Cybersecurity regulation in Tajikistan (2026)

There is no single overarching cybersecurity act. Information security is regulated through several separate laws — the Law on Informatization (2001), the Law on Protection of Information (2002) and related decrees — rather than a unified framework.

Crimes against information security are codified in Section XII, Chapter 28 of the Criminal Code, including illegal access (Art. 298), illegal interception (Art. 301-1), data/system interference (Arts. 299–300) and misuse of devices (Arts. 302–303). Implementation of several Budapest Convention offences is only partial.

The Law on Personal Data Protection (No. 1537, 3 Aug 2018) requires operators to secure personal data and is the main source of a breach-notification duty; the authorized data-protection state body is designated by the President.

Under the personal data law, operators must notify the relevant authority and affected individuals in the event of a data breach. There is no published, generally-applicable critical-infrastructure incident-reporting regime or national CERT obligation comparable to NIS2.

A Concept of Information Security and the National Strategy 'ICT for Development of the Republic of Tajikistan' (Presidential Decree No. 1174, 5 Nov 2003) provide the strategic basis, but these are policy instruments rather than binding sectoral cybersecurity duties on operators.

The Communication Service acts as sector regulator while individual state bodies hold parallel powers in their domains. Since 2001 operators must install operational-search (SORM-style) capabilities granting the state access to communications data.