Cybersecurity - Belarus

The Law on Information Security (2016) establishes foundational obligations for all organizations handling information resources, requiring risk assessments, encryption, and incident response protocols. It provides the legal basis for designating Critical Essential Objects of Informatisation (CEOI) and sets out responsibilities of state bodies, organizations, and citizens.

Signed in February 2023, Decree No. 40 mandates the creation of a National Cyber Security Center (under the OAC) and sector-level cybersecurity centers across state bodies and major organizations. Hosting providers are explicitly required to implement protective measures under its provisions; the first certified Cyber Security Center was established at the National Traffic Exchange Center in November 2023.

The Operational and Analytical Center (OAC) under the President, established in 2008, is the central authority for national cybersecurity. It coordinates cyber defense, certifies cybersecurity centers, sets technical protection standards for information systems, and oversees incident reporting. It also regulates the telecommunications market independently.

Organizations must report information security incidents to the OAC under the procedure established by OAC Order of 2 February 2020 on submitting information about information security events. Hosting providers and operators of critical systems face additional specific reporting obligations under Decree No. 40 and associated implementing orders.

The Law on Personal Data Protection (No. 99-Z, in force 15 November 2021) requires operators to notify the National Personal Data Protection Centre immediately, but no later than three working days after discovering a breach, unless the Centre directs otherwise. Notification is not required if the breach did not result in unlawful dissemination, modification, blocking, or unrecoverable deletion of personal data.

Belarus designates Critical Essential Objects of Informatisation (CEOI) — information systems whose failure could cause significant harm to national security across political, economic, social, and other domains. CEOI operators must implement a mandated complex of legal, organizational, and technical measures and are subject to heightened OAC oversight, in line with the 2019 Doctrine of Information Security.