Cybersecurity 2026 Comparisons

On a supranational level, Armenia is a party to the Council of Europe Convention on Cybercrime (in November 2023, Armenia also signed the Second Additional Protocol on Enhanced Co-operation and Disclosure of Electronic Evidence), which is intended to strengthen international co-operation and enhance the effectiveness of combating cybercrime. The prevention of cybercrime is also supported by the criminalisation of cyber-related offences under the Criminal Code. In particular, the following offences are provided for:

• Computer theft.
• Alteration of computer data.
• Computer sabotage.
• Unlawful interception or acquisition of computer data.
• Violation of the rules or requirements governing the operation of a computer, computer system, or computer network.

Additionally, on a national level, the Republic of Armenia, by Government Decision No 183-L of 11 February 2021, entitled “On Approving the Digitalisation Strategy of Armenia, the Action Plan for the Strategy, and the Performance Indicators for the years 2021-2025”, established the State’s policy framework for the digital transformation of the economy and society. The Decision provides for the modernisation of public administration through the introduction of innovative technologies, the expansion of electronic services, and the development of e-governance mechanisms. Within this framework, cybersecurity is treated as a necessary component of digitalisation, as it ensures the protection, continuity, and secure functioning of digital systems and services.

Further to this strategy, in December 2025 three main laws were adopted:

• the Law on Cybersecurity;
• the Law on the Information Systems Regulatory Body; and
• the Law on Public Information.

For co-ordinating the cybersecurity sector, several amendments were also made to already existing laws, in particular:

• the law on state secrets;
• the law on freedom of information;
• the law on national security bodies; and
• the law on the Structure and Functioning of the Government.

In addition, the transitional provisions of the Law on Cybersecurity stipulate that, within twelve months of the law’s entry into force (entry into force: 4 January 2026), sub-legislative acts are to be adopted to establish a comprehensive regulatory framework for the cybersecurity sector. In this regard, while the Law itself identifies the sectors of vital importance to the State, the types of services within those sectors, as well as identification criteria of the critical information infrastructures operating in these sectors, are to be set by the Government Decisions.

The Law on Cybersecurity is primarily framed around the protection of information systems and critical information infrastructure in vital sectors; however, certain areas are excluded from the scope of the law, including cybersecurity requirements related to information systems used by state authorities in the fields of defence, national security, foreign relations, and foreign intelligence, as well as systems and critical information infrastructures used for processing state secrets. In addition, relations concerning cybercrime are governed by criminal legislation and therefore fall outside the scope of this law.

Armenia’s principal cybersecurity and cyber-risk management framework currently rests on three newly adopted laws, which are the Law on Cybersecurity, the Law on Regulation of Information Systems and the Law on Public information.

The Law on Cybersecurity (the Law)

This is the main act governing cybersecurity and cyber-risk management.

Organisations in scope under the Law on Cybersecurity

To determine whether business entities fall within the scope of the law, and accordingly whether they are subject to the relevant obligations set out therein, it is necessary to assess whether they meet the following requirements.

As a mandatory condition, business entities should provide services in a “sector of vital importance”, which are:

• the energy sector;
• a manufacturing sector (chemical, food, arms and ammunition, medical, electrical, computer, electronic, and optical equipment manufacturing);
• transport;
• water supply and wastewater;
• communications, including telecommunications;
• postal services;
• financial services;
• healthcare;
• information technology, including digital infrastructure;
• radioactive materials, subsoil use and hazardous waste management;
• space activity;
• database management and operation;
• emergency safety; and
• public administration, including digital infrastructure operated by state bodies.

Digital infrastructure includes the following:

• electronic trading platforms;
• online search engines;
• cloud computing services,
• means of creating or verifying electronic digital signatures;
• provision of electronic digital signature certificates and other services related to electronic digital signatures;
• electronic communication services;
• public electronic communication services,
• internet access services,
• a domain registry that is the national top-level domain of Armenia.

However, currently the identification process of service providers cannot yet be carried out, as the Armenian Government still needs to define the types of services/classifiers corresponding to the types of services provided within vital sectors.

Secondly, to fall within the scope of the Law, the business entity should either:

• operate an “information system” (IS): an “information system” covers electronic communications networks, devices or connected groups of devices, and technical/software-hardware means that it can perform automated processing of digital data, as well as the digital data processed or transmitted through them for use, protection, and maintenance; or
• operate Critical Information Infrastructure (CII): critical information infrastructure is automated control systems, information systems, and equipment (or parts of equipment) used in vital sectors where disruption or destruction could threaten national security, defence, the economy, social welfare, public health, the environment, public order, international relations, or continuity of governance.

It is important to remember that the mere operation of an information system, in and of itself, does not, within the meaning of the Law, lead to qualification as a service provider; however, it grants the regulatory authority in the field of cybersecurity, which is the Information Systems Regulatory Commission (referred to in the Law as the “Autonomous Body”), the right to review the information system, by qualifying it as meeting the identification criteria for CII operated in a vital sector, and to recognise it temporarily as CII within a vital sector.

Micro and small businesses as provided under the Law “On State Support of Small and Medium Entrepreneurship” are generally excluded, unless they operate CII. This means the regime is sector-based and function-based rather than universally applicable across the private sector.

It may therefore be concluded that the obligations established under cybersecurity legislation apply to business entities operating in one or more of the aforementioned sectors of vital importance, provided that they operate an IS or CII.

Meanwhile, the Law applies to all state and local self-governmental bodies.

The Law on the Information Systems Regulatory Body

This Law establishes the legal status of the competent state authority in the field of cybersecurity and regulates its powers and responsibilities (a more detailed description is provided in 1.3 Cybersecurity Regulators).

The Law on Public Information

This Law regulates the collection, processing, management, storage, and disclosure of public information by state and local self-governmental bodies and establishes rules for ensuring public access to information, including through digital and cloud-based systems, promotes transparency and public oversight of governmental activities, and defines mechanisms for controlling and supervising public information and related databases.

Under the definition of this law, public information is any data which is collected, registered or processed by public or local self-governmental bodies while exercising their duties.

Organisations in scope under the law on public information

The Law applies to:

• State and local-self governmental bodies;
• Legal entities operating in the sectors of energy, water, telecommunications, postal services, railway services, and the mandatory technical inspection of vehicles;
• Legal or physical persons that process information systems involving the identification of individuals.

The field of cybersecurity is also regulated by the Law on Personal Data Protection, which sets out the obligations of personal data processors. (A more detailed description is provided in 3.5 International Data Transfers and 6.1 Cybersecurity and Data Protection).

The Central Bank’s decisions also play an important role in ensuring cybersecurity in the financial system (a more detailed description is provided in 3. Operational Resilience in the Financial Sector).

Territorial reach

Article 1 of the Law defines the subject matter and scope of the law but does not expressly determine its territorial reach. The law provides that the Autonomous Body monitors website domains within the Armenian Internet Protocol (IP) address space and, in connection with Armenia’s country code, analyses cyber incidents occurring in information systems or critical information infrastructures and their potential impact on the country’s economy, environment, and human life and health.

Overall, a comprehensive analysis of the Law suggests that it is applicable to CII and IS operating in the territory of Armenia by service providers that are established and operating in Armenia. At the same time, the Autonomous Body may co-operate with foreign computer emergency response teams and international organisations, in accordance with the international treaties of the Republic of Armenia and the law, for the purposes of detecting, preventing, and responding to cyber incidents and mitigating their consequences.

Oversight of compliance with cybersecurity legislation is primarily carried out by the following state bodies.

The Autonomous Body (Information Systems Regulatory Commission)

The Autonomous Body serves as the central authority responsible for cybersecurity oversight in Armenia.

The Autonomous Body’s main functions are as follows:

• responding to cyber incidents and setting response priorities.
• registering and analysing cyber incidents, including maintaining the cyber-incident registry;
• developing and approving minimum cybersecurity requirements for service providers’ information systems and for critical information infrastructure.
• establishing the rules governing incident notification, reporting, and cybersecurity audits.
• monitoring service providers’ compliance with the requirements of the Law.
• exercising supervisory functions and supporting enforcement, including by referring matters for liability measures where appropriate.
• providing methodological guidance and risk-assessment support to service providers;
• establishing and managing the National Cybersecurity Monitoring Operational Centre; and
• providing expert support to the Government and co-operating with other national and foreign competent bodies.

Most importantly, upon prior notification, the Autonomous Body has the authority to carry out vulnerability assessments and penetration testing, with service providers operating critical information infrastructure in order to assess the resilience of the service providers’ information systems or critical information infrastructure against external risks and informing the respective service provider of any identified vulnerabilities.

In addition to these functions, the Commission has other supervisory and enforcement powers, such as conducting compliance checks via access to information systems of the entities under supervision.

Furthermore, the Commission may initiate administrative proceedings in relation to violations in the field of cybersecurity and, in the cases and manner prescribed by law, apply liability measures, including by ordering the responsible entity to remedy the violation within the deadline set by the Commission and to prevent its recurrence.

At the same time, the Law envisages the formation of the National Computer Emergency Response Team (CERT) within the structure of the Autonomous Body, as well as the formation of National Cyber Defence Centre being envisaged within the structure of the National Security Service.

The Authorized Body (Ministry of High-Tech Industry)

The Ministry of High-Tech Industry acts as the Competent Authority and primarily performs strategic, policymaking, programmatic, and advisory functions in the field of cybersecurity:

• develops and guides national cybersecurity policy approaches and strategic planning.
• contributes to the development of cybersecurity standards and frameworks, including alignment with Armenia’s international obligations.
• provides recommendations and expert input to the Government on cybersecurity matters and overall cyber-resilience.
• may, where necessary, perform a co-ordinating and supportive role during emergency situations, aimed at ensuring the continuity and security of critical information systems.

National Security Bodies

National security bodies act within their competence; they:

• ensure information security (including cybersecurity) of state bodies’ official websites, electronic platforms, other information systems, and critical information infrastructure.
• co-ordinate cyber-incident response activities relating to information systems and critical information infrastructure in cases provided under Armenian legislation.
• participate in the development of information security (including cybersecurity) norms for state and local self-government information systems and infrastructures, as well as information infrastructures of strategic importance for national security.
• perform oversight functions regarding compliance with information security (including cybersecurity) norms applicable to state bodies’ information systems and infrastructures and nationally strategic information infrastructures.
• co-ordinate the field of cryptographic and technical protection of information protected under Armenian legislation, under a procedure approved by Government decision.

It is extremely important to note that the Law provides that the Government will also approve a list of critical information infrastructure for the purpose of carrying out state governance and regulation in the field of cybersecurity. In turn, the National Security Service will have the competence, in relation to the information systems and critical information infrastructure approved in the list established by the Government, to exercise the powers and functions authorised by the Law and reserved to the Autonomous Body and Authorised Body.

Personal Data Protection Agency

The Personal Data Protection Agency, within its mandate, is responsible for ensuring that the processing of personal data is carried out lawfully, thereby safeguarding the legal interests of data subjects and promoting compliance with the provisions of the Personal Data Protection Law of Armenia.

Central Bank of Armenia

Although the Central Bank is regulator of the financial system and plays an important role in ensuring cybersecurity in that sector, including by setting information security requirements for financial organisations, it is not designated as a supervisory authority under the Law on Cybersecurity.

Armenian Law does not differentiate between essential or critical entities. It recognises as critical information infrastructure, within critical sectors, the following, that are operated:

• automated control systems;
• information systems;
• equipment or a part thereof,

provided that the disruption or destruction of the foregoing must create threats to national security, defence, the economy, social welfare, public health, the environment, public order, international relations, and continuity of governance (governance continuity), for the infrastructure to be qualified as critical.

It is important to remember that the definition alone, in and of itself, will not serve as a basis for determining the conditions for qualifying infrastructure as critical. It has been established that identification criteria for critical information infrastructure operated in a critical/vital sector will be developed and approved by the Government, on the basis of which the infrastructure will be qualified, or not qualified, as critical. Hence, it is currently impossible to identify accurately which digital services are covered. In addition, the Government will also approve the list of identified critical information infrastructures in vital sectors, the service providers operating them, and the state bodies responsible for ensuring and supervising cybersecurity requirements.

Notwithstanding the above, the following are considered CII without the application of identification criteria, by virtue of the Law:

• Information systems operated for the provision of qualified trust services.
• Information systems operated for the provision of top-level domain (TLD) name registry services.
• Information systems operated for the provision of Domain Name System (DNS) services.
• Information systems operated for the provision of public services by state bodies, communities enlarged in accordance with the law, and the communities of Yerevan and Gyumri.
• Information systems operated for the provision of electronic communication services or internet access services, provided that the legal entities operating them meet the classification criteria for medium-sized businesses as defined by the Law 'On State Support for Small and Medium-Sized Entrepreneurship'."

The list of vital sectors is provided in 1.2 Cybersecurity Laws.

Even though the minimum cybersecurity requirements applicable to the CII are not yet established by the Autonomous Body, by virtue of the Law, the service providers have several obligations aimed at ensuring cybersecurity, listed as follows in general terms:

• Adoption of internal acts on cybersecurity.
• Implementation of organisational and technical measures to ensure the continuous identification and management of cyber threats, the prevention, detection, blocking, and resolution of cyber incidents, as well as the uninterrupted operation of the IS and CII.
• Carrying out risk assessments and managing identified risks.
• Notifying the “Autonomous Body” of cyber incidents and complying with the legal requirements relating to such incidents, including following the instructions of the Autonomous Body and granting it access to the relevant system.
• Taking measures to mitigate the consequences of a cyber incident and prevent its rapid escalation (expansion of the scale of impact), implementing, if necessary, the full or partial restriction of the operation, availability, or access to the IS or CII,
• Appointment of a cybersecurity specialist, or delegation of that function to a cybersecurity services company that complies with the requirements of the Law.
• Undergoing a mandatory cybersecurity audit every three years.
• Granting the Autonomous Body access to information systems for the purpose of conducting a compliance assessment, etc.

As previously indicated, the Law allows the service provider to outsource the cybersecurity insurance to a cybersecurity services company possessing a compliance certificate with criteria and requirements established by applicable international or national standards in the field of cybersecurity. However, such outsourcing is subject to prior consent of the Autonomous Body (the procedure of prior notification should be adopted by the Autonomous Body).

Mandatory Cyber-Incident Notification

A cyber-incident under the Law is defined as an action or interference occurring within the CII or IS that inevitably compromises or adversely affects the cybersecurity of the CII or IS, as well as their continuous, uninterrupted, and secure operation.

Mandatory cyber-incident notification obligation is provided for:

• where a cyber incident has a material impact on information systems or critical information infrastructure, or
• where that material impact cannot yet be fully assessed or is not immediately apparent but may reasonably be assumed.

A cyber incident is considered to have a material impact where at least one of the following conditions is met:

• The cyber incident threatens human life or health, defence, national security, international relations, the economy, the environment, or public order.
• The cyber-incident is classified as having a high severity level according to the service provider’s risk-assessment scale.
• As a result of the cyber incident, it is impossible to restore the continuous, uninterrupted, and secure operation of the service provided through the information system or critical information infrastructure within the maximum period permitted by law or by contract.
• The cyber incident disrupts the continuity, uninterrupted operation, or secure use of the service of another service provider, etc.

In the event of a cyber incident with material impact, the service provider is required to notify the Autonomous Body of a cyber incident immediately upon becoming aware of it, and in any event no later than within 24 hours. Notwithstanding this obligation, the service provider has the right to notify the Autonomous Body in the case of any cyber incident.

Following the initial notification, within 72 hours of becoming aware of the cyber incident the service providers should submit updated information to the Autonomous Body, including information on the severity and consequences of the incident. Additional updated information may be requested by Autonomous Body.

As part of post-notification, the service provider should, within one month, submit a final report to the Autonomous Body on the likely causes of the cyber incident, the measures taken to resolve it, the severity and consequences of the incident, the scale of its impact, the time and financial resources expended, and the steps and measures taken to prevent similar incidents in the future.

In addition to Autonomous Body notification, the service provider should notify the potentially affected persons, as well as, in the case of criminal nature of a cyber incident, notify the law enforcement bodies (also applies to the Autonomous Body).

For more details on the personal data leakage related notification please refer to 6.2 Cybersecurity and AI.

Voluntary Cyber-Incident Notification

Legal or physical persons who are not classified as service providers under the Law may also notify the Autonomous Body of a cyber incident, cyber attack, cyber threat, or a vulnerability affecting an information system or critical information infrastructure. Where this is done, the Autonomous Body is required to ensure the confidentiality of the notifying entity, except where disclosure to the competent authorities is necessary for the detection, investigation, or prevention of criminal offences.

Where more than one notification is submitted in relation to cyber incidents, the Autonomous Body must give priority to notifications that are subject to mandatory submission under the Law.

The state, primarily through the Autonomous Body (The Information Systems Regulatory commission), is responsible for:

• Setting identification criteria of the CII,
• Overseeing regular compliance via mandatory quarterly vulnerability scans and triennial penetration tests.

• Taking measures to mitigate the consequences of incidents and prevent their escalation, including the power to restrict access, partially or fully, to compromised systems, etc.

In addition, the Law provides that, for the purpose of ensuring cybersecurity, the Autonomous Body is also required to establish the national Computer Emergency Response Team (CERT). The national CERT is a group of experts responsible for the management, co-ordination, analysis, prevention, response, resolution, and consequence mitigation of cyber incidents.

At the same time, the law on the public information requires the state to build and maintain a secure digital environment for public information and state information systems. In particular, the state has undertaken to establish and manage the Information Technology Asset Register, ensuring all public and vital information systems are identified and classified.

Public-Private Co-operation

The Law on Cybersecurity also enshrines the principle of co-operation between the state and the private sector. Particularly in the course of ensuring cybersecurity, preventing and disrupting cyberattacks and cyber threats, resolving cyber incidents and eliminating or mitigating their consequences, service providers are required to ensure adequate co-operation with competent state authorities and with one another, taking into account the interconnection and interoperability of information systems and critical information infrastructure.

This principle is also reflected in a number of provisions of the Law. For example, where a cyber threat may develop into a cyber incident having a material impact, the Autonomous Body may conduct a joint examination of the incident at the premises of the relevant service provider, in co-operation with the supervising authority over the service provider (if such an authority exists).

In the Republic of Armenia, the financial system regulator is the Central Bank of Armenia. While Armenia’s broader cybersecurity regulatory framework is still evolving, the regulation of cybersecurity within the financial sector has long been established by the Central Bank Decision No 173-N of 9 July 2013 on Minimum Requirements for Information Security.

The Central Bank has defined the scope of entities that are required to align their information security management systems with the requirements of internationally recognised information security standards and to obtain certification confirming compliance with those standards. These entities include:

• Banks operating in Armenia.
• The regulated market operator defined by the law of the Republic of Armenia ‘On the Securities Market’.
• The Central Depository.
• Credit bureaux.
• Persons providing investment and non-core services related to leveraged transactions, including forex transactions.
• Crowdfunding platform operators.
• Insurance companies.
• Payment and settlement organisations (together, financial organisations).

As to the territorial scope of this regulation, it should be noted that it is applicable to information security management systems operating in the territory of Armenia by financial organisations that are established and operating in Armenia.

The Central Bank has also established minimum requirements for these organisations concerning the management and mitigation of risks in the field of information technology. These requirements were developed considering the ISO/IEC 27001:2005 standard (Information technology – Security techniques – Information security management systems – Requirements). Under this decision, the aforementioned entities are obliged to pass a certification on compliance with international standards.

As for third parties, the financial entities should establish specific procedures for training its personnel and third parties in, or familiarising them with, information security rules in order to prevent the intentional or unintentional disclosure (leakage) of the latter’s confidential information by such persons.

In addition, the regulation establishes security-by-design obligations for the information systems of the financial organisations. These organisations must each have a unit or an individual responsible for information security. In the absence of such a unit or individual, there must be a delegation agreement with a company specialised in information security to perform the relevant functions.

Currently, these regulations remain in force together with Law provisions, according to which the financial sector is considered to be a sector of vital importance, and it is uncertain how the interplay and hierarchy between them will be regulated.

Under the cybersecurity legislation of the Republic of Armenia, there is no legal definition for Information and Communications Technology (ICT) service providers. However, according to Decision No 173-N of 9 July 2013 of the Central bank Board on Minimum Requirements for Information Security, financial organisations may partially or fully outsource the operation of their information technology infrastructure, provided that such outsourcing is conducted in compliance with the relevant laws of the Republic of Armenia and other normative legal acts. Outsourcing is subject to prior approval and regulatory oversight to ensure that banks maintain control over critical operations and the security of sensitive information.

Specifically, pursuant to Central Bank’s Decision No 118 of 20 July 2018, banks are required to submit documentation to the Central Bank before initiating any outsourcing of IT functions. This documentation must include the draft outsourcing agreement, a justification explaining the necessity of the outsourcing arrangement, and relevant internal legal acts of both the bank and the counterparty governing the relevant activities. The draft agreement must clearly define the rights, responsibilities, and scope of liability of each party. It should also establish provisions regarding the bank’s authority to conduct periodic monitoring of the counterparty, the right to engage or request external audits of the counterparty, and the procedures to follow if the outsourced services are terminated, ensuring continuity of operations.

The Central Bank retains broad supervisory authority over outsourced activities. It may inspect, review, re-audit, or otherwise oversee the counterparty’s performance to ensure compliance with the agreed terms and regulatory requirements. This framework ensures that, even when critical IT functions are outsourced, banks remain accountable for operational resilience and cybersecurity, and that the integrity and security of financial systems are preserved.

The key obligations of service providers under the Law are discussed in 2.2 Critical Infrastructure Cybersecurity Requirements.

Financial Organisations

Obligations for governance

• Information Security Policy – Financial organisations must maintain a formal Information Security Policy that is updated at least every three years to account for emerging threats and sector developments.
• Emergency Response Plan – Financial organisations are required to have a documented plan for responding to extraordinary events or incidents.
• Risk Management Plan – A structured approach for identifying, assessing, and managing information security risks must be in place.
• Business Plans, Procedures, Guidelines - Financial organisations should develop specific business plans, procedures, guidelines, and contracts, which must describe the forms and methods of achieving the goals of ensuring the protection of information resource.
• Business Continuity and Testing – Financial organisations must implement mechanisms to ensure business process continuity, including regular testing and validation of continuity plans (as outlined in 3.6 Threat-Led Penetration Testing).

Risk management

Financial institutions must develop a dedicated document that provides a detailed description of the possible information security risk scenarios and their sources, the ways in which such risks may materialise, the channels through which information may leak, and it must include a definition of the concept of “deliberate unauthorised actions.”

Risks must also be classified by origin: internal risks (within the institution) and external risks (originating outside the institution).

In addition, financial institutions must classify risks considered significant for the institution into at least the following categories:

• Confidentiality breaches – disclosure or leakage of classified information.
• Operational availability breaches – disruption or failure of business processes.
• Integrity breaches – distortion, modification, theft, or destruction of information.
• Information accessibility breaches – denial or obstruction of access to necessary information.

Incident management

In addition, for incident management, financial institutions are required to conduct emergency scenario testing at least once every three years, as well as whenever a new emergency response plan is developed. These tests must evaluate the time and resources needed to mitigate the consequences of emergency situations (further details are provided in 3.6Threat-Led Penetration Testing).

There are no specific operation resilience enforcement obligations or provisions for critical ICT service providers under the current cybersecurity regime.

Enforcement of operational resilience obligations by the Central bank in relation to financial organisations is done through supervisory compliance inspections, as a result of which the Central Bank of Armenia (CBA) may impose liability measures if breaches of applicable requirements are identified.

The Law of the Republic of Armenia on Protection of Personal Data addresses cross-border data transfers; however, Article 1 excludes certain categories of personal data from its scope. Specifically, the law does not cover personal data constituting state, banking, notarial, attorney-client, and insurance secrecy, or data processed in the context of national security or defence, anti-money laundering and counter-terrorism measures, operational-investigative activities, and judicial proceedings, which are governed by other legislation.

Sectoral legislation applicable to financial organisations – including the Law on Bank Secrecy, the Law on Insurance and Insurance Activity, and the Law on Combating Money Laundering and Terrorism Financing – does not contain rules on cross-border data transfers or data localisation requirements. However, under the Law on Combating Money Laundering and Terrorism Financing, the Central Bank, on its own initiative or upon request, may exchange information (including documents) containing legally protected secrets with foreign financial intelligence units. It is important to note that such exchanges are conducted on the basis of bilateral agreements or obligations arising from international organisation membership, provided that the recipient ensures equivalent confidentiality and uses the information exclusively for combating money laundering, terrorism financing, and predicate offences.

Hence, cross-border data transfers by financial organisations are not specifically regulated under Armenian law, and the general rules established by the Law on Protection of Personal Data must apply to these transfers.

The Law “On Personal Data Protection” defined that personal data may be transferred to a foreign country:

• based on data subject’s consent; or
• without the data subject’s consent where such a transfer derives from the purposes of personal data processing and/or is necessary for the implementation of such purposes.

Irrespective of the data subject’s consent, the transfer of personal data may be exercised with or without the permission of the Personal Data Protection Agency (PDPA), depending on which country the transfer is aimed at. Authorisation for the transfer is not required if the receiving country offers an adequate level of personal information (PI) protection. Adequacy can be established through two means:

• the transfer complies with the terms of relevant international agreements on data protection; or
• the receiving country is included in an official list published by the Agency, signifying that it provides a sufficient level of protection.

Authorisation for transfers to countries with no adequate level of data protection is possible:

• with the prior permission of the PDPA; and
• if the PI is transferred on the basis of an agreement; and
• the agreement provides for such safeguards with regard to the protection of PI that have been approved by the PDPA as ensuring adequate protection.

Regarding the data localisation requirements, the Law On Personal Data Protection does not require the collection of personal data in a server located in Armenia prior to its transfer abroad (ie, a data subject may transfer its data to an entity abroad directly and the law will not be applicable to that processing).

The penetration testing requirements applicable to financial organisations are regulated by the Decision No 173 N of 9 July 2013, adopted by the Central Bank of Armenia. According to this Decision, testing of the internal information network of banks and crowdfunding platform operators must, at a minimum, include:

• an internal penetration test;
• an external penetration test;
• a social engineering risk assessment; and
• an Advanced Persistent Threat (APT hunting exercise) presence test.

An APT hunting exercise is defined as the detection of manifestations of an already successful advanced persistent threat attack within the financial organisation’s infrastructure by analysing network traffic directed toward the most critical servers and workstations for a duration of up to one week.

As for red-teaming, it is defined as an authorised attack conducted to verify the effectiveness of all existing defensive measures (including organisational ones), during which an unauthorised person gains access to the organisation’s internal information network and remains undetected for a certain period.

The testing should be conducted by an independent organisation, which should:

• be a member of the Council of Registered Ethical Security Testers (CREST) International organisation;
• have at least three years of experience in that field; and
• have performed the penetration tests in at least five financial organisations outside the territory of the Republic of Armenia that are comparable in size to the organisation ordering the test.

The test results together with the conclusion of the testing organisation should be submitted to the Central Bank.

The frequency for mandatory testing varies, depending on the type of testing: the first three standard tests should be conducted once per year, while an APT hunting exercise should be conducted twice per year. In addition, vulnerability scanning of the internal information network should be done at least once every quarter.

Following the adoption of the Law, and taking into account the authority of the Autonomous Body to conduct penetration testing at the premises of service providers operating the CII, it remains unclear whether the Central Bank will continue to be the sole regulator responsible for cybersecurity in the financial sector, or whether other bodies, including but not limited to the Autonomous Body, will also be granted competences in this area and, if so, what the scope of those competences will be.

Currently, Armenia does not have separate cyber-resilience legislation and the main regulatory framework governing cyber-resilience is set out in the Law on Cybersecurity. In addition to the other obligations of service providers discussed under 2. Critical Infrastructure Cybersecurity Regulation, the law also imposes service providers, in the event of a cyber incident, to take measures aimed at mitigating its consequences and preventing its rapid escalation, including the expansion of its impact. For that purpose, they may impose a full or partial restriction on the operation, accessibility, or access to the relevant information system or critical information infrastructure. The state also has a positive obligation to ensure cyber resilience, which is discussed in 4.2 Key Obligations Under Legislation. (Additional cyber-resilience requirements imposed to the service providers are mentioned in 2.2 Critical Infrastructure Cybersecurity Requirements and 2.3 Incident Response and Notification Obligations).Cyber resilience requirements (the Law itself) apply to critical information infrastructures, as well as information systems. The definition of information systems is quite broad and covers any system or service that handles digital data, including all or any devices, or groups of interconnected or related devices, as well as the complete set of technical and software tools that process digital data automatically (for more details, see 2. Critical Infrastructure Cybersecurity Regulation).

While the law does not explicitly require “security-by-design,” all service providers should undergo cybersecurity audits, which effectively impose security measures from the design and operational stages.

There is no specific legislation for cyber-resilience in Armenia.

However, cyber-resilience-related obligations are established in various legal frameworks and sectoral regulations, including:

• risk assessment and risk management requirements for service providers (see 2.2Critical Infrastructure Cybersecurity Requirements);
• cyber-incident notification obligations applicable to service providers (see 2.3 Incident Response and Notification Obligations);

• regular penetration testing requirements for financial organisations (see 3.6Threat-Led Penetration Testing);

• cybersecurity obligations relating to the protection of personal data and personal data leakage notification requirements (see 3.6Threat-Led Penetration Testing); and

• information technology asset management and qualification requirements applicable to public-sector organisations and fully state-owned companies.

Failure to comply with the requirements of the Law may lead to administrative liability under the Code of Administrative Offences․

• Breaches of security requirements: this includes failure to ensure minimum cybersecurity requirements, failure to comply (or properly comply) with criteria and requirements established by international or national cybersecurity standards, or failure to maintain documentary proof of compliance. The applicable fine ranges from AMD7,000,000 to AMD10,000,000.
• Breaches relating to internal acts and internal business processes: this includes the absence of internal cybersecurity rules, failure to conduct a risk assessment (or develop an assessment scale), failure to determine the possible severity or scale of the consequences of a cyber incident, failure to approve a preventive measures plan, failure to appoint a cybersecurity specialist, or breaches relating to the outsourcing of that function. The applicable fine ranges from AMD200,000 to AMD300,000.
• Failure to comply with cyber-incident notification obligations and other related duties: this may result in a fine ranging from AMD500,000 to AMD700,000.
• Breach of duty to notify affected persons: where specifically applicable, this may result in a fine ranging from AMD200,000 to AMD300,000.
• Failure to undergo a mandatory cybersecurity audit: this may result in a fine ranging from AMD200,000 to AMD300,000.
• Failure to submit the cybersecurity audit opinion: this may result in a fine ranging from AMD100,000 to AMD200,000.
• Failure to provide documents or information requested by the Autonomous Body within the prescribed time limit: this may result in a fine ranging from AMD200,000 to AMD300,000.

General Frameworks

There is no cybersecurity certification requirement for the service providers in vital sectors as such.

However, the Law establishes the mandatory obligation of all service providers to undergo a cybersecurity audit once in every three years. It is defined that cybersecurity auditors should pass a certification, the procedures of which, as well as requirements applicable to auditors, are to be established by the Information Systems Regulatory Commission.

At the same time, the Law provides that an audit of service providers of critical information infrastructure should be conducted according to applicable international standards (eg, ISO standards), the list of which is to be determined and published by the Government of the Republic of Armenia or national standards (not yet adopted).

Furthermore, the cybersecurity service providers (in-house or outsourced) are subject to the certification requirements.

Sector-Specific Frameworks

In addition, Decision No 152-N of 12 February 2026, defined the minimum requirements and procedures for the implementation and operation of an Information Technology (IT) Asset Management System applicable to some organisations operating in the public sector (the staff of the human rights defender, the staff of the president, the staff of the prime minister, the staff of the national assembly, the board of the public television and radio company, state bodies (including subordinate state bodies) excluding the central bank, the staff of community heads, and state and community non-profit organisations), as well as fully state-owned companies.

Public sector organisations should have an IT asset Registry, the protection of which should be ensured by organisations, taking into account the requirements of the applicable legislation in the field of information security and information protection, as well as the requirements of the international standard ISO/IEC 27001 "Information technology – Security techniques – Information security management systems – Requirements."

Also, sector-specific certification regulations exist in the financial sector, which are established by Central Bank (as detailed in 3. Operational Resilience in the Financial Sector).

The main legislative act setting out general rules concerning the processing of personal data applicable in both the private and public sectors is the Law of the Republic of Armenia on protection of personal data (the Data Protection Law).

As to the intersection between the Law and the Personal data protection law, it should be noted that this Law defines that the processing of personal data by service providers when ensuring cybersecurity should be governed by the personal data protection legislation.

Cybersecurity Requirements Applicable to the Controller

The data controller should do the following:

• Ensure the security of information systems of processing personal data and guarantee that third parties do not have the possibility to access such information systems unlawfully, as well as ensure that lawful users have access only to the data they are authorised to process and to the data they are permitted to use.

• When processing biometric personal data outside information systems, ensure that such data is stored and used only on physical media, technologies, or in formats that protect the data from unauthorised access, illegal use, destruction, alteration, transmission, duplication, or dissemination. The requirements applicable to the physical media and technologies are not yet established and should be established by the Information Systems Regulatory Commission.
• Use encryption measures when processing personal data.

The aforementioned obligations apply to any entity that processes personal data, which may include state or local self-governmental bodies, state or municipal institutions or organisations, as well as legal or natural persons who organise and/or carry out the processing of personal data. The supervision over the compliance with these regulations is by default done by the Personal Data protection Agency (PDPA), unless the processor is a service provider under the law on cybersecurity or a database manager under the law on public information, in which case the supervision is done by Information Systems Regulatory Commission.

Notifications Regarding Personal Data leakage

In the event of a personal data leakage from electronic systems, the processor should immediately issue a public announcement regarding the breach, while simultaneously notifying the Police of the Republic of Armenia and the PDPA.

Under the current Armenian cybersecurity regime, there is no AI-specific legislation or regulatory guidance.

On 6 January 2026, the Armenian Government approved the Doctrine of Economic and Institutional Transformation of Armenia, which identifies the development and implementation of artificial intelligence technologies as a priority for the Armenian economy and envisages the future development of an AI policy framework.

Under the Law, the healthcare system is classified as a sector of vital importance. Accordingly, it should be taken into account that the Law provisions should be applicable to service providers operating within the healthcare sector (for more details on scope of service providers, see 2.2Critical Infrastructure Cybersecurity Requirements).

At the same time, it should be noted that the provisions of the Law would be applicable to state and local self-governmental bodies with respect to the exercise of their duties in relation to the healthcare system.

Currently, the sector-related regulatory framework includes the Law on Medical Assistance and Service for the population, as well as several Governmental decrees regarding the requirements for databases in the healthcare sector which are operated by state bodies or public organisations. There is no established sector-specific incident reporting, certification or procurement-related security requirements.