President Shavkat Mirziyoyev signed the Cyber Security Bill into Law. The draft was not posted on the portal for discussing draft regulations. The Law establishes that the State Security Service shall become responsible in the field of cybersecurity. It will conduct operational-search activities, pre-investigation checks and investigations on cybersecurity incidents, i.e. failures in the operation of information systems and (or) violations of the availability of information in them, integrity and its free use.
The objects of critical information infrastructure (OCII) are informatization systems in the field of public administration and the provision of public services, defense, state security, Law enforcement, the fuel and energy complex (nuclear energy), chemical, petrochemical industries, metallurgy, water use and water supply, agriculture, healthcare, housing -public services, banking and financial system, transport, information and communication technologies, ecology and environmental protection, mining and processing of minerals of strategic importance, manufacturing and other sectors of the economy and the social sphere.
The Law provides for three categories of objects: high, medium and low level. The criteria for referring to the levels will be determined by the authorized body - the State Security Service.
The State Security Service will form a unified register of critical information infrastructure facilities, determine the security requirements for OKII facilities, organize the certification of hardware, hardware, software and software in information systems and resources, license activities for the development, production and implementation of cryptographic information protection tools, and train personnel. The regulator has many other functions.
The cybersecurity regulator has the right to visit government agencies and other organizations, get acquainted with the necessary documents and materials, as well as request and receive information and other necessary documents and materials from organizations and citizens, identify them and use them in investigative actions on cybersecurity incidents.
The Law also guarantees the State Security Service unhindered access and connection in the prescribed manner to information systems and resources of state bodies and organizations, critical information infrastructure facilities.
The regulator has been given the right to freely enter, if necessary, with damage to locking devices, residential premises and other objects of individuals and legal entities, when pursuing persons suspected of committing crimes in the field of information technology, with subsequent notification of this to the prosecutor within twenty-four hours, and as well as compensation for damages.
State bodies are obliged to ensure the cybersecurity of their information systems and resources and to warn the State Security Service about cyber attacks. Also, government agencies must use certified hardware, hardware and software and software for cyber defense.
The Law established the priority of domestic producers: when purchasing goods, works and services necessary to ensure the cybersecurity of state and economic administration bodies, khokimiyats, goods, works and services produced in Uzbekistan are given priority over foreign products.
Information about cyber threats and cyber attacks detected in information systems can be disclosed with the permission of the cyber security subject after taking measures to protect them.
Article 5 emphasizes the principle of legality: any deviation from the exact execution and observance of the requirements of the Law, whatever the motives, is a violation of the Law and entails the established responsibility.
The Criminal Code and the Code of Administrative Responsibility have not yet been supplemented with regulations on offenses in the field of cybersecurity.
The Law will take effect on July 15.