIS) is the primary cybersecurity authority and hosts the government CERT (cert.gov.az); the Electronic Security Service (CERT.AZ) operates under the Ministry of Digital Development and Transport for broader incident response; the State Security Service also oversees CII protection.

CII operators must report cyber incidents to the competent authority under the 2022 law and 2023 implementing rules. Azerbaijan does not yet have a broadly applicable sector-neutral breach notification obligation covering private entities generally comparable to the EU NIS2 Directive.

Azerbaijan has ratified the Council of Europe Budapest Convention on Cybercrime and participates in the CoE Octopus community. In 2025, SCIS engaged at CyCon 2025 (Tallinn) and GISEC Global 2025 (Dubai); the service identified 850 indicators of compromise tied to cyberattacks on government institutions in 2025.