The Georgian Parliament discussed the Draft Amendments to the Law of Georgia on Information Security with the III reading and adopted the Bill with 77 votes against 2 that contradicts EU regulations (Network and Information Systems Directive (NIS).

It should be emphasized that as soon as the bill was initiated the draft amendments have been discussed and criticized by the civil society organizations and relevant experts. IDFI has been actively engaged in the process of revising and analyzing the risks associated with the bill. The amendments adopted by the Georgian Parliament totally converts the Cybersecurity system of Georgia and contains very important risks.

Who is affected by the new law on information security?

The new law subjects into 3 tiers:

- The subject of the first category includes state institutions, legal entities of public law and state enterprises. The strictest regulations fall under tier I that enable OTA (State Security Service LEPL Operational–Technical Agency) to have access to the information infrastructure, systems and assets of the objects of critical information infrastructures (e.g. the Parliament of Georgia, The Administration of the President of Georgia, Tbilisi City Hall, Election Administration of Georgia, Georgian Railway, and etc.).

- Electronic communication companies will be included in the second category that enable law enforcement agencies to control telecommunication companies and Internet providers. 

- Third category covers legal entities of private law, such as banks and financial institutions, and falls under tier 3 controlled by the Digital Governance Agency of the Ministry of Justice. Therefore, the regulations applying to this category is relatively loyal.

Authority granted to the OTA (State Security Service LEPL Operational–Technical Agency)

- Authority to monitor the network flow, to configure and manage the network sensor of the entities falling under tier 1 and in case of consent, the network sensor of entities falling under tier 2;

- Upon request (for computer incident response) to gain access to the information assets, information system and / or information infrastructure of the entities falling under tire 1 and 2;

- Mandatory planned/unplanned inspection of the Informational Technology Infrastructures;

- Apply the administrative sanction in case of non-fulfillment of received data during the regular inspection;

- To define the minimum requirements for Information Security of the entities falling under tier 1 and 2 by subordinate normative acts; 

- To define Information Security rules for internal use of the entities falling under tier 1 and 2;

- To request information related to the development, implementation, monitoring and improvement of information security policy;

- To have full access to information security audits and penetration testing (except financial institutions).

The new law of Georgia on Information Security grants the OTA the full authority to have direct access to information systems of the executive, legislative, judicial authorities as well as the telecommunication sectors and indirect access to personal and commercial information.

The law enforcement agency is given the opportunity to have access to personal data, as the ambiguity of the norms poses a real danger of illegal and disproportionate processing of personal data.

See our study for more details: Cyber Security Reform in Georgia: Existing Challenges, International Practices and Recommendations.

 _____

This material has been financed by the Swedish International Development Cooperation Agency, Sida. Responsibility for the content rests entirely with the creator. Sida does not necessarily share the expressed views and interpretations.