This is reflected in a draft law on amendments to the Code of Administrative Offenses, discussed at today's session of the Milli Majlis.
According to the draft, for failure to take measures to ensure cybersecurity of information infrastructure by computer incident response centers, security operations centers, as well as information infrastructure entities, including owners of internet information resources, internet providers, and hosting providers, specifically for:
- failure to comply with instructions of the body (institution) determined by the relevant executive authority on ensuring cybersecurity of information infrastructure (prevention of cyber threats, cyber attacks, and cyber incidents and elimination of their consequences), as well as on conducting digital investigation and submitting information on its results;
- failure to immediately provide the body (institution) determined by the relevant executive authority with information on cyber threats, cyber attacks, and cyber incidents targeting information infrastructure, as well as information obtained as a result of continuous real-time monitoring of cyber incidents and cyber attacks and implementation of initial technical response measures;
- failure to respond to requests from the body (institution) determined by the relevant executive authority, sent for the purpose of studying the state of cybersecurity of information infrastructure and conducting proactive cybersecurity research, within 24 hours, and for requests related to conducting digital investigation, within 5 working days;
- failure to carry out continuous real-time monitoring of cyber incidents and cyber attacks and initial technical response measures;
- violation of general and special cybersecurity requirements for information infrastructure performing socially significant functions by information infrastructure entities, including internet providers, hosting providers, and owners of internet information resources;
- failure to create conditions for conducting digital investigation and proactive cybersecurity research, as well as allowing alteration, deletion, or falsification of data obtained during digital investigation and failure to ensure its integrity;
- officials will be fined from 500 to 1,000 manats, legal entities from 1,000 to 2,000 manats.
For carrying out activities as a computer incident response center and security operations center without being entered into the relevant register of computer incident response centers and security operations centers, officials will be fined from 1,000 to 1,500 manats, legal entities from 1,500 to 2,500 manats.
The above provisions will not apply to critical information infrastructure, state bodies (institutions), including the Central Bank, intelligence and counterintelligence entities, entities whose activities in financial markets are regulated (banks, insurers, reinsurers, licensed securities market participants, joint-stock investment funds and investment fund managers, payment service providers, etc.), as well as to the information infrastructure of protected persons, protected and strategic facilities, and to computer incident response centers and security operations centers established by the body (institution) determined by the relevant executive authority and the Central Bank.
If adopted, the law will enter into force on July 1, 2027.
The draft law was put to a vote after discussions and adopted in the first reading.