Cybersecurity - Georgia

Enacted in 2012 and amended multiple times (amendments recorded as recently as 2025 on matsne.gov.ge), the Law defines 'critical information system subject' as any state body or legal person whose uninterrupted operation is essential to defence, economic security, or public life, and sets binding security obligations for such entities.

Critical information system subjects must notify CERT-GOV-GE immediately upon identifying a computer incident and take urgent steps to preserve incident-related information. CERT is empowered to request access to affected systems and infrastructure for incident response.

Founded in 2011, CERT-GOV-GE operates under the Data Exchange Agency of the Ministry of Justice. It coordinates incident management, information exchange with critical infrastructure entities, and serves as Georgia's primary technical cybersecurity authority.

Approved by Government Resolution No. 482 on 30 September 2021, the third national strategy sets four priority goals: developing cyber culture and organisational capacity; strengthening governance resilience and public-private partnership; building cyber workforce and technical capability; and enhancing Georgia's international cybersecurity standing.

The list of critical information system subjects and their criticality classification is approved by government ordinance, submitted by the Ministry of Justice in agreement with the Ministries of Defence and Internal Affairs and the State Security Service. The original 2013 list identified 36 critical objects.

Georgia is a party to the Council of Europe Convention on Cybercrime (Budapest Convention). As of 2025–2026, however, deteriorating relations with Western partners have led to reduced international cybersecurity assistance, affecting Georgia's capacity-building trajectory.