Cybersecurity in Uzbekistan: Legal Regulation and Protection Mechanisms

The digitalization of social relations and the expanded use of information technologies generate new threats requiring comprehensive legal regulation. Cyber threats affect not only the interests of individuals and organizations but also national security as a whole. In this regard, the adoption of the Law of the Republic of Uzbekistan “On Cybersecurity” (No. ZRU-764 of April 15, 2022) became an important step in establishing a national system for combating cybercrime and strengthening the legal foundations for protecting critical information infrastructure.

The law defines cybersecurity as the state of protection of the interests of individuals, society, and the state against external and internal threats in cyberspace. The purpose of regulation is to establish legal mechanisms for the prevention, detection, and elimination of cyberattacks, as well as the minimization of the consequences of cybersecurity incidents.

Key Principles of Cybersecurity

The law establishes several key principles, including:

• Legality and supremacy of the Constitution
• Priority of protecting the interests of individuals, society, and the state
• Unified approach to regulation and the formation of a national cybersecurity system
• Priority for domestic producers in technology development
• Openness to international cooperation

These principles reflect a balance between the country’s internal priorities and the need for integration into global cyberspace.

Institutional System

A key role in the field of cybersecurity is performed by the State Security Service of the Republic of Uzbekistan, defined as the authorized state body. Its powers include:

• Developing normative acts and state programs
• Organizing monitoring and investigation of incidents
• Certification and accreditation of critical information infrastructure (CII) facilities
• International cooperation and coordination of law enforcement agencies

Rights and Obligations of Cybersecurity Entities

Cybersecurity entities are recognized as legal entities and individual entrepreneurs who own or protect information systems. Their obligations include:

• Preventing unauthorized access and data leakage
• Notifying the authorized body of cyber incidents
• Ensuring data backup and recovery
• Using certified protection tools

Critical Information Infrastructure (CII)

Particular attention is paid to critical information infrastructure facilities, such as public administration, energy, transport, banking, healthcare, and other strategically significant sectors. Mandatory requirements are set for certification, accreditation, and continuous monitoring. In addition, a unified state register of CII facilities operates.

The law emphasizes Uzbekistan’s openness to international cooperation in combating cyber threats, including experience sharing, participation in global initiatives, and prevention of the use of national cyberspace for terrorist or other unlawful activities.

The legislation also provides for state support of cybersecurity entities through tax benefits, subsidies, encouragement of innovative activities, development of human resources, and research projects. This underlines the state’s strategic focus on the long-term development of the sector.

Law No. ZRU-764 is a fundamental act that shapes the national cybersecurity system in Uzbekistan. Its provisions ensure a balance between citizens’ rights, business interests, and the need for state protection of critical infrastructure. At the same time, the effectiveness of the law’s implementation largely depends on practical coordination between government bodies, business, and the international community.

Rights and Obligations in Cybersecurity Field