Law On Cyber Security – Security

By | December 14, 2023
Law On Cyber Security – Security

On June 30, 2021, the Government of Mongolia submitted a draft
Law on Cyber security and supplementary draft laws to the State
Great Khural(or the Parliament). On December 17, 2021 at the
plenary session, the State Great Khural approved the draft Law on
Cyber security. The law has adopted the first time in Mongolia and
has been discussed and developed 7 times over the past decade.

Within framework of the Fourth Industrial Revolution, our
country has established a legal system for ensuring national
cybersecurity, a vital law that creates legal conditions for the
development and security of the country, as well as information
security, which is an integral part of national

In case of violation of the Law on Cyber security and
investigating the violation, the terminology, element of crime and
the concept of Chapter 26 of the Criminal Code of Mongolia have
been amended in accordance with the Law on Cyber Security and the
UN Budapest Convention. In addition, Law on Infringement, the Law
on Communications, the Law on Infringement procedure and the Law on
Criminal Procedure have been amended in connection with the
adoption of the Law on Cyber security2.

An overview of highlighted new regulations of the Law on Cyber
security is outlined in this legal alert.

Purpose of the Law

The purpose of the Law on Cyber security is to establish a
system, principles and legal basis for cybersecurity operations,
and to manage the relations ensuring the integrity, confidentiality
and accessibility of information in cyberspace and cyber

Scope of the Law

Coordinates, organizes and monitors the relations between the
state, individuals and legal entities related to cyber

Unless otherwise provided by law, this law shall apply to
foreign citizens, stateless persons, and legal entities of foreign
country and with foreign investment which operates through
Mongolia’s information system and information network.


Cyber security“- means the integrity and
confidentiality of information in a cyber environment;

Cyber space“- means tangible and intangible
field consisting of the Internet and other information and
communication networks and the interconnected set of information
infrastructure to ensure their operation;

Cyber environment“- means an information
system and information network environment that allows to access,
login, collect, process, store and use of information;

Cyber- attack“- means an action aimed at
undermining the cyber security of an information system or
information network;

Cyber security breach“- means an act or
omission that threatens the integrity, confidentiality or
accessibility of information;

Center for Combatting Cyber-attacks and
“- means an entity with the main function to
coordinate the activities of preventing, detecting, suppressing,
responding to and restoring information systems and providing
professional management;

Cyber security risk assessment“- means
specialized activities to determine the probability of a cyber
security breach, threat, vulnerability its consequences, risk
reduction and prevention measures for electronic information,
information systems and information networks;

Organization with critical information
“- means an organization with an
information system and information network that could cause a
damage to Mongolia’s national security, society and economy due
to the loss of cyber security;

National cyber-attack“- an attack on the
information systems and information networks of an organization
with critical information infrastructure that can disrupt the
normal functioning of the organization and harm the national
Security, society and economy of Mongolia;

Integrated state information network” – a
set of state Internet, official and special use networks with
integrated infrastructure aimed at exchanging information between
government organizations and ensuring cyber security;

Areas of cyber security:

  • cyber security policy, management and organization;

  • technical and technological measures to ensure cyber

  • prevention and education of cyber-attacks and violations;

  • detection, suppression, retaliation and recovery of
    cyber-attacks and violations.

Cyber security risk assessment

  • Cyber security risk assessment will be conducted by a legal
    entity which registered with the state central administrative body
    in charge of digital development and telecommunications. The legal
    entity shall have a full-time employee with a valid certificate
    issued by an international professional association,
    standardization organization or equivalent or similar

  • Procedures and methodologies for cyber security risk assessment
    shall be approved by the state central administrative body in
    charge of digital development and telecommunications in cooperation
    with intelligence agencies.

Information security audit

An information security auditing shall be performed by a legal
entity registered with the state central administrative body in
charge of digital development and telecommunication. The legal
entity to conduct an information security auditing shall have:

  • a full-time staff member with a valid certificate of
    information security auditing which issued by an international
    professional association, standardization organization or
    equivalent or similar organization;

  • the employee does not work under a parallel contract with other
    legal entities authorized to conduct similar audits;

  • other requirements under the law.

To view the full article click here



The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.