Cybersecurity · Belarus
Cybersecurity regulation in Belarus (2026)
Belarus shaded by its cybersecurity status
Belarus operates a multi-instrument cybersecurity regime built across a foundational 2016 Law on Information Security, a 2023 Presidential Decree No. 40 'On Cyber Security' establishing a National Cyber Security Center and sector-level cybersecurity centers, and a 2021 Personal Data Protection Law with mandatory breach notification. The Operational and Analytical Center (OAC) under the President serves as the principal national cybersecurity regulator, overseeing technical standards, incident reporting, and certification of security centers. Critical infrastructure is governed separately through a designated Critical Essential Objects of Informatisation (CEOI) framework with heightened obligations.
Key points
The Law on Information Security (2016) establishes foundational obligations for all organizations handling information resources, requiring risk assessments, encryption, and incident response protocols. It provides the legal basis for designating Critical Essential Objects of Informatisation (CEOI) and sets out responsibilities of state bodies, organizations, and citizens.
Signed in February 2023, Decree No. 40 mandates the creation of a National Cyber Security Center (under the OAC) and sector-level cybersecurity centers across state bodies and major organizations. Hosting providers are explicitly required to implement protective measures under its provisions; the first certified Cyber Security Center was established at the National Traffic Exchange Center in November 2023.
The Operational and Analytical Center (OAC) under the President, established in 2008, is the central authority for national cybersecurity. It coordinates cyber defense, certifies cybersecurity centers, sets technical protection standards for information systems, and oversees incident reporting. It also regulates the telecommunications market independently.
Organizations must report information security incidents to the OAC under the procedure established by OAC Order of 2 February 2020 on submitting information about information security events. Hosting providers and operators of critical systems face additional specific reporting obligations under Decree No. 40 and associated implementing orders.
The Law on Personal Data Protection (No. 99-Z, in force 15 November 2021) requires operators to notify the National Personal Data Protection Centre immediately, but no later than three working days after discovering a breach, unless the Centre directs otherwise. Notification is not required if the breach did not result in unlawful dissemination, modification, blocking, or unrecoverable deletion of personal data.
Belarus designates Critical Essential Objects of Informatisation (CEOI) — information systems whose failure could cause significant harm to national security across political, economic, social, and other domains. CEOI operators must implement a mandated complex of legal, organizational, and technical measures and are subject to heightened OAC oversight, in line with the 2019 Doctrine of Information Security.
Timeline - major decisions & events
The Operational and Analytical Centre (OAC) restricted access to Belarus-hosted websites from abroad for roughly 48 hours (20:00 March 24 – 08:00 March 26), citing a detected threat of destructive cyberspace actions; the blackout coincided with the opposition Day of Will commemoration. This was the first publicly confirmed use of OAC's 2021 network-suspension authority at infrastructure scale.
Telegraf.news ↗President Lukashenko signed Decree No. 326 authorising the Minister of Internal Affairs to sign the 2024 UN Convention Against Cybercrime, expanding Belarus's international obligations on cross-border data exchange and mutual legal assistance in cyber-investigations.
Reform.news ↗The Supreme State Council of the Union State approved a joint Concept of Information Security for Belarus and Russia, establishing a coordinated policy to protect critical infrastructure and the information space of both states and deepening Russia's role in Belarusian cybersecurity governance.
Ministry of Foreign Affairs of the Republic of Belarus ↗Decree No. 40 created Belarus's formal national cyber-security system, establishing a National Centre for Cyber Security and Incident Response under the OAC, sector-level cyber-security centres for state bodies, and a designated telecom operator for inter-centre coordination — the first comprehensive institutional architecture for cyber defence.
CIS Legislation (official Belarusian decree text) ↗The Law of 7 May 2021 No. 99-Z — Belarus's first dedicated personal data protection statute — took effect, introducing GDPR-like obligations for data controllers and processors, rights for data subjects, and a National Centre for Personal Data Protection as the supervisory authority.
National Centre for Personal Data Protection of the Republic of Belarus ↗Law No. 109 of 24 May 2021 amended Belarus's telecommunications legislation to formally authorise the OAC to limit or entirely suspend telecom networks and internet access when national security threats are detected; non-compliance by operators constitutes a gross licensing violation.
Arzinger Law Office ↗On election day the Belarusian government executed a ~61-hour nationwide internet blackout, deploying deep-packet-inspection technology to block SSL traffic, messaging apps and social media; more than 70 websites were subsequently blocked in the weeks that followed — the most severe digital-rights crisis in Belarusian history and a driver of later legislative expansion of OAC powers.
OONI (Open Observatory of Network Interference) ↗Order No. 66 of the Operational and Analytical Centre set binding requirements for all owners of information systems to report information-security events and the state of their technical and cryptographic protection to the OAC, establishing Belarus's first formal incident-notification regime.
DataGuidance ↗The Doctrine defined Belarus's conceptual approach to information security, articulating principles of information sovereignty, the protection of critical national infrastructure, and a peaceful foreign information policy — serving as the strategic policy document underpinning subsequent legislation.
Ministry of Foreign Affairs of the Republic of Belarus ↗Decree No. 196 'On Certain Measures for Improvement of Information Protection' established criteria for classifying assets as critically important digital infrastructure (social, economic, environmental, or informational significance), required technical and cryptographic protection standards, and created the State Register of Critically Important Digital Assets maintained by the OAC.
Arzinger Law Office ↗The foundational Belarusian information-security statute established the legal framework for information systems, defined categories of protected information, imposed obligations on system owners, and assigned coordination roles to state bodies — remaining the bedrock of the cybersecurity legal regime until supplemented by sector-specific decrees and the 2021 Personal Data Law.
RTI Rating (official Belarusian law text) ↗Belarus - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →