As part of the draft law, it is proposed to amend the laws "On the Licensing and Permitting System" and "On Cybersecurity," which will require companies in the field of cryptographic and technical information protection to obtain licenses. Licensing will cover activities such as the development and production of cryptographic protection means, their installation, adjustment, maintenance, creation of key information, as well as monitoring cyber threats, identifying spy devices, and responding to cyberattacks.
Additionally, the draft law introduces new concepts related to information infrastructure, including the term "state information infrastructure." It clarifies the rights and obligations of the owners of this infrastructure, including the necessity of conducting internal audits, notifying state authorities about cyber incidents, and complying with the directives of authorized bodies.
The draft also defines the powers of the authorized body in the field of digital forensics, conducting penetration tests (pentests), overseeing the development and operation of information protection means, as well as regulating the import and export of cryptographic tools.
The explanatory note to the draft law emphasizes that the lack of licensing has led to the emergence of many companies in the market without the necessary qualifications, which increases the risks of data leaks and vulnerabilities in information systems. The new legislative norms are expected to contribute to the creation of a transparent market for services, improve the quality of technical protection, and strengthen the country's digital sovereignty.
