Cybersecurity regulation in Georgia (2026)

The IMF published a technical assistance report finding that while the National Bank of Georgia (NBG) has incident-reporting rules in place, significant gaps remain in cyber-risk governance, supervisory practices, information sharing, and stress-testing frameworks. The report recommended NBG develop an overarching financial-sector cybersecurity strategy.

The European Council granted Georgia EU candidate status conditional on nine reforms, including alignment with EU cybersecurity standards such as the NIS Directive. The status accelerated EU-funded capacity-building for Georgia's Cyber Security Bureau, though Georgia's accession process was later de-facto suspended in November 2024 amid democratic backsliding concerns.

Georgia enacted a modernised Personal Data Protection Law (superseding the 2011 version) that aligns more closely with GDPR standards, including a mandatory 72-hour notification obligation to the Personal Data Protection Service following discovery of a security incident, and data-security obligations on controllers and processors.

Georgia's government adopted its third national-level cybersecurity strategy, setting four priority goals: cyber-culture development, resilience of governance frameworks and public-private partnership, enhancement of technical cyber capabilities, and strengthening Georgia's role as an international contributor to cybersecurity. It succeeded the 2013–2015 and 2017–2018 strategies.

The United States Department of State and UK NCSC jointly attributed the October 2019 mass cyberattack on Georgia to Russia's GRU Unit 74455 (Sandworm), marking a significant multilateral public attribution and establishing that hybrid state-sponsored cyber operations against Georgia are a recurring pattern.

Russia's GRU Sandworm unit (Unit 74455) conducted a widespread disruptive attack against several thousand Georgian government and private websites, defacing them with imagery of former President Saakashvili, and knocked two major TV broadcasters (Imedi and Maestro) off the air — the largest cyber incident in Georgian history to date.

Georgia enacted its foundational Information Security Law (document No. 1679424), establishing mandatory cybersecurity obligations for critical information system subjects, defining 'critical information system', and formalising the role of CERT.GOV.GE under the Data Exchange Agency for incident management and coordination across government and critical infrastructure.

Georgia published its inaugural national cybersecurity strategy, covering 2013–2015, coordinated by the Data Exchange Agency. It established Georgia's first structured policy framework for protecting state networks, promoting cyber literacy, and coordinating incident response, forming the basis for all subsequent strategies.

After signing the Council of Europe's Budapest Convention on Cybercrime in 2008, Georgia's ratification brought the treaty into force, obligating harmonisation of domestic cybercrime law with international standards on illegal access, data interference, system interference, and cross-border law enforcement cooperation.

Georgia stood up its national government Computer Emergency Response Team (CERT.GOV.GE) under the Ministry of Justice's Data Exchange Agency, creating the primary body responsible for detecting, registering, analysing, and responding to critical cyber incidents within government networks and critical infrastructure.

The government established the Data Exchange Agency as an independent legal entity under the Ministry of Justice to coordinate e-governance, develop cybersecurity strategy, and supervise CERT.GOV.GE — becoming the institutional anchor of Georgia's entire cybersecurity governance structure.

Concurrent with the Russian military invasion over South Ossetia, coordinated DDoS attacks knocked out 54 Georgian government, news, and financial websites — the first widely documented case of cyber operations running in parallel with conventional military operations. The incident became a landmark case study that directly drove Georgia's subsequent cybersecurity institution-building.