Cybersecurity regulation in Kazakhstan (2026)
Kazakhstan operates a comprehensive, cross-sectoral cybersecurity regime anchored in the 2015 Law on Informatization, which obliges all operators of information systems to implement information-security measures, undergo audits, and report incidents. The December 2023 omnibus amendments (Law No. 44-VIII) materially tightened obligations, introducing a statutory definition of a personal-data security breach, a one-business-day breach-notification duty to the MDDI, and expanded state-oversight powers. The overarching strategic framework is the Cyber Shield of Kazakhstan concept (first adopted 2017, updated 2022), now embedded in the 2023-2029 Cybersecurity Development Concept.
Key points
The Law on Informatization (No. 418-V ZRK, 2015) imposes binding information-security requirements on all legal entities operating information systems in Kazakhstan, including mandatory security measures, vulnerability management, and incident reporting to KZ-CERT; it applies across all sectors, not only critical infrastructure.
Enacted 11 December 2023 and in force from 11 February 2024 (most provisions) and 1 July 2024 (breach-notification duties), Law No. 44-VIII amended the Law on Informatization, the Personal Data Law, and other acts to codify a definition of 'breach of personal data security', introduce mandatory 1-business-day breach notification to the MDDI, and expand the MDDI's inspection and enforcement powers.
From 1 July 2024, data controllers (owners/operators) must notify the MDDI within one business day of discovering any unauthorized access, alteration, destruction, or distribution of personal data; this is the primary statutory incident-reporting duty for private-sector entities under the Personal Data Law (No. 94-V).
Separate subordinate regulations set specific security requirements for entities designated as critical information and communication infrastructure (CICI), including mandatory risk assessments, regular cybersecurity audits, and incident reporting to KZ-CERT; the MDDI Committee for Information Security enforces these rules and can impose administrative fines.
KZ-CERT, operating under the NCCIS within the MDDI, holds nationwide responsibility for cyber-incident detection, coordination, and response; it is a FIRST member and logged 68,100 incidents in 2024 (up 97% year-on-year), underscoring active operational use of the reporting framework.
The Cyber Shield of Kazakhstan (2017, updated 2022) and the 2023-2029 Cybersecurity Development Concept (Government Resolution No. 269/2023) set national targets and obligations covering 100% of state and state-integrated information systems. Separately, from 8 January 2025 personal data stored in electronic databases must be physically located on servers within Kazakhstan.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.