Uzbekistan: Cybersecurity

1. GOVERNING TEXTS

1.1. Legislation

In Uzbekistan, there was no specific law on cybersecurity until 15 April 2022. General cybersecurity issues, such as security in telecoms and on the internet, were addressed piecemeal in several laws already in force. At the time of publication, the Law of the Republic of Uzbekistan of 15 April 2022 No. RK-764 on Cybersecurity (only available in Uzbek and Russian here) ('the Law on Cybersecurity') has not yet fully consolidated the cybersecurity provisions of those sector-specific laws.

The Law on Cybersecurity mostly regulates the powers of the State Security Service of the Republic of Uzbekistan ('DXX') without elaborating the particular mechanisms by which those powers and duties are exercised. It states directly that such mechanisms are either regulated 'in accordance with legislation' or 'developed by [the regulatory authority]'. It should also be noted that the Law on Cybersecurity introduced substantive notions, which are analysed below, and consolidated the bare minimum of cybersecurity legislation that had been scattered among several sector-specific laws, as well as presidential and government by-laws.

Article 10 of the Law of the Republic of Uzbekistan No. 512-XII of 13 January 1992 on Communication (only available in Russian here) ('the Law on Communications') restates the principle of privacy of correspondence, as provided for in the Constitution of the Republic of Uzbekistan of 8 December 1992, and imposes administrative and criminal liability on communications workers for violations.

The Law of the Republic of Uzbekistan No. 1006-XII of 28 December 1993 on Certification of Products and Services (only available in Russian here) ('the Law on Certification') indirectly regulates issues of security, namely:

  • Article 10, under which the Standardisation Agency elaborates and implements security and safety requirements for products where no such requirements yet exist; and
  • Article 14, under which customs authorities do not permit customs clearance of products that do not comply with safety requirements.

Based on the above two provisions, the current legislation imposes compulsory certification of (imported) information services (Item 15 of Decree of the Cabinet of Ministers No. 137 of 26 March 1999 (only available in Russian here) ('the Decree of the Cabinet of Ministers No. 137')).

Article 12 of the Law of the Republic of Uzbekistan No. 221-I of 26 April 1996 on Consumer Protection (only available in Russian here) ('the Law on Consumer Protection') relates to the consumers' right to the safety of goods (works, services), i.e. that such goods are manufactured (executed) in compliance with, among other things, radiological norms and rules and are safe for consumption and do not cause harm to consumer property.

Moreover, a service provider is obliged to ensure the safety of its services during their established service life or, where none is established, for ten years from the date the services were provided to the consumer. If the safe use of the services requires compliance with special rules, the service provider must develop such rules and bring them to the consumer's attention. If the causes of harm cannot be eliminated, the service provider is obliged to stop providing the services.

The Law of the Republic of Uzbekistan No. 400-I of 24 April 1997 on Guarantees and Freedom of Access to Information (only available in Russian here) ('the Law on Access to Information') and subsequent legislation (namely, the Law on Principles of Freedom of Information, discussed below) further develop the constitutional principle of freedom of information. Public authorities and their officers cannot disclose information containing state or other secrets protected by legislation. Within the context of the applicable legislation, 'other secrets' comprise official, commercial, or any other secrets of legal entities and individuals which have become known to state officers in the course of considering their applications (Article 9 of the Law on Access to Information).

Under the Law of the Republic of Uzbekistan No. 725-I of 25 December 1998 on Radio Frequency Spectrum (only available in Russian here) ('the Law on the Radio Frequency Spectrum'), users of the radio frequency spectrum must take security measures to protect information, including (Article 18-1 of the Law on the Radio Frequency Spectrum):

  • the exclusion of unauthorised access to transmitted information, uncontrolled use and interruption of communication systems, as well as their use for purposes detrimental to the individual, society, and the state;
  • confidentiality and integrity of information (data) in the process of its transmission; and
  • the invariability of the communication operation mode in case of attempts of unauthorised or unintentional interference.

Furthermore, the Law on the Radio Frequency Spectrum imposes several prohibitions during the use of radio communications, such as on:

  • the interception of radio broadcasts (radio communications) not intended for general use by the population;
  • disclosure of the existence or content of radio broadcasts, or the publication or use without permission of any information received as a result of accidental reception (radio interception) of radio broadcasts not intended for them (radio conversations);
  • the transmission of messages directly or indirectly relating to information constituting state, military, official, or commercial secrets; and
  • the use of radio equipment by persons who are not licensed to operate radio frequency equipment.

Where a radio communication intended for another person is received, retaining it, or disclosing, distributing, or modifying its content or the fact of its existence, is prohibited, except in cases provided by law (Article 18-2 of the Law on the Radio Frequency Spectrum).

Monitoring of the radio frequency spectrum by the Ministry for Development of Information Technologies and Communications ('MITC') and the relevant authorities (Ministry of Defence and State Security Service) is not a violation of the confidentiality of radio communications (Article 19 of the Law on the Radio Frequency Spectrum).

The Law of the Republic of Uzbekistan No. 439-II of 12 December 2002 on Principles and Guarantees on Freedom of Information (only available in Russian here) ('the Law on Principles of Freedom of Information') elaborates the test to determine which information should be protected. According to the Law on Principles of Freedom of Information, any information, unlawful treatment of which may cause damage to its owner, possessor, user, or other persons, is subject to protection. This protection is carried out in order (Article 11 of the Law on Principles of Freedom of Information):

  • to prevent threats to the security of individuals, society, and the state in the field of information;
  • to maintain confidentiality of information, preventing its leakage, theft, or loss; and
  • to prevent any distortion or falsification of information.

The information security of persons is ensured by creating the necessary conditions and guarantees of free access to information, protecting privacy secrets, and protecting against illegal information influences. It is forbidden to use information about individuals in order to cause them material damage or moral harm, or for obstructing the exercise of their rights, freedoms, and legitimate interests (Article 13 of the Law on Principles of Freedom of Information).

Legal entities and individuals receiving, owning, and using information about citizens bear statutory responsibility for violating the terms of use of such information.

The information security of the State is ensured by (Article 15 of the Law on Principles of Freedom of Information):

  • the implementation of economic, political, organisational, and other measures to counter security threats in the field of information; and
  • the protection of state secrets and state information resources against unauthorised access.

Under the Law of the Republic of Uzbekistan No. 560-II of 11 December 2003 on Informatisation (only available in Russian here) ('the Law on Informatisation'), information resources and information systems are protected in order to (Article 19 of the Law on Informatisation):

  • ensure information security of the individual, society, and the state;
  • prevent leakage, theft, loss, distortion, blocking, falsification of information resources, and any other unauthorised access to such resources;
  • prevent unauthorised actions to destroy, block, copy, distort information, and other forms of interference in information resources and information systems; and
  • preserve state secrets and confidential information contained in information resources.

Information resources and information systems whose improper handling could harm their owners, possessors, or other legal entities and individuals are subject to protection. State bodies, legal entities, and individuals shall ensure the protection of information resources and systems containing state secrets and confidential information.

The procedure for organising the protection of information resources and information systems containing information on state secrets and confidential information is determined by the Cabinet of Ministers of the Republic of Uzbekistan (Article 20 of the Law on Informatisation).

State bodies, legal entities, and individuals may include their information systems in international information networks and in the global internet information network in the manner prescribed by law. The inclusion of information systems containing information resources of limited access in international information networks and in the global internet information network is carried out only after the adoption of the necessary protective measures (Article 21 of the Law on Informatisation).

The Law of the Republic of Uzbekistan No. 611-II of 29 April 2004 on Electronic Document Management (only available in Russian here) ('the Law on Electronic Document Management') extends the general principle of protection of paper-based documents to their electronic versions. This protection is carried out in order to prevent damage to the participants of electronic document management or other legal entities and individuals in the manner prescribed by legislation (Article 17 of the Law on Electronic Document Management).

According to the Law of the Republic of Uzbekistan No. 613-II of 29 April 2004 on Electronic Commerce (only available in Russian here) ('the Abrogated Law on E-Commerce'), it was prohibited to use personal data for purposes other than those of the contract in electronic commerce, and to transfer such data to third parties, unless otherwise provided by agreement of the parties and/or legislation. It was also prohibited to use personal data without the consent of its owner to distribute offers and/or advertising, including by mass mailing of electronic documents or electronic messages (Article 18 of the Abrogated Law on E-Commerce). The Abrogated Law on E-Commerce was repealed by the new edition of the Law No. ZRU-792 of 29 September 2022 on Electronic Commerce (only available in Russian and Uzbek here). The new Law contains no special provisions on personal data and only refers indirectly to the Law of the Republic of Uzbekistan of 2 July 2019 No. ZRU-547 on Personal Data (only available in Russian here) ('the Law on Personal Data').

The Law of the Republic of Uzbekistan No. 660-II of 26 August 2004 on Countering Legalisation of Proceeds from Crime, the Financing of Terrorism and the Financing of the Proliferation of Weapons of Mass Destruction (only available in Russian here) ('the AML/CFT Law') exemplifies exceptional cases in which providing information on financial or proprietary transactions of legal entities and individuals, or other information, in the established manner, to a specially authorised state body is not a violation of commercial, banking, or other types of secret protected by law (Article 18 of the AML/CFT Law). A specially authorised state body and its employees are required to ensure the confidentiality and safety of any information shared with them, which constitutes commercial, banking, and other secrets (Article 19 of the AML/CFT Law).

Organisations conducting transactions with money or other property (i.e. banks and other financial (investment) institutions), the specially authorised state body, and other bodies involved in countering the financing of criminal activities (i.e. law enforcement agencies), should restrict access to information related to the fight against money laundering, financing of terrorism, and financing of proliferation of weapons of mass destruction, in accordance with the procedures established by law (Article 20 of the AML/CFT Law).

Under the Law of the Republic of Uzbekistan No. ZRU-374 of 11 September 2014 on Trade Secrets (only available in Russian here) ('the Law on Trade Secrets'), state bodies are obliged to create conditions ensuring the confidentiality of trade secrets provided to them by their owners or by entrusted persons. Employees of state bodies may not disclose or transfer to other persons, including other state bodies, trade secrets which have become known to them in the performance of their official duties, except as otherwise provided by law, nor use such trade secrets for personal or other purposes (Article 16 of the Law on Trade Secrets).

Cybersecurity issues concerning the processing of personal data are governed by the Law on Personal Data, under which the State guarantees the confidentiality of personal data. Confidentiality of personal data is a requirement binding on the owner or operator of personal data and on third persons with access to personal data. Furthermore, the owner or operator of the personal data and third parties must take all legal, organisational, and technical measures to protect personal data, ensuring (Article 27 of the Law on Personal Data):

  • protection from interference in private life;
  • the integrity and safety of personal data;
  • maintaining the confidentiality of personal data; and
  • prevention of unlawful processing of personal data.

Owners, operators, and third parties shall not disclose or disseminate personal data without the consent of the personal data subject (i.e. the person whose data is processed) or another legal ground (Article 28 of the Law on Personal Data).

The Law of the Republic of Uzbekistan No. ZRU-578 of 1 November 2019 on Payments and Payment Systems (only available in Russian here) ('the Law on Payment Systems') enumerates the protective measures that payment system operators and payment service providers must provide to users of these systems and customers of these services, including (Article 53 of the Law on Payment Systems):

  • continuous protection of payment information at all stages of its formation, processing, transmission, and storage;
  • a security regime sufficient to protect the confidentiality and integrity of information, including personal data of the payment services user;
  • protection of information networks, including the internet, as well as servers and communication channels, against possible attacks;
  • monitoring access to confidential data on payments and critical logistical and physical resources (such as information networks, information systems, databases, additional information protection products);
  • application of organisational and technical measures of information protection aimed at identifying security incidents, and ensuring the protection of information during the process of executing payments and money transfers;
  • taking measures to respond to identified incidents of violations of information protection; and
  • the analysis of the causes of identified incidents of violations of information security requirements, and the assessment of responses to such incidents and their results.

The State Standards of Uzbekistan (only available in Russian here), which were adopted on the basis of the corresponding international standards, establish the requirements for implementing an information security management system and the related information security requirements.

1.2. Regulatory authority 

1.2.1. GIS' jurisdiction in the field of cybersecurity

Before the enactment of the Law on Cybersecurity, the State Inspection on Control in the Field of Information and Telecommunications of the Republic of Uzbekistan ('GIS') was the regulatory authority. The GIS still exists, and several of its powers overlap with those of the DXX under the Law on Cybersecurity. However, the GIS lacks the investigative and 'rapid response' functions that the Law on Cybersecurity confers on the DXX and that lie at its core.

As per the Schedule 1 of Presidential Decree No. PP-4024 of 21 November 2018 on Measures to Improve the Control System for the Implementation of Information Technologies and Communications and the Organisation of their Protection (only available in Russian here) ('the Decree on ICT'), among the main tasks of the GIS is State (Governmental) control over:

  • compliance with the requirements of legislative acts, regulatory documents, and state standards (hereinafter referred to as 'laws') in the field of communications, informatisation, and telecommunication technologies (hereinafter referred as to 'telecommunications'); and
  • the efficiency of automation of work and management processes, the implementation and use of integrated information systems, interdepartmental data transmission and exchange networks, and the integration of state information resources, including the provision of electronic government services.

In accordance with the assigned tasks, the GIS carries out the following functions:

  • in relation to monitoring compliance with laws in the field of telecommunications:
    • identifies, studies, and verifies business entities operating in the field of telecommunications in violation of licensing requirements and conditions, as well as those operating without the appropriate licence;
    • monitors and verifies the implementation of laws in the provision of telecommunication services, postal services, as well as in the design, construction, reconstruction, expansion, and operation of telecommunication networks, including mobile communications, electronic equipment, high-frequency devices, and telecommunication systems;
    • carries out control, analysis, and verification of compliance with the established procedure for acquisition (transfer) in the territory of the Republic of Uzbekistan and the importation from abroad of electronic equipment, high-frequency devices, and telecommunication systems, and the use of certified equipment on networks and mail and telecommunications facilities;
    • controls, verifies, and monitors the parameters of radio emissions of radio electronic devices and high-frequency devices, and their compliance with the rules for using the radio frequency spectrum, and interacts with law enforcement agencies and other state bodies in monitoring, detecting, and prosecuting offences in the field of communications, information, and telecommunication technologies, the use of the radio frequency spectrum, and electronic digital signatures;
    • in the prescribed manner, monitors, studies, and verifies the compliance of operators and postal service providers with the rules of internal control established by law to combat the legalisation of proceeds from crime and the financing of terrorism, as well as the financing of the proliferation of weapons;
    • makes appropriate decisions based on the results of monitoring and inspections of revealed violations, issues instructions and sets deadlines for their elimination, makes proposals to the licensing authority on the suspension or termination of licences of business entities, and transfers materials on violations falling outside the jurisdiction and powers of the GIS to the relevant competent state authorities in the established manner;
    • analyses and summarises the results of the monitoring, prepares proposals for the elimination of identified deficiencies and violations, and submits them to the relevant state authorities;
    • interacts with state authorities (which monitor business entities operating in the field of telecommunication and information security, including the protection of restricted access information) on compliance with the terms and conditions of licence agreements for the type of services and product quality standards in the field of cryptographic information protection; and
    • imposes administrative penalties in accordance with the applicable law.

In the field of monitoring the effectiveness of the automation of work and management processes, implementation and use of integrated information systems, interdepartmental data transmission and exchange networks, integration of state information resources, including the provision of electronic public services, the GIS:

  • conducts analysis, assessment, and verification of the state of automation of work and management processes, implementation and use of integrated information systems, interdepartmental data transmission and exchange networks, and integration of state information resources;
  • analyses and summarises the results of studies of monitoring and verification of the processes of implementation and development of information and communication technologies in state and economic administration bodies, as well as local government bodies, and prepares relevant conclusions and proposals to eliminate any shortcomings identified; and
  • conducts research, verification, and monitoring of compliance with the reliability and timeliness of information provided on the state and development of information and communication technologies by state and economic management bodies, and local government bodies.

1.2.2. DXX and the Cybersecurity Centre's jurisdiction as per the Law on Cybersecurity

The DXX is the authorised state body in the field of cybersecurity according to Article 10 of the Law on Cybersecurity. It may also create 'a working body' which 'ensures cybersecurity' by transferring part of its powers to that working body. We believe that the State Unitary Enterprise 'Cybersecurity Centre' under the DXX ('the Centre') is such a working body, since before the enactment of the Law on Cybersecurity, Item 3 of Decree of the President of the Republic of Uzbekistan No. PQ-4452 of 14 September 2019 on Additional Measures to Control the Introduction of Information Technologies and Communications, to Improve the System of their Protection (only available in Uzbek here) ('Decree No. 4452') conferred certain analytical and monitoring functions on the Centre. As Decree No. 4452 is officially published only in extracts, we cannot establish the exact contours of the powers the Centre may have held before the enactment of the Law on Cybersecurity. The Centre itself states that it has the following main tasks:

  • collection, analysis, and accumulation of data on modern threats to information security, development of recommendations and proposals for the prompt adoption of effective organisational, and software and hardware solutions that ensure the prevention of acts of illegal penetration into information systems, resources, and databases of state bodies and organisations;
  • interaction with operators and providers of telecommunications networks, law enforcement agencies in the framework of analysis, identification of violators, methods and means used in the implementation of unauthorised or destructive actions in the information space;
  • carrying out attestation, examination and certification of hardware and software products, ICT, telecommunications equipment, and other technical means at informatisation objects (with the exception of state secrets);
  • assistance in the development and implementation of the information security policy of information systems and resources of state bodies and organisations;
  • development of proposals for improving the regulatory framework in the field of information security of state information systems and resources, as well as the national segment of the internet; and
  • timely notification of national internet users about emerging threats to information security in the national segment of the internet, as well as the provision of consulting services for information security.

This means that the DXX has already transferred its per se analytical, normative, and gate-keeping powers (functions) within the cyberspace to the Centre and the Law on Cybersecurity merely acknowledged the regulatory framework created by and existing under the by-laws.

The DXX inter alia has the following wide range of powers, conferred upon it under Article 11 of the Law on Cybersecurity ('Article 11 Powers'):

  • Analytical and organisational powers:
    • cyber protection of information systems and resources in emergency situations;
    • organisation of work to ensure cybersecurity and eliminate the consequences of cyber attacks on critical information infrastructure facilities;
    • organisation of work on cybersecurity certification of hardware and software in information systems and resources;
    • organisation of research and monitoring in the field of cybersecurity;
    • development and implementation of prevention plans in case of cyber attacks on critical information infrastructure facilities;
    • organisation of work on the implementation of means for detecting, preventing, and eliminating the consequences of cyber attacks, as well as taking measures regarding cybersecurity incidents at critical information infrastructure facilities; and
    • organising work to identify, collect, and analyse data on existing vulnerabilities and possible threats at critical information infrastructure facilities.
  • Investigative powers:
    • monitoring the implementation of laws and regulations on cybersecurity;
    • conducting operational-search activities, pre-investigation checks, and investigative actions on cybersecurity incidents;
    • taking measures to protect the rights and legitimate interests of users of information systems and resources;
    • conducting studies and inspections of information systems and resources of cybersecurity subjects, as well as at critical information infrastructure facilities;
    • regulation of the activities of cybersecurity units, services and groups of independent experts, and interaction with law enforcement agencies in the field of countering cyber threats;
    • involvement of law enforcement agencies and subjects of critical information infrastructure in the joint investigation of cybersecurity incidents at critical information infrastructure facilities; and
    • detection and prevention of cybersecurity incidents and taking appropriate measures, including to eliminate their consequences.
  • Normative powers:
    • development of regulations and government programs in the field of cybersecurity;
    • formation and maintenance of a unified register of critical information infrastructure objects;
    • determination of requirements for ensuring cybersecurity of critical information infrastructure facilities;
    • determination of the procedure for cybersecurity attestation of informatisation objects and critical information infrastructure objects;
    • determination of mechanisms for conducting an examination for compliance with cybersecurity requirements;
    • determination of methods for evaluating the implementation of cybersecurity at cybersecurity objects and critical information infrastructure;
    • categorisation of critical information infrastructure objects; and
    • classification of cybersecurity objects according to the level of cybersecurity provision.
  • Certification and gate-keeping powers:
    • licensing of activities for the development, production, and sale of means of cryptographic information protection;
    • implementation of training activities in the field of cybersecurity; and
    • conducting certification of employees involved in ensuring the cybersecurity of cybersecurity subjects, in the manner prescribed by law.

When exercising its Article 11 Powers, the DXX has statutory rights and duties stated in Articles 12 and 13 of the Law on Cybersecurity.

1.3. Regulatory authority guidance

The Centre has published its guidance (recommendations) in the form of an FAQ (only available in Uzbek here) ('the Centre's Guidance'). The Centre answers the following questions:

  • What technical tasks does the Centre examine?
  • How and when is the training of a cybersecurity officer carried out?
  • Who carries out evaluation within the information and cybersecurity monitoring system, and when?
  • How often and under which conditions is the organisation's information security policy reviewed?
  • On the basis of which regulatory document is an organisation's information security policy developed, and with which organisations must it be agreed?
  • Which regulatory document is the basis for the examination (audit) of an organisation's information security objects?
  • Which regulatory document is the basis for the information and cybersecurity compliance examination of an organisation's official website?
  • What does an applicant submit to the certification body to obtain a software conformity certificate?
  • Against the requirements of which regulatory documents are certification tests of software products carried out?
  • Does an organisation need to re-certify a software product if its version is updated?
  • How much does software certification cost?
  • How long does it take to obtain a certificate of conformity?
  • What are the benefits of a certificate of conformity?
  • How do the certification schemes differ?
  • Does the Centre examine tender documentation and documents on the procurement of information and communication technologies, hardware and software products, and protection equipment?

2. SCOPE OF APPLICATION

The personal scope

The laws listed above apply to legal entities and individuals, to foreign legal entities, and to citizens and stateless persons. Their scope also covers State bodies. As regards the State Standards of Uzbekistan, they are intended for use by all types of organisations (commercial enterprises, government agencies, non-profit organisations) of all sizes.

The Law on Cybersecurity defines its personal scope by the notion of a 'subject of cybersecurity' which means 'a legal entity or an individual entrepreneur that has certain rights and obligations related to the possession, use and disposal of national information resources and the provision of information electronic services for their use, information protection and cybersecurity, including subjects of critical information infrastructure'.

The territorial and extraterritorial scope

The aforementioned laws, including the Law on Cybersecurity, apply throughout the territory of the Republic of Uzbekistan. Their cybersecurity provisions are silent on applicability outside the territory of Uzbekistan. An extraterritorial scope of the Law on Cybersecurity might be inferred from the notion of 'cyberspace', which contains no indication of territorial boundaries and is broadly defined as a 'virtual environment created with the help of information technologies' (Article 3 of the Law on Cybersecurity).

The material scope

Before the enactment of the Law on Cybersecurity, the cybersecurity laws and regulations did not contain a systematic division of the types of information that were covered, adopting more of a piecemeal approach.  

Except for 'the cybersecurity of the system of operational-search activities on telecommunications networks and communication channels' (Part 2 of Article 2), the Law on Cybersecurity does not define its material scope. It can, however, be inferred from the Article 11 Powers of the DXX, which are the centre of gravity of the Law on Cybersecurity. In this regard, the Law on Cybersecurity regulates the 'object of informatisation' and the 'object of cybersecurity'. The former means 'information systems of various levels and purposes, telecommunications networks, technical means of information processing, premises where these means are installed and operated'. The Law on Cybersecurity defines the latter as 'a complex of information systems used in activities to ensure cybersecurity of information and cybersecurity of national information systems and resources, including objects of critical information infrastructure'. The information system is defined in the Law on Informatisation as 'an organizationally ordered set of information resources, information technologies and means of communication, which allow collecting, storing, searching, processing and using information', where information resource means 'information, databank, database in electronic form as part of an information system, including audio, video, graphic and textual information posted or published in information systems with open access' and information technology means 'a set of methods, devices, and processes used to collect, store, search, process and disseminate information' (Article 3 of the Law on Informatisation).

3. DEFINITIONS

Information security program

Even after the enactment of the Law on Cybersecurity, the legislation does not contain the exact term 'information security program'. Instead, the Law on Principles of Freedom of Information contains the general term 'information security', defined as the state of protection of the interests of the individual, society and the State in the information sphere. The Article 11 Powers of the DXX merely include the 'organization of work on cybersecurity certification of … software in information systems and resources'. The Centre's Guidance defines the set of regulatory documents against which the Centre carries out certification tests of software products.

Database

According to the State Standard of Uzbekistan (O'z DSt 1135:2007) on requirements for databases and information exchange between the organs of state management and local state authorities (only available in Russian here) ('the State Standard on Databases'), a database is a collection of data organised according to certain rules that provide general principles for describing, storing and manipulating the data, regardless of application programs.

Cybersecurity incident

Before the enactment of the Law on Cybersecurity, the legislation did not contain a definition of 'cybersecurity' or of related terms such as 'cybersecurity incident'. Instead, the legislation used the term 'information security', which had the same meaning as 'cybersecurity'. Accordingly, the term 'cybersecurity incident' could be equated with the term 'information security incident', meaning a single event or a series of undesirable or unforeseen information security events that creates a significant probability of compromising business operations and threatening information security (only available in Russian here).

Article 3 of the Law on Cybersecurity expressly defines 'cybersecurity incident' as 'an event in cyberspace that led to failures in the operation of information systems and (or) violations of the availability of information in them, integrity and its unimpeded use'. Such an incident triggers the duty of the owner of the information resource or system in which it occurred to notify the DXX of the results of its own investigation, provided that the owner has the necessary resources and technical capabilities to conduct the investigation (Part 2 of Article 22). In the event of an incident, the owner takes the following measures:

  • prevent vulnerabilities and errors in software and hardware;
  • destroy malicious programs and limit their distribution and the source of cyber attacks;
  • isolate informatisation objects from real cyber threats; and
  • inform law enforcement agencies about cybersecurity incidents (Article 23 of the Law on Cybersecurity).

The owner of the information resource may not use information about identified cyber threats and vulnerabilities for purposes other than eliminating such threats and vulnerabilities and preventing illegal activities (Article 24 of the Law on Cybersecurity). The Law on Cybersecurity is, however, silent on whether an owner that carried out its own investigation may disclose the occurrence of the cybersecurity incident after taking the foregoing security measures. The DXX itself may disclose such information with the consent of the subject of cybersecurity.

Network and Information Systems

The equivalent term in the current legislation is 'telecommunications network', which means a set of telecommunications facilities that provide one or more types of transmission: telephone, telegraph, facsimile, data and other types of documentary messages, and the broadcasting of television and radio programmes.

The second definition, which may cover the meaning of the 'network and information systems', is 'information system'. This is an organisationally ordered set of information resources, and information technologies and communications, allowing the collection, storage, search, processing, and use of information.

Critical Information Infrastructure Operators

Before the enactment of the Law on Cybersecurity, the legislation did not provide a definition of this term. It was mentioned only once, in paragraph 3 subparagraph 4 of the preamble to the Decree on ICT. Additionally, the GIS published a draft Resolution of the Cabinet of Ministers on Measures to Ensure Cybersecurity of the Critical Information Infrastructure of the Republic of Uzbekistan (only available in Russian here) ('the draft Resolution'). There the term meant objects of informatisation, including automated systems for various purposes operating in the fields of healthcare, science, transport, communications, energy, banking and other areas of the financial market, the fuel and energy complex, and the mining, metallurgical and chemical industries. However, the draft Resolution was never introduced into the legislation. Article 3 of the Law on Cybersecurity kept the draft Resolution's approach of non-exhaustively listing the 'objects of critical information infrastructure' and gave an objective definition of critical information infrastructure as 'a complex of automated control systems, information systems and resources of networks and technological processes of great strategic and socio-economic importance'. Based on the Article 11 Powers, it may be inferred that the Law took the approach of exhaustively listing every category of such objects in a separate Unified Register of Critical Information Infrastructure created and maintained by the DXX (Article 25 of the Law on Cybersecurity). To date, no separate by-laws or regulations on this matter have been introduced.

Although the Law on Cybersecurity does not contain separate provisions regarding 'critical information infrastructure operators', in our understanding such operators form part of the more general notion of 'subjects of critical information infrastructure', at the core of which is the entitlement to objects of critical information infrastructure and their operation. Namely, the Law on Cybersecurity states that such subjects are 'State bodies and organizations, as well as legal entities that are entitled to objects of critical information infrastructure on the basis of ownership, lease or other title, including legal entities and/or individual entrepreneurs that ensure the operation and interaction of objects of critical information infrastructure' (Article 14 of the Law on Cybersecurity). Such subjects' own systems for ensuring the cybersecurity of critical information infrastructure objects are, by decision of the DXX, connected to the DXX's system for monitoring and managing cybersecurity incidents at critical information infrastructure objects (Articles 29 and 30 of the Law on Cybersecurity). Among others, these subjects have statutory duties to:

  • ensure the continuous functioning of information systems of critical information infrastructure facilities;
  • install and operate monitoring systems in compliance with the technical requirements for the operation of hardware and software to prevent cyber attacks, eliminate their consequences, as well as take measures in relation to cyber security incidents at critical information infrastructure facilities;
  • provide the authorised state body with access rights to monitoring systems or to critical information infrastructure facilities for the implementation of organisational and technical measures for monitoring the state of ensuring cybersecurity; and
  • notify the authorised state body when changing information about the object included in the unified register of critical information infrastructure objects (Article 28 of the Law on Cybersecurity).

Operator of Essential Services

Even after the enactment of the Law on Cybersecurity, the legislation does not expressly describe providers of essential services. The Labour Code of the Republic of Uzbekistan of 21 December 1995 (only available in Russian here) ('the Labour Code') mentions types of labour activity whose suspension is impossible due to production, technical and other conditions. The Law on Cybersecurity does not regulate operators and owners differently; both come under the single heading of 'subjects of critical information infrastructure'.

Cloud Computing Services

The current legislation does not contain this term. However, its meaning may be covered by the term 'means of information exchange', which is defined as information systems and communication networks used in information exchange.

Digital Service Providers

The equivalent of this term in the current legislation is 'telecommunications service provider' (i.e. a legal person who provides telecommunications services to users through a network of operators).

The term 'telecommunication' means the transmission, reception, processing of signals, signs or texts, images, sounds, or other types of information using wired, radio, optical, or other electromagnetic systems.

The term 'owner of information resources or information systems' means a legal entity or an individual who owns, uses, and disposes information resources or information systems.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

Uzbek legislation does not contain requirements relating specifically to the implementation of an information management system or framework in general. Instead, in accordance with the Law of the Republic of Uzbekistan No. 1002-XII of 28 December 1993 on Standardisation ('the Law on Standardisation'), the 'Uzstandart' Agency has established and introduced the State Standard of Uzbekistan on Information technology – Security techniques – Information security management systems – Requirements (O'z DSt ISO 27001:2020) (ISO 27001:2013, IDT) ('the State Standard on IT').

The State Standard on IT sets out detailed requirements for implementing an information security management system; the main ones are summarised here. The first requirement is that the entity determine the external and internal issues that affect its ability to achieve the intended outcome(s) of its system. It must also determine the boundaries and applicability of the system in order to establish its scope, and the scope shall be available as documented information. The next requirement is to determine and provide the resources needed to establish, implement, maintain and continually improve the system. As regards planning, the standard requires the entity to:

  • plan actions to address the risks and opportunities and how to integrate and implement them into its system's processes;
  • define and apply the processes of an information security risk assessment and information security risk treatment; and
  • establish information security objectives at relevant functions and levels.

Importantly, the entity shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. The entity also shall ensure that outsourced processes are determined and controlled.

4.1.Cybersecurity training and awareness

The State Standard of Uzbekistan on Information technology – Security techniques – Code of practice for information security management (O'z DSt ISO/IEC 27002:2016) (only available in Russian here) ('the State Standard on Managing Information Security') provides that all personnel of the organisation, as well as contractors, are required to undergo education and training in the field of information security. In addition, employees should regularly receive updated versions of the information security policies and procedures adopted by the organisation.

The organisation should develop an information security awareness programme aimed at raising the level of personnel knowledge in this area. The programme should be developed in line with the organisation's information security policies and relevant procedures, taking into account the protection required for the organisation's information and the information security controls that have been implemented. Education and training in the field of information security should be conducted at regular intervals. Employees transferred to another position or role with significantly different information security requirements, as well as interns, must undergo initial education and training before taking up the new position (Clause 7 of the State Standard on Managing Information Security).

The Law on Cybersecurity states that the DXX conducts attestation of employees involved in ensuring the cybersecurity of cybersecurity subjects and of employees responsible for ensuring the cybersecurity of critical information infrastructure facilities (Articles 11 and 29 of the Law on Cybersecurity). The Law on Cybersecurity does not set out the procedure for such attestation; rather, it states that the procedure is determined in separate by-laws, which are yet to be enacted.

4.2. Cybersecurity risk assessments

In accordance with the State Standard on IT, the information security risk assessment shall be performed at planned intervals or when significant changes are proposed or occur. The organisation shall define and apply an information security risk assessment process that:

  • establishes and maintains information security risk criteria that include:
    • the risk acceptance criteria; and
    • criteria for performing information security risk assessment; 
  • ensures that repeated information security risk assessments produce consistent, valid and comparable results;
  • identifies the information security risks, namely:
    • applies the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability of information within the scope of the information security management system; and
    • identifies the risk owners;
  • analyses the information security risks; and
  • evaluates the information security risks.

To determine information security risk effectively, the scope of the assessment must be clearly defined. The organisation shall retain documented information about the information security risk assessment process and its results (Clause 8 of the State Standard on IT).

Certain Article 11 Powers of the DXX relate to cybersecurity risk assessments (Article 11 of the Law on Cybersecurity). Additionally, the Law on Cybersecurity generally regulates:

  • Examination for compliance with cybersecurity requirements which is carried out on a mandatory basis or at the initiative of cybersecurity subjects. Examination for compliance with cybersecurity requirements is mandatory for information resources and/or systems of State bodies and information systems included in the category of critical information infrastructure objects (Article 18 of the Law on Cybersecurity).
    • The DXX determines the procedure for conducting an examination for compliance with cybersecurity requirements. The Centre's Guidance, in its answer to Question six (which regulatory document is the basis for the examination (audit) of an organisation's information security objects?), refers only to a mandatory procedure for examinations (audits) of informatisation objects of state bodies and other organisations for compliance with information security requirements (Paragraph 6 of the Decree of the President of the Republic of Uzbekistan No. PP-4751 dated 15 June 2020 (only available in Russian here)).
  • Certification of hardware and software used to ensure cybersecurity of information systems and resources. Hardware and software used to ensure the cybersecurity of information systems and resources of state bodies and organisations, as well as critical information infrastructure facilities, are subject to mandatory certification (Article 19 of the Law on Cybersecurity).
    • The DXX determines the procedure for such certification. The Centre's Guidance only lists the State Standards applied when carrying out certification (including the State Standard of the Republic of Uzbekistan on Automated Settlement Systems with Users of Telecommunications Services (O'z DSt 3065:2016) (only available in Russian here); the State Standard of the Republic of Uzbekistan on Systems and Software Quality Requirements and Evaluation (O'z DSt ISO/IEC 25051:2018) (only available in Russian here); and the State Standard on Databases).
  • Attestation of objects of informatisation and objects of critical information infrastructure. Such attestation is a set of organisational and technical measures aimed at determining the compliance of the actual state of protection of informatisation objects with the requirements of State Standards and laws and regulations in the field of cybersecurity (Article 20 of the Law on Cybersecurity). Categories of informatisation objects and critical information infrastructure objects subject to the attestation are determined in accordance with a legislative act (which is yet to be enacted).
    • The DXX determines the procedure for attestation of informatisation objects and critical information infrastructure objects for compliance with cybersecurity requirements.
  • Assessment of the level of ensuring cybersecurity. Such assessment is a set of organisational and technical measures aimed at determining the state of security of information systems and resources, as well as the effectiveness of organisational measures taken (Article 21 of the Law on Cybersecurity). Categories of informatisation objects and critical information infrastructure objects subject to mandatory assessment are determined in accordance with a legislative act (which is yet to be enacted).
    • The DXX determines the procedure for assessing the level of ensuring cybersecurity and issues binding orders to eliminate the deficiencies identified as a result of the assessment.

4.3. Vendor management

Information security policy

In accordance with the State Standard on Managing Information Security, an entity shall agree and document information security requirements with its vendors in order to minimise the risks associated with vendor access to the entity's assets. The entity must determine and implement information security controls, and its policy should address the question of vendor access to the entity's information. Since the entity's information may be exposed to a security breach at the moment of vendor access if security is inadequately managed, the organisation must introduce and apply controls governing vendor access to its information processing facilities (Clause 15.1.1 of the State Standard on Managing Information Security). In its Guidance, the Centre answers the following questions:

  • How often and under which conditions is the organisation's information security policy reviewed? The organisation's information security policy is reviewed annually, in the event of changes to the information infrastructure, and on an unscheduled basis.
  • The information security policy of the organisation is developed based on which regulatory document and agreed with which organisations? The information security policy of the organisation is developed in accordance with the 'Methodological Guidelines for the Development of Information Security Policy on the Territory of the Republic of Uzbekistan', approved by Annex No. 10 to the Protocol of the Republican Commission for the Coordination of the Development of the National Information and Communication System of the Republic of Uzbekistan for 2013-2020 dated 23 February 2016 No. 7 (not publicly available). The information security policy is coordinated with the Ministry of Digital Technologies of the Republic of Uzbekistan and with the GIS.

Agreements with vendors on information security

The entity must establish appropriate information security requirements and agree them with each vendor that may access, process, store or transmit the entity's information. The agreement must also provide for continuing the processing of information if the vendor is unable to deliver its products or services (Clause 15.1.2 of the State Standard on Managing Information Security).

Management of services provided by vendors

Additionally, the organisation must regularly monitor, review and audit the services provided by the vendor. Monitoring and review of vendor services should ensure compliance with the information security terms of the agreements, as well as the proper management of information security incidents and problems. To monitor fulfilment of the agreement's requirements, in particular its information security requirements, personnel with sufficient technical skills and sufficient resources must be allocated (Clause 15.2.1 of the State Standard on Managing Information Security).

4.4. Accountability/record keeping

Audit procedures

The State Standard on IT states that an entity shall conduct internal audits at planned intervals to provide information on whether the System:

  • conforms to the organisation's own requirements for its System and to the requirements of the State Standard on IT; and
  • is effectively implemented and maintained.

The entity shall plan, establish, implement and maintain an audit programme, including the frequency, methods, responsibilities, planning requirements and reporting.

The audit programme shall take into consideration the importance of the processes concerned and the results of previous audits, and the entity shall:

  • define the audit criteria and scope for each audit;
  • select auditors and conduct audits so as to ensure the objectivity and impartiality of the audit process;
  • ensure that the results of the audits are reported to relevant management; and
  • retain documented information as evidence of the audit programme and the audit results (Clause 9.2 of the State Standard on IT).

5. DATA SECURITY

Security policy

Top management of an entity shall establish an information security policy that:

  • is appropriate to the purpose of the organisation;
  • includes information security objectives or provides the framework for setting information security objectives;
  • includes a commitment to satisfy applicable requirements related to information security;
  • includes a commitment to continual improvement of the System; and

The information security policy shall:

  • be available as documented information;
  • be communicated within the entity;
  • be available to interested parties, as appropriate (paragraph 5.2 of the State Standard on IT).

The Centre provides a state service on the assistance in the development of an information security policy.

Cryptography

Requirements relating to cryptography are set out in the Resolution of the President of the Republic of Uzbekistan No. PP-614 of 3 April 2007 on measures for the organisation of cryptographic protection of information in the Republic of Uzbekistan (only available in Russian here) and developed in accordance with the State Standard on Managing Information Security. Resolution No. PP-614 approves a Regulation containing detailed requirements on the development, production, implementation (distribution), use, export and import into Uzbekistan of means of cryptographic protection of information. The requirements of this Regulation are mandatory for the cryptographic protection of:

  • information containing data that are classified as state secrets;
  • confidential information owned by state organisations;
  • confidential information in organisations, irrespective of their departmental affiliation and form of ownership, when supplying goods and services for the needs of state organisations.

In other cases, the requirements of the Regulation are of a recommendatory nature. The DXX carries out licensing of means of cryptographic information protection under its Article 11 Powers.

Payment systems

Payment system operators and payment service providers are required to:

  • apply multifactor authentication procedures for a payment service user when sending an order through communication channels;
  • organise a secure communication channel in remote service systems;
  • be able to maintain, store, and analyse relevant event logs; and
  • exchange confidential data through the internet as part of a communication session in encrypted form using licensed cryptographic information protection tools (Article 53 of the Law on Payment Systems).

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

In general, subjects of cybersecurity have the statutory duty to notify the DXX about the cybersecurity incidents and cybercrimes that have occurred, and corresponding duties:

  • to take measures to prevent the loss of the digital traces needed to fully investigate these incidents;
  • to ensure the permanent storage of information necessary for analysing cybersecurity incidents and investigating cybercrime (Paragraph 4 of Part 2 of Article 16 of the Law on Cybersecurity); and
  • to notify the DXX on the results of investigation of the owner of an information resource or system in which a cybersecurity incident occurred (Part 2 of Article 22 of the Law on Cybersecurity).

Upon detecting a breach of the information security regime, payment system operators and payment service providers are obliged to promptly inform the Central Bank of the Republic of Uzbekistan ('CBU') of the breach and of the measures taken to minimise its consequences. The CBU maintains a database of violations of the information security regime of payment systems (Article 57 of the Law on Payment Systems).

If irregular use of information exchange tools is detected, such as erroneous commands, commands caused by unauthorised actions of service personnel or other persons, or the discovery of false information, the owner of these tools must inform the authorities that control the information exchange (Item 11.3 of the Decree of the Cabinet of Ministers No. 137).

7. REGISTRATION WITH AUTHORITY

Not applicable.

8. APPOINTMENT OF A SECURITY OFFICER

The Law on Cybersecurity, in our understanding, indirectly points to the need to appoint a security officer in Article 34. In particular, the Law on Cybersecurity states that 'employees responsible for ensuring the cybersecurity of critical information infrastructure entities must constantly improve their skills in accordance with international and state standards and requirements'. However, the Law on Cybersecurity does not regulate such an appointment in detail. It merely states that the DXX carries out attestation of 'employees involved in ensuring the cybersecurity of cybersecurity subjects' under its Article 11 Powers. No by-law on such attestation has been enacted.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial Services

Cybersecurity in the financial sector is mainly regulated by the CBU. In 2019, the two main laws on the country's banking system were restated in a new edition. For this reason, the CBU restated its rules on cybersecurity in automated systems of banks via the Decree of the Management Board of the Central Bank of the Republic of Uzbekistan No. 3224 of 10 March 2020 on Approval of the Regulation on the Protection of Information in Automated Systems of Commercial Banks of the Republic of Uzbekistan (only available in Uzbek here) and the Decree of the Management Board of the Central Bank of the Republic of Uzbekistan No. 3260 of 30 June 2020 on Approval of the Minimum Requirements to Information Security of Microcredit Organisations (only available in Uzbek here).

These provisions do not regulate specific questions concerning blockchain or cryptocurrencies. They may be regarded as internal cybersecurity compliance rules that set out minimum or required security standards, the actions necessary in case of a breach, and the handling of unauthorised third-party access.

At present, Uzbekistan does not have a special law (Parliamentary Act) on blockchain and cryptocurrency. However, a draft law on the digital economy and blockchain technology was recommended in the Presidential Decree No. PP-3832 of 3 July 2018 on Measures for the Development of the Digital Economy in the Republic of Uzbekistan (only available in Uzbek here). At the moment, the fate of this draft law is unknown. Recently, however, the National Agency of Perspective Projects of the Republic of Uzbekistan ('NAPP') (the successor of the National Agency of Project Management) restated the Rules for Trading Crypto-Assets on the Crypto-Exchange (only available in Uzbek and Russian here), which regulate the fundamental institutions of crypto assets.

Nevertheless, the government aims to create special testing mechanisms before the enactment of a law on blockchain. Namely, in 2020 the National Agency of Project Management (NAPM) proposed to create a 'regulatory sandbox' for the development of digital technologies, 'Uzbekistan Blockchain Valley', in the draft Resolution No. ID-12538 on measures for the further development of the sphere of turnover of crypto assets in the Republic of Uzbekistan (draft only available in Russian here). The main aim of the proposal was to test and implement pilot projects on the introduction of blockchain technology and the turnover of crypto assets, with an implementation period of no more than three years starting from 2020. As with the draft law, the fate of this draft Resolution is also unknown.

From the current legislation on blockchain and cryptocurrencies, one can find provisions mainly concerning information disclosure and the Know Your Customer procedures which should be followed. At the moment, the NAPP prescribes that the servers of a functioning electronic system of crypto-exchange trading should be hosted on the territory of Uzbekistan. This is also a requirement for obtaining the licence to establish crypto-exchange trading under the Order on Approval of the Regulations on the Procedure for Licensing the Activities of Service Providers in the Field of Circulation of Crypto-Assets (only available in Uzbek and Russian here).

Health

Uzbekistan does not have special laws or regulations concerning cybersecurity in the health sector. However, fundamental concepts of cybersecurity and information disclosure can be found in the Law on Protection of Healthcare of Citizens of 29 August 1996 No. 265-I ('the Law on Protection of Healthcare of Citizens') (only available in Uzbek here), namely that: citizens have the right to receive information on factors affecting health, including information on the sanitary and epidemiological well-being of the residential territory, rational nutritional standards, products (and their safety), and compliance with sanitary regulations (Article 15 of the Law on Protection of Healthcare of Citizens); and there is a general prohibition on the disclosure of information which constitutes a medical secret (Article 45(2) of the Law on Protection of Healthcare of Citizens).

10. PENALTIES

An individual who has unlawfully received, disseminated, or used undisclosed information is obligated to compensate the person who lawfully possesses this information for damages caused by such unlawful use (Article 1096 of the Civil Code of the Republic of Uzbekistan (only available in Russian here) ('the Civil Code')).

In economic relations with consumers, service providers bear civil (contractual and delictual) liability towards consumers for the harm caused. The service provider is exempt from liability where the harm is caused as the result of unforeseen events (force majeure) or as the result of a violation of the established rules of use. The burden of proof for the two foregoing exemptions is on the service provider (Article 20 of the Law on Consumer Protection).

Administrative liability

A fine of between one-half and two times the base calculation amount for citizens and between two and five times the base calculation amount for officials (approx. €15 to €55 and €55 to €140) is imposed for the disclosure of information that could cause moral or material damage to a citizen (Article 46 of the Code on Administrative Liability (only available in Russian here) ('the Code on Administrative Liability')). For privacy violations, a fine of ten to forty times the base calculation amount (approx. €277 to €1,110) may be imposed (Article 46-1 of the Code on Administrative Liability). The base calculation amount is UZS 300,000 (approx. €28) as of 1 June 2022.

For violations of personal data legislation, fines range from five to ten times the base calculation amount (approx. €55 to €277) (Article 46-2 of the Code on Administrative Liability).

Criminal liability

In addition to administrative penalties, violations of the confidentiality of correspondence, telephone conversations, telegraphic, or other messages may also incur criminal liability, punishable by a fine of up to 25 times the base calculation amount (approx. €690), by deprivation of a certain right for up to three years, by compulsory community service for up to 360 hours, or by corrective labour of up to three years (Article 143 of the Criminal Code of the Republic of Uzbekistan (only available in Russian here) ('the Criminal Code')).

Disclosure of state secrets is punishable by restriction of certain liberties from three to five years or imprisonment from three to eight years (Article 162 of the Criminal Code). Restriction of liberty may include, inter alia, prohibitions on:

  • visiting certain places;
  • engaging in certain activities;
  • changing place of residence, work, or study;
  • establishing contacts with certain individuals; and
  • using communications equipment, including the internet.

The court may impose on a person sentenced to restriction of liberty the obligation to compensate for the material and moral damage he/she has caused, to take up employment or study, and other duties that contribute to his/her correction.

Unlawful collection, disclosure, or use of information is punishable by a fine of up to 100 times the base calculation amount (approx. €2,700), compulsory community service for up to 300 hours, or corrective labour for up to two years (Article 191 of the Criminal Code).

11. OTHER AREAS OF INTEREST

Code on Information (Axborot Kodeksi)

According to Schedule 2 of the Presidential Order No. PF-6012 of 22 June 2020 on the National Strategy of the Republic of Uzbekistan on Human Rights (only available in Russian here), the MITC, along with other state agencies, should develop the draft Code on Information by 20 January 2022. The aim of this Code will be the 'systematization of access to information as one of the most important factors in the development of civil and information society, protection of freedom in the information space, cyber security, adherence to media culture and online hygiene.'

The development of Legislation on Cybersecurity in Uzbekistan

According to the Decree of the President of the Republic of Uzbekistan No. UP-5953 of 2 March 2020 on the State Program for the Implementation of the Action Strategy for the Five Priority Areas of Development of the Republic of Uzbekistan in 2017-2021 in the Year of Development of Science, Education and the Digital Economy (only available in Uzbek here), it is planned to further improve the cybersecurity system and the basics of the state's information policy. By 1 September 2021, Uzbekistan plans to take measures to form the legal framework for cybersecurity, including the development of a National Cybersecurity Strategy for 2020-2023 and a Draft Law on Cybersecurity.

The National Cybersecurity Strategy for 2020-2023 will include:

  • regulation of the fight against crime in the national cyberspace;
  • formation of a unified cybersecurity system and a regulatory framework for the protection of critical infrastructure objects from cyber-attacks; and
  • strengthening cybersecurity measures in the country.

The Draft Law on Cybersecurity aimed to determine:

  • mechanisms for protecting information and communication technologies from modern cyber threats, and the introduction of modern cybersecurity measures for systems of various levels;
  • the rights and responsibilities of state bodies, enterprises, and organisations in the field of cybersecurity; and
  • the unification of regulatory legal acts in this area.

The planned Draft Law on Cybersecurity became the Law on Cybersecurity.

Moreover, the development of cybersecurity also takes place in the judicial field of Uzbekistan. The Resolution of the President No. PP-4818 of 3 September 2020 on measures to digitalize the activities of judicial authorities ('the Resolution') (only available in Russian here) underlines that the task of the State Unitary Enterprise Center for Scientific, Technical and Marketing Research UNICON.UZ is to develop, and to ensure the information security and cybersecurity of, the information systems planned for implementation in the activities of judicial authorities. The Resolution established the program of digitalization of the activities of judicial authorities in 2020-2023. The aim of this program is to strengthen the measures ensuring the information security and cybersecurity of information systems, databases, and other software products, and the comprehensive protection of the official information and data of court bodies. The deadline for program implementation is from 31 December 2022 to 1 July 2023.

Cybersecurity (2019 Results)

The Cybersecurity Centre published its cybersecurity results of 2019 (only available in Russian here). As per their data, "268 cybersecurity incidents were identified on the websites of the national segment of the Internet, of which 222 related to unauthorised downloading of content, 45 to defacement and 1 to hidden mining. 27 of the total number of incidents identified, are reported on government agencies' websites."

Cybersecurity (2020 Results)

The Cybersecurity Centre published its cybersecurity results for 2020 (only available in Russian here). As per their data, "342 cybersecurity incidents were identified on the websites of the domain zone "UZ", of which 306 related to unauthorised downloading of content, and 36 to unauthorised modification of the main page". Additionally, public-sector websites (81 incidents) were attacked 3 times less often than private-sector websites (261 incidents).

Leak of 50,000 Uzbek citizens' data to the 'darknet'

Telegram Messenger has the biggest pool of active users in Uzbekistan. In July 2020, databases which contained information on 50,000 Uzbek citizens were leaked to the 'darknet'. In particular, they contained the name, last name, phone number, user ID, and nickname of users. Almost 70% of the leaked accounts in the database are users from Iran and 30% are from Russia. Furthermore, the press service of the messenger informed that most of the leaked accounts are no longer active. This may indicate that last year's efforts by the messenger significantly reduced the scale and speed of this kind of abuse. As a preventive measure, the Cybersecurity Centre gave its recommendations on securing Telegram accounts.

Limited use of a number of social networks

Owing to violations of the requirements of Article 27-1 of the Law on Personal Data when processing the personal data of citizens of the Republic of Uzbekistan, several social networks have been included in the Register of Violators of the Rights of Personal Data Subjects since 2 July 2021, and their use is limited until the deficiencies are eliminated. As of 14 October 2022, only TikTok is listed in the foregoing Register of Violators of the Rights of Personal Data Subjects.

Aziz Aripdjanov, Lawyer
Abdulaziz Jurajonov, Junior Associate
Azizov & Partners, Tashkent
