Cybersecurity ยท Kazakhstan
Cybersecurity law & regulation in Kazakhstan (2026)
Kazakhstan shaded by its cybersecurity status
Cybersecurity in Kazakhstan: comprehensive law, anchored by Law on Informatization No. 418-V ZRK (24 November 2015); Law on Personal Data and its Protection No. 94-V (21 May 2013, as amended); Law No. 44-VIII ZRK on Amendments to Legislative Acts on Information Security, Informatization and Digital Assets (11 December 2023, effective 11 February 2024 / 1 July 2024); Concept for Digital Transformation, ICT Development and Cybersecurity 2023-2029 (Government Resolution No. 269, 28 March 2023); supervised by the Committee for Information Security, Ministry of Digital Development, Innovations and Aerospace Industry (MDDI), and KZ-CERT / National Coordination Centre for Information Security (NCCIS).
Kazakhstan operates a comprehensive, cross-sectoral cybersecurity regime anchored in the 2015 Law on Informatization, which obliges all operators of information systems to implement information-security measures, undergo audits, and report incidents. The December 2023 omnibus amendments (Law No. 44-VIII) materially tightened obligations, introducing a statutory definition of a personal-data security breach, a one-business-day breach-notification duty to the MDDI, and expanded state-oversight powers. The overarching strategic framework is the Cyber Shield of Kazakhstan concept (first adopted 2017, updated 2022) now embedded in the 2023-2029 Cybersecurity Development Concept.
Key points
The Law on Informatization (No. 418-V ZRK, 2015) imposes binding information-security requirements on all legal entities operating information systems in Kazakhstan, including mandatory security measures, vulnerability management, and incident reporting to KZ-CERT; it applies across all sectors, not only critical infrastructure.
Enacted 11 December 2023 and in force from 11 February 2024 (most provisions) and 1 July 2024 (breach-notification duties), Law No. 44-VIII amended the Law on Informatization, the Personal Data Law, and other acts to codify a definition of 'breach of personal data security', introduce mandatory 1-business-day breach notification to the MDDI, and expand the MDDI's inspection and enforcement powers.
From 1 July 2024, data controllers (owners/operators) must notify the MDDI within one business day of discovering any unauthorized access, alteration, destruction, or distribution of personal data; this is the primary statutory incident-reporting duty for private-sector entities under the Personal Data Law (No. 94-V).
Separate subordinate regulations set specific security requirements for entities designated as critical information and communication infrastructure (CICI), including mandatory risk assessments, regular cybersecurity audits, and incident reporting to KZ-CERT; the MDDI Committee for Information Security enforces these rules and can impose administrative fines.
KZ-CERT, operating under the NCCIS within the MDDI, holds nationwide responsibility for cyber-incident detection, coordination, and response; it is a FIRST member and logged 68,100 incidents in 2024 (up 97% year-on-year), underscoring active operational use of the reporting framework.
The Cyber Shield of Kazakhstan (2017, updated 2022) and the 2023-2029 Cybersecurity Development Concept (Government Resolution No. 269/2023) set national targets and obligations covering 100% of state and state-integrated information systems. Separately, from 8 January 2025 personal data stored in electronic databases must be physically located on servers within Kazakhstan.
Timeline - major decisions & events
The Digital Code consolidates the Law on Informatization, the Law on Electronic Documents, and the Law on Electronic Digital Signature into a single unified instrument, mandating cybersecurity audits for critical infrastructure and high-risk AI systems, reinforcing data-localization rules, and establishing a 'Digital Sovereignty' principle ensuring state control over critical digital infrastructure. It is the most comprehensive digital regulatory overhaul in Kazakhstan's history.
Interfax Kazakhstan โThe Senate approved the Digital Code, after the President instructed Parliament in September 2025 to fast-track the legislation; the Code introduces mandatory public disclosure of cybersecurity-audit results, criminal and administrative penalties for large-scale data breaches, and biometric SIM-card registration starting 2026 to combat telecom fraud.
Qazinform โPersonal data of approximately 16.3 million residents, names, Individual Identification Numbers (IINs), addresses, phone numbers, and nationality details, were exposed from private (non-government) databases, affecting over three-quarters of the population. The government launched an investigation, detained over 140 suspects, seized 400-plus devices, and proposed raising the maximum fine for information-security violations to approximately US$42,500, while accelerating criminal-liability proposals for mass data leaks.
Tengrinews โThe law signed on 11 December 2023 took effect, requiring all data controllers to notify the Ministry of Digital Development of any personal data breach within one business day of discovery and explicitly mandating that personal data of Kazakhstani citizens be stored and processed on servers physically located inside Kazakhstan, the strictest enforcement of data localization to date.
Grata International (law firm) โKazakhstan updated the criteria under which information and communication infrastructure objects are designated as Critical Information and Communication Infrastructure Facilities (CICIF), refining the scope of entities, spanning energy, finance, healthcare, transport, and government, subject to mandatory security assessments, vulnerability management, and incident notification.
Adilet โ Kazakhstan Legal Information System โKazakhtelecom again instructed users to install the government-issued Qaznet Trust Certificate to enable state-level HTTPS decryption; the attempt failed because Mozilla, Google, and Apple had already hard-coded a block of the certificate in their browsers in August 2019, making the mandate technically ineffective for the majority of internet users.
Wikipedia (citing Mozilla Bug 1567114 and browser vendor announcements) โAll three major browser vendors simultaneously announced that Firefox, Chrome, and Safari would refuse the Kazakh government's national security certificate regardless of any manual user installation, neutralising the state's mass HTTPS-interception mandate and setting a landmark precedent for browser-enforced resistance to government surveillance certificates.
Mozilla Bugzilla โThe government issued a two-stage implementation roadmap (Stage 1: 2017-2018; Stage 2: 2019-2022) for the national cybersecurity strategy, covering KZ-CERT capacity expansion, standards development for critical-infrastructure operators, public-sector penetration-testing requirements, and cybersecurity workforce training, helping Kazakhstan rise from 103rd to 31st in the ITU Global Cybersecurity Index by 2020.
Prime Minister of the Republic of Kazakhstan โKazakhstan adopted its first standalone national cybersecurity strategy, defining state policy for protecting electronic information resources, information systems, and telecommunications networks, and formally institutionalising the KZ-CERT national computer emergency response team as the central coordination body for cyber-incident response.
ITU (International Telecommunication Union) โKazakhstan's core ICT and cybersecurity statute replaced the 2007 Law on Informatization and established binding obligations for all information-system operators: risk assessments, vulnerability management, mandatory cybersecurity audits, and incident reporting; it also required .KZ and .าะะ domain websites to use SSL certificates and host infrastructure within Kazakhstan, creating the first statutory data-localisation obligation.
Adilet โ Kazakhstan Legal Information System โKazakhstan enacted its primary personal data law establishing rules for collection, processing, and storage of personal data by public and private entities, classifying electronic databases containing personal data as confidential and limiting processing to declared purposes; it forms the cornerstone of the country's data-security framework and has been amended multiple times, most significantly in 2021 and 2023.
Adilet โ Kazakhstan Legal Information System โKazakhstan - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ