Skip to content
World Watch/Kazakhstan/Cybersecurity

Cybersecurity ยท Kazakhstan

Cybersecurity law & regulation in Kazakhstan (2026)

Comprehensive lawLaw on Informatization No. 418-V ZRK (24 November 2015); Law on Personal Data and its Protection No. 94-V (21 May 2013, as amended); Law No. 44-VIII ZRK on Amendments to Legislative Acts on Information Security, Informatization and Digital Assets (11 December 2023, effective 11 February 2024 / 1 July 2024); Concept for Digital Transformation, ICT Development and Cybersecurity 2023-2029 (Government Resolution No. 269, 28 March 2023); supervised by the Committee for Information Security, Ministry of Digital Development, Innovations and Aerospace Industry (MDDI), and KZ-CERT / National Coordination Centre for Information Security (NCCIS)Country index 94 ยท A+

Kazakhstan shaded by its cybersecurity status

Cybersecurity in Kazakhstan: comprehensive law, anchored by Law on Informatization No. 418-V ZRK (24 November 2015); Law on Personal Data and its Protection No. 94-V (21 May 2013, as amended); Law No. 44-VIII ZRK on Amendments to Legislative Acts on Information Security, Informatization and Digital Assets (11 December 2023, effective 11 February 2024 / 1 July 2024); Concept for Digital Transformation, ICT Development and Cybersecurity 2023-2029 (Government Resolution No. 269, 28 March 2023); supervised by the Committee for Information Security, Ministry of Digital Development, Innovations and Aerospace Industry (MDDI), and KZ-CERT / National Coordination Centre for Information Security (NCCIS).

Kazakhstan operates a comprehensive, cross-sectoral cybersecurity regime anchored in the 2015 Law on Informatization, which obliges all operators of information systems to implement information-security measures, undergo audits, and report incidents. The December 2023 omnibus amendments (Law No. 44-VIII) materially tightened obligations, introducing a statutory definition of a personal-data security breach, a one-business-day breach-notification duty to the MDDI, and expanded state-oversight powers. The overarching strategic framework is the Cyber Shield of Kazakhstan concept (first adopted 2017, updated 2022) now embedded in the 2023-2029 Cybersecurity Development Concept.

Key points

Primary cybersecurity law

The Law on Informatization (No. 418-V ZRK, 2015) imposes binding information-security requirements on all legal entities operating information systems in Kazakhstan, including mandatory security measures, vulnerability management, and incident reporting to KZ-CERT; it applies across all sectors, not only critical infrastructure.

2023 omnibus amendments (Law No. 44-VIII)

Enacted 11 December 2023 and in force from 11 February 2024 (most provisions) and 1 July 2024 (breach-notification duties), Law No. 44-VIII amended the Law on Informatization, the Personal Data Law, and other acts to codify a definition of 'breach of personal data security', introduce mandatory 1-business-day breach notification to the MDDI, and expand the MDDI's inspection and enforcement powers.

Breach-notification obligation

From 1 July 2024, data controllers (owners/operators) must notify the MDDI within one business day of discovering any unauthorized access, alteration, destruction, or distribution of personal data; this is the primary statutory incident-reporting duty for private-sector entities under the Personal Data Law (No. 94-V).

Critical infrastructure rules

Separate subordinate regulations set specific security requirements for entities designated as critical information and communication infrastructure (CICI), including mandatory risk assessments, regular cybersecurity audits, and incident reporting to KZ-CERT; the MDDI Committee for Information Security enforces these rules and can impose administrative fines.

KZ-CERT & national CERT structure

KZ-CERT, operating under the NCCIS within the MDDI, holds nationwide responsibility for cyber-incident detection, coordination, and response; it is a FIRST member and logged 68,100 incidents in 2024 (up 97% year-on-year), underscoring active operational use of the reporting framework.

Cyber Shield strategic concept & data localisation

The Cyber Shield of Kazakhstan (2017, updated 2022) and the 2023-2029 Cybersecurity Development Concept (Government Resolution No. 269/2023) set national targets and obligations covering 100% of state and state-integrated information systems. Separately, from 8 January 2025 personal data stored in electronic databases must be physically located on servers within Kazakhstan.

Timeline - major decisions & events

Jul 1, 2026law
Digital Code of Kazakhstan enters into force

The Digital Code consolidates the Law on Informatization, the Law on Electronic Documents, and the Law on Electronic Digital Signature into a single unified instrument, mandating cybersecurity audits for critical infrastructure and high-risk AI systems, reinforcing data-localization rules, and establishing a 'Digital Sovereignty' principle ensuring state control over critical digital infrastructure. It is the most comprehensive digital regulatory overhaul in Kazakhstan's history.

Interfax Kazakhstan โ†—
Dec 25, 2025law
Parliament approves Digital Code of Kazakhstan on second reading

The Senate approved the Digital Code, after the President instructed Parliament in September 2025 to fast-track the legislation; the Code introduces mandatory public disclosure of cybersecurity-audit results, criminal and administrative penalties for large-scale data breaches, and biometric SIM-card registration starting 2026 to combat telecom fraud.

Qazinform โ†—
Jun 16, 2025incident
Largest data breach in Kazakhstan's history: 16.3 million personal records leaked

Personal data of approximately 16.3 million residents, names, Individual Identification Numbers (IINs), addresses, phone numbers, and nationality details, were exposed from private (non-government) databases, affecting over three-quarters of the population. The government launched an investigation, detained over 140 suspects, seized 400-plus devices, and proposed raising the maximum fine for information-security violations to approximately US$42,500, while accelerating criminal-liability proposals for mass data leaks.

Tengrinews โ†—
Feb 11, 2024law
Information-security amendments (Law No. 44-VIII ZRK) enter into force

The law signed on 11 December 2023 took effect, requiring all data controllers to notify the Ministry of Digital Development of any personal data breach within one business day of discovery and explicitly mandating that personal data of Kazakhstani citizens be stored and processed on servers physically located inside Kazakhstan, the strictest enforcement of data localization to date.

Grata International (law firm) โ†—
Oct 26, 2022decisionofficial
Government Resolution No. 849 amends critical-infrastructure classification rules

Kazakhstan updated the criteria under which information and communication infrastructure objects are designated as Critical Information and Communication Infrastructure Facilities (CICIF), refining the scope of entities, spanning energy, finance, healthcare, transport, and government, subject to mandatory security assessments, vulnerability management, and incident notification.

Adilet โ€” Kazakhstan Legal Information System โ†—
Dec 1, 2020enforcement
Kazakhstan's third attempt to mandate government HTTPS interception certificate

Kazakhtelecom again instructed users to install the government-issued Qaznet Trust Certificate to enable state-level HTTPS decryption; the attempt failed because Mozilla, Google, and Apple had already hard-coded a block of the certificate in their browsers in August 2019, making the mandate technically ineffective for the majority of internet users.

Wikipedia (citing Mozilla Bug 1567114 and browser vendor announcements) โ†—
Aug 21, 2019decision
Mozilla, Google, and Apple hard-block Kazakhstan's Qaznet Trust Certificate in browsers

All three major browser vendors simultaneously announced that Firefox, Chrome, and Safari would refuse the Kazakh government's national security certificate regardless of any manual user installation, neutralising the state's mass HTTPS-interception mandate and setting a landmark precedent for browser-enforced resistance to government surveillance certificates.

Mozilla Bugzilla โ†—
Oct 28, 2017decisionofficial
Action Plan for 'Cyber Shield of Kazakhstan' until 2022 approved (Decree No. 676)

The government issued a two-stage implementation roadmap (Stage 1: 2017-2018; Stage 2: 2019-2022) for the national cybersecurity strategy, covering KZ-CERT capacity expansion, standards development for critical-infrastructure operators, public-sector penetration-testing requirements, and cybersecurity workforce training, helping Kazakhstan rise from 103rd to 31st in the ITU Global Cybersecurity Index by 2020.

Prime Minister of the Republic of Kazakhstan โ†—
Jun 13, 2017decisionofficial
Cybersecurity Concept 'Cyber Shield of Kazakhstan' adopted (Government Decree No. 407)

Kazakhstan adopted its first standalone national cybersecurity strategy, defining state policy for protecting electronic information resources, information systems, and telecommunications networks, and formally institutionalising the KZ-CERT national computer emergency response team as the central coordination body for cyber-incident response.

ITU (International Telecommunication Union) โ†—
Nov 24, 2015lawofficial
Law on Informatization (No. 418-V ZRK) enacted, foundational cybersecurity obligations

Kazakhstan's core ICT and cybersecurity statute replaced the 2007 Law on Informatization and established binding obligations for all information-system operators: risk assessments, vulnerability management, mandatory cybersecurity audits, and incident reporting; it also required .KZ and .าšะะ— domain websites to use SSL certificates and host infrastructure within Kazakhstan, creating the first statutory data-localisation obligation.

Adilet โ€” Kazakhstan Legal Information System โ†—
May 21, 2013lawofficial
Law on Personal Data and Its Protection (No. 94-V) enacted

Kazakhstan enacted its primary personal data law establishing rules for collection, processing, and storage of personal data by public and private entities, classifying electronic databases containing personal data as confidential and limiting processing to declared purposes; it forms the cornerstone of the country's data-security framework and has been amended multiple times, most significantly in 2021 and 2023.

Adilet โ€” Kazakhstan Legal Information System โ†—

Kazakhstan - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’