Uzbekistan has adopted its first Law "On Cybersecurity" (No. ORQ-764 dated 15 April 2022) (the Law), which comes into force on 17 July 2022. We previously informed you that the draft law was under discussion in Uzbekistan's parliament, the Oliy Majlis.
The full text of the Law is available here (in Uzbek and Russian).
Is it relevant for my business?
The new requirements may affect your business if you own, lease or otherwise lawfully hold, operate or interact with information systems used in the following areas ("critical facilities"):
- Public administration and the provision of public services
- National security
- Law enforcement
- Fuel and energy industries (including nuclear energy)
- Chemical and petrochemical industries
- Water management and water supply
- Public health
- Housing and utility services
- Banking and finance
- Information and communication technologies
- Ecology and environmental protection
- Extraction and processing of minerals of strategic importance
- Other sectors of the economy and the social sphere.
Who is the cybersecurity regulator?
The State Security Service of the Republic of Uzbekistan is the regulator in the field of cybersecurity. The Office of the President of the Republic of Uzbekistan sets the unified public policy on cybersecurity.
How can these changes affect your business?
Operators of critical facilities will have the following obligations:
- Comply with the cybersecurity requirements defined by the regulator
- Implement additional (higher-than-baseline) cybersecurity requirements once they are approved by the regulator
- Ensure the continuous operation of critical facilities
- Retain the data of critical facilities (by keeping a backup copy) for at least the preceding three months
- Grant the regulator access rights to monitor the state of cybersecurity, and connect the corporate cybersecurity system to the regulator's cybersecurity incident monitoring and management system
- Certify hardware, firmware and software
- Install and operate monitoring systems to prevent cyber-attacks, eliminate their consequences and respond to cybersecurity incidents
- Comply with the regulator's instructions to eliminate detected violations
- Prevent the unlawful disclosure, theft, loss, corruption (loss of integrity), blocking and falsification of data, as well as other forms of unauthorized access, and take timely and appropriate measures when such incidents are detected
- Where applicable, undergo cybersecurity certification, a cybersecurity compliance review and a cybersecurity assessment
- With respect to cybersecurity incidents:
  - Ensure the functioning of Computer Attack Detection and Response Centers or, in their absence, outsource such services with the regulator's permission
  - Notify the regulator of incidents and cybercrimes
  - Take measures to prevent the loss of relevant digital traces so that incidents can be fully investigated
  - Provide permanent storage of the information needed for cybersecurity incident analysis and cybercrime investigations
  - Take actions to minimize the negative consequences of an incident and measures to restore access promptly
What actions should be taken?
If you think your business qualifies as a critical facility, you should prepare an action plan in case the regulator enters your business in the unified register of critical facilities. Such qualification may entail financial costs (e.g., buying hardware and software approved by the regulator) as well as organizational changes (e.g., creating a dedicated cybersecurity team of specialists duly certified by the regulator, and liaising with the regulator).