Cybersecurity · Mongolia

Cybersecurity regulation in Mongolia (2026)

Comprehensive lawLaw on Cyber Security of Mongolia (adopted 17 December 2021, State Great Khural); implemented by the Ministry of Digital Development, Innovation and Communications (MDDIC) and the General Intelligence Agency (GIA)Country index 69 · B

Mongolia shaded by its cybersecurity status

Mongolia enacted a standalone Law on Cyber Security on 17 December 2021 — its first comprehensive cybersecurity statute after a decade of drafting — establishing obligations for operators of critical information infrastructure (CII), mandatory incident reporting, biennial security evaluations, and annual audits. Two national CSIRTs were operationalised in 2023: the National CSIRT under the GIA (covering state/CII sectors) and the Public CSIRT/CC under MDDIC (for the general public and private sector). An Oxford GCSCC Cybersecurity Capacity Review published in February 2025 found the legal framework functional but noted gaps in enforcement, terminology standardisation, and human-resource capacity.

Key points

Comprehensive Cybersecurity Law (2021)

The Law on Cyber Security was approved by parliament on 17 December 2021 and entered into force thereafter. It is the primary instrument governing cybersecurity across all sectors, applying to citizens, legal persons, foreign nationals, and foreign-invested entities operating within Mongolia's information networks.

source 1 ↗source 2 ↗

Critical Information Infrastructure (CII) Protection

The law defines CII as information systems whose failure could harm national security, society, or the economy, covering electricity, water, heating, and other essential sectors. CII operators face heightened obligations including mandatory security evaluations every two years and annual information security audits conducted by state-registered auditors.

source 1 ↗source 2 ↗

Incident Reporting Obligations

Articles 16–19 of the Law on Cyber Security impose mandatory notification duties on CII operators and government institutions to report cyber incidents to the designated competent authorities (National CSIRT/GIA for state sector; Public CSIRT/CC for others). Non-CII legal persons must notify the relevant centre when a cyber-attack or violation occurs or is imminent.

source 1 ↗source 2 ↗

Dual-CSIRT Structure (operational since 2023)

Mongolia established two CSIRTs in 2023: the National CSIRT under the General Intelligence Agency (responsible for government and CII incident response) and the Public CSIRT/CC under MDDIC (serving the broader public and private sector). A Cybersecurity Council provides unified coordination and policy oversight.

source 1 ↗source 2 ↗

Budapest Convention Alignment

Mongolia's Criminal Code Chapter 26 was amended in conjunction with the Cyber Security Law to align cybercrime definitions with the Council of Europe Budapest Convention, to which Mongolia is a party. Related amendments were also made to the Laws on Communications, Infringement, and Criminal Procedure.

source 1 ↗source 2 ↗

2025 Capacity Review & Strategic Plan

An Oxford GCSCC Cybersecurity Capacity Maturity Model review published in February 2025 confirmed the law's functional status but identified implementation gaps: absent national audit standards, weak enforcement mechanisms, and limited skilled personnel. MDDIC's 2024–2028 Strategic Plan (adopted January 2025) commits to strengthening enforcement, awareness, and ethical AI governance.

source 1 ↗source 2 ↗

Mongolia - other topics

Crypto & Digital Assets Artificial Intelligence Data & Privacy Digital Payments & Fintech Digital Nomad & Residency Internet & Online Safety Starting a Business

Read in:Spanish French German Portuguese Hindi

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →