Cybersecurity regulation in Uzbekistan (2026)

Comprehensive law: Law of the Republic of Uzbekistan 'On Cybersecurity' (April 2022, ZRU-764); administered by the State Security Service (SSS) as authorised cybersecurity body and UZCERT as the national CERT

Country index: 85 · A

Uzbekistan enacted a dedicated Cybersecurity Law in April 2022, establishing an overarching framework covering critical information infrastructure (CII), mandatory certification of security tools, and the SSS as the principal regulator. Presidential Resolution PP-167 (May 2023) elaborated CII-specific obligations, Presidential Decree PQ-153 (April 2025) tightened breach-notification duties, especially for the financial sector, and Presidential Decree UP-38 (March 2026) launched a new National Cybersecurity Strategy for 2026–2030.

Key points

Core Cybersecurity Law (2022)

The Law 'On Cybersecurity' (signed 15 April 2022, ZRU-764) consists of 8 chapters and 40 articles covering the legal basis of cyber protection, roles of state bodies, CII registration, certification requirements for hardware/software, and liability for violations.

Regulatory Authority

The State Security Service (SSS) is the authorised state body for cybersecurity policy and maintains the unified register of CII facilities. The Inspectorate for Control in the Sphere of Information and Telecommunications under the Ministry of Digital Technologies serves as the operational/executive arm.

CII Obligations (PP-167, May 2023)

Presidential Resolution No. PP-167 (31 May 2023) requires operators of CII facilities (spanning banking, energy, telecoms, agriculture, health, defence, IT, and mining) to establish dedicated cybersecurity units or engage registered outsourcing providers, and to implement multi-factor authentication and secure connections for public-facing systems.

Breach Notification & 2025 Tightening

Presidential Decree No. PQ-153 (30 April 2025) introduced compulsory breach-notification obligations with particular emphasis on the financial sector, legal liability for data incidents, and a requirement to report significant cyber-incidents within 24 hours to the regulator; non-compliance can trigger administrative investigation and suspension of digital operations.

National CERT & Sector CERTs

UZCERT (uzcert.uz) functions as the national computer emergency response team for coordinating incident response. The Central Bank operates a dedicated CERT-CBU for the banking sector, reflecting a layered incident-handling architecture.

National Cybersecurity Strategy 2026–2030

Presidential Decree UP-38 (signed 10 March 2026) adopted a five-pillar Cybersecurity Strategy covering national cyber resilience, CII protection, cybercrime combat, AI-based cybersecurity development, and international cooperation; it mandates dedicated cybersecurity units across all government agencies from 1 April 2026 and a 'Zero Trust' framework for large-scale public-data operators.

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.