The government has recently approved a legislative package establishing a regulatory body for information systems, tasked with identifying and preventing cyber incidents, coordinating responses, and mitigating damage in both public and private sectors. The legislative package has been submitted to the National Assembly.
According to the Minister of High-Tech Industry, Mkhitar Hayrapetyan, the “Cybersecurity Law” designates critical sectors and infrastructure, mandates the application of risk assessment criteria, and requires compliance with ISO 27001 and other international standards. The development of national standards is permitted, provided they are competitive and aligned with local needs.
The project envisions the creation of an autonomous body responsible for ensuring the availability of public information, technical protection of state systems, and cybersecurity measures. This body will have the authority to designate information for official use, develop risk and cyber incident assessment criteria, and conduct ongoing monitoring and compliance checks.
The new body will include a commission, with members elected by the National Assembly, and will effectively serve as an operational center for the security of state systems, collaborating with ministries and private companies providing cybersecurity services. Preventive measures are also outlined, including annual cyber exercises, transparent operations, and yearly reports on cyber hygiene submitted to the National Assembly. According to the draft law, service providers are required to implement internal cybersecurity policies, conduct risk assessments, and develop incident prevention programs within 18 months of the law’s enactment.
The law represents a significant step forward for Armenia’s information security. The new body will enable rapid responses to incidents and enhance the country’s international cybersecurity ranking. The project also emphasizes the importance of public awareness, educational programs, and the adoption of international best practices, which will improve cyber hygiene. Businesses will receive guidelines and support in critical sectors, reducing damage from cyberattacks. The law also ensures compliance with international standards, facilitating integration with the EU and other international organizations.
However, there are certain risks: mandatory audits and risk assessment processes may impose additional costs on businesses. Establishing the new commission requires financial resources and qualified specialists, while stricter oversight could create bureaucratic hurdles. The planned ongoing monitoring also carries a risk of breaching personal data privacy.

