Main Amendments to Kazakhstan's Legislation on Personal Data, Informatisation and Digital Assets

On 11 December 2023, the Law of the Republic of Kazakhstan No. 44-VIII "On Amendments and Supplements to Certain Legislative Acts on Information Security, Informatisation and Digital Assets" was adopted. 

On 12 December 2023, the Law On Amendments and Supplements to Certain Legislative Acts on Information Security, Informatisation and Digital Assets was officially published. 

This law introduces significant changes to a number of legislative acts regulating information security, personal data protection and digital assets. The main part of these amendments will come into force on 11 February 2024, with the exception of certain provisions that will come into force on 1 July 2024.

Amendments to the law on personal data and its protection

A new concept of "breach of the security of personal data" has been introduced, which means a breach of the protection of personal data resulting in unlawful disclosure, alteration and destruction, unauthorised dissemination of transmitted, stored or otherwise processed personal data, as well as unauthorised access to such data.

The powers of the authorised body have been extended, including exercising state control over compliance with Kazakhstan's legislation on personal data and its protection in the form of inspections and sending information on violations of personal data security to the operator of the information and communication infrastructure of e-government.

In case of detection of a breach of personal data security, the law now provides for the obligation of the owner and/or operator of personal data to notify the authorised body within one working day from the date of detection of such a breach, indicating the contact details of the person responsible for organising the processing of personal data (if any).

It is prohibited to collect and process paper identity copies of documents, except in cases of lack of integration with the computer system of the state body and/or state legal entity, impossibility to identify the subject using technological means, as well as in other cases provided by the laws of the Republic of Kazakhstan.

Amendments to the Law "On Informatisation»

New key terms have been introduced, including 'information security threat', 'information security operations centre', 'information security incident response service', 'vulnerability' and 'single e-government repository'. These terms are intended to strengthen the understanding and regulation of information security. 

  • «Information Security Threat» is defined as a set of conditions and factors that create conditions for the occurrence of information security incidents.
     
  • «Vulnerability» is defined as a flaw in a computer system, the use of which could result in a violation of the integrity, confidentiality or availability of the computer system.
     
  • «Information Security Operations Centre» means a legal entity or a structural subdivision of a legal entity engaged in the protection of electronic information resources, information systems, telecommunication networks and other objects of informatisation.
     
  • «Unified e-government repository» means a repository of source codes and executable codes of e-government informatics objects compiled from them.

The powers of the Authorised Body have been extended, including approval of the rules of operation of the single e-government repository and the rules of interaction with information security researchers.

The powers of JSC National Information Technologies ("Operator") have also been extended. The Operator is obliged, on the basis of the information received from the Authorised Body, to inform the data subjects about breaches of personal data security or processing of personal data by sending information to the user account on the e-government web portal or to the mobile subscriber's number in the form of a short text message.

These amendments aim to strengthen information security in Kazakhstan by providing clearer definitions of key concepts and expanding the powers of regulators to ensure compliance with the requirements of the law.

Amendments to the Law on Digital Assets in Kazakhstan

The Act has been amended with respect to the licensing of digital mining activities. It now provides for cases where a digital mining licence may be suspended for a period of one (1) to six (6) months. The grounds for suspending a licence include.

  • Finding false information when obtaining a digital mining licence.
  • Failure of a digital miner to comply with the requirements established by the legislation of Kazakhstan.
  • Failure to comply with instructions to eliminate violations identified as a result of an unscheduled inspection by the authorised body within the established timeframe.
  • Failure by a digital miner to provide information on changes in information within the timeframe established by the legislation.

Specifies that a decision to suspend a licence must state the reasons and the duration of the suspension of digital mining activities.

Introduces a provision that the suspension of a digital mining licence shall result in a ban on digital mining activities for the period of the suspension.

These amendments are aimed at strengthening control over the sphere of digital assets and increasing the responsibility of market participants. They provide for stricter requirements for the licensing and regulation of digital mining activities, which should contribute to greater transparency and security in this area.


Dear journalists, the use of materials from REVERA website in publications is possible only after our written permission. 

For approval of materials please contact e-mail: i.antonova@revera.legal or Telegram: https://t.me/PR_revera