Belarus: Cybersecurity


1. GOVERNING TEXTS

1.1. Legislation

The legislation covering data protection and cybersecurity obligations includes the following acts of general application:

  • Law of the Republic of Belarus of 10 November 2008 No. 455-3 'On Information, Digitalisation and Information Protection' (only available in Russian) ('Law No. 455-3'). Law No. 455-3 establishes the general categories of information and information systems, measures for data protection, the obligations of owners of information systems, and the powers of state bodies in this sphere;
  • Edict of the President of the Republic of Belarus of 16 April 2013 No. 196 'On Development of Data Protection' (only available in Russian) ('Edict No. 196'). Edict No. 196 establishes the requirements and procedures for technical and cryptographic protection of information, and the qualifying features of critically important digital assets;
  • Law of the Republic of Belarus 'On Personal Data Protection' ('the Law on Personal Data'), adopted in April 2021 and in effect since 15 November 2021. For the first time in Belarusian legal history, the Law on Personal Data provides definitions of personal data and of the actors in personal data processing, sets out their rights and obligations, lays down specific rules for cross-border personal data transfers, and limits the use of personal data;
  • Order of the Operations and Analysis Centre under the President of the Republic of Belarus of 20 February 2020 No. 66 'On Implementation of the Edict of the President of the Republic of Belarus No. 449 dated 09.12.2019' (only available in Russian) ('Order No. 66'). Order No. 66 clarifies the certification procedure for information systems processing information of limited distribution, and the technical and cryptographic protection of critically important digital assets; and
  • Order of the Operations and Analysis Centre under the President of the Republic of Belarus of 12 March 2020 No. 77 'On Approval of Compliance of Information Protection Tools' (only available in Russian) ('Order No. 77'). Order No. 77 establishes a system of state standards for information protection covering specific components of data protection, for instance antivirus software and pre-encryption tools.

Cybersecurity in Belarus is also governed by a range of specific legal acts relating to particular categories of information systems and their owners. These include, for example:

  • The Banking Code of the Republic of Belarus of 25 October 2000 ('the Banking Code'). The Banking Code sets out basic requirements for the risk management of banks and other credit institutions, including data protection, and establishes the powers of the regulatory authority, the National Bank of the Republic of Belarus ('the National Bank'), to adopt related legislation and guidelines for banks.
  • Law of the Republic of Belarus 'On Payment Systems and Payment Services' (only available in Russian) ('the Payment Services Law'). The Payment Services Law regulates the activities of both domestic and foreign payment service providers. It also creates a baseline of data protection and cybersecurity requirements for payment service providers' information systems.
  • The Rules on Rendering Services Connected to Creation and Placement of Digital Signs (Tokens) and Related Transactions, approved by the Supervisory Board of the High Technologies Park (only available in Russian) ('the Rules of HTP'). The Rules of HTP cover token-related activities of entities and residents of the High Technologies Park, including data protection and cybersecurity matters.

1.2. Regulatory authority

The main regulatory authorities under the generally applicable cybersecurity-related laws are:

  • The Operations and Analysis Centre under the President of the Republic of Belarus ('OAC'). The OAC is responsible for:
    • drafting and adopting regulatory acts in the sphere of data protection;
    • supervising data protection compliance, including technical and cryptographic information protection;
    • issuing prescriptions (binding orders) to owners of information systems to remedy identified violations;
    • developing certification procedures for information systems, including critically important digital assets;
    • coordinating the activities of state bodies in the cybersecurity sphere;
    • categorising information systems;
    • aggregating the information that owners of information systems report on their compliance with legislation, identified violations, and risks;
    • establishing interoperability requirements for information systems; and
    • exercising other powers in the sphere of data protection.
  • The Ministry of Communications and Informatization of the Republic of Belarus, which has the following competencies:
    • implementing a unified state policy in the sphere of data protection;
    • developing sectoral government programmes;
    • coordinating the formation and state registration of information resources;
    • technical regulation and standardisation of information resources, information systems, and information networks; and
    • promoting the creation of information technologies, information systems, and information networks.

This list of regulatory authorities is not exhaustive; other state bodies may exercise authority in the cybersecurity sphere within their competence. For instance, the State Control Committee and the State Security Committee are entitled to impose sanctions on owners of information systems for violations of applicable legislation, and the Ministry of Internal Affairs is authorised to penalise violations of personal data regulations.

1.3. Regulatory authority guidance

There is no binding official guidance from the regulatory authorities on the application of cybersecurity-related legislation. The OAC does, however, regularly publish recommendations on the principles and methods of data protection on its official website.

2. SCOPE OF APPLICATION

The personal scope

Law No. 455-3 defines the actors of information relations as:

  • Republic of Belarus and administrative-territorial units of the state;
  • public authorities and state organisations;
  • other legal entities and companies without a status of a legal entity;
  • private persons, including individual entrepreneurs; and
  • foreign states and international organisations.

Actors of information relations can act as:

  • owners of information;
  • users of information, information systems and/or information networks;
  • owners of software and hardware tools, information resources, information systems, and information networks;
  • information intermediaries; and
  • operators of information systems.

Owners of information systems have the key role in ensuring the cybersecurity of their information systems. In most cases they must put in place cryptographic and technical protection of those systems, they have reporting obligations to the OAC and other competent authorities, and they bear liability for cybersecurity and personal data violations.

However, the owner and the user of an information system do not always coincide. For these cases Law No. 455-3 introduced a separate definition of an operator of an information system: an actor of information relations who operates the information system and/or provides information services by means of it.

Cybersecurity definitions are closely linked to the actors in personal data processing. The Law on Personal Data provides the following categories:

  • personal data subject – a private person whose personal data is processed;
  • personal data operator – a state authority, a legal entity of the Republic of Belarus, another company or a private person, including an individual entrepreneur, processing personal data independently or jointly; and
  • authorised person – a state authority, a legal entity of the Republic of Belarus, another company or a private person processing personal data on behalf or in the interests of a personal data operator based on a legal act, a decision of a state authority or a contract with the personal data operator.

The territorial and extraterritorial scope

Personal data protection and cybersecurity protection have different territorial scopes. The Law on Personal Data does not define territorial limits on its application based on the nature of the personal data concerned. A literal reading of the Law on Personal Data therefore leads to the conclusion that it covers not only the personal data of Belarusian citizens and/or residents, but also any other personal data that in any way falls within the Belarusian legal field. The definition of a personal data operator likewise applies to foreign entities and is fully extraterritorial in character.

The basic extraterritorial provisions on cybersecurity are found in Law No. 455-3. It requires all information systems processing information of limited distribution to pass attestation and to implement additional protection measures under the procedure specified by the OAC, irrespective of whether the information system and its owner are located in Belarus or abroad. From this perspective, Belarusian cybersecurity regulation is also extraterritorial; however, supervision and enforcement of cybersecurity requirements against foreign owners of information systems are questionable in practice.

Specialised bylaws such as Order No. 66, by contrast, focus on particular requirements for information systems that are located in Belarus or connected to state-owned information resources, including critically important digital assets, local information systems processing personal data, restricted proprietary information, etc.

The material scope

Law No. 455-3 distinguishes two main categories of information governed by data protection legislation:

  • publicly available information (Law No. 455-3 gives examples: information on health, demographics, education, culture, and the amount of the state's gold reserve), for which protection requirements may be established only to prevent its destruction, unlawful modification, or the blocking of authorised access to it; and
  • information of limited distribution, which includes:
    • information on private life of individuals and personal data;
    • state secrets;
    • service information of state bodies;
    • commercial, professional, banking, and other secrets protected by law;
    • information related to administrative offences and materials of criminal prosecution bodies and courts (until the completion of respective proceedings); and
    • other information provided in law.

Critically important digital assets

Belarusian legislation defines which digital assets are considered critically important, that is, having an impact on the national interests of the Republic of Belarus. As a rule, such digital assets belong to republican and regional state bodies, the National Bank, and large state-owned enterprises.

For a digital asset to be recognised as 'critically important', the information system, resource, or network must meet at least one of the criteria provided in Edict No. 196:

  • social importance;
  • economic importance;
  • environmental importance; or
  • informational importance.

Personal data regulation material scope

The Law on Personal Data regulates personal data processing, including collection, systematisation, storage, correction, use, depersonalisation, blocking, dissemination, provision, and deletion. Under the Law on Personal Data, personal data is defined as any information relating to an identified private person or to a private person who can be identified.

Personal data regulations do not cover personal data:

  • processed by private persons for personal and home use which are not connected to business or other professional activities; and
  • classified as state secrets.

3. DEFINITIONS

Belarusian law provides the following basic definitions relating to cybersecurity:

  • data security policy – the general intentions of an organisation to ensure the confidentiality, integrity, authenticity, availability, and safety of information, documented by the owner of an information system (per Law No. 455-3);
  • database – a set of interconnected information structured according to certain rules on tangible media (per Law No. 455-3);
  • data bank – an organisational and technical system that includes one or several databases and a database management system (per Law No. 455-3);
  • information intermediary – an actor of information relations providing information services to owners and/or users of information (per Law No. 455-3);
  • cryptographic protection of information – actions to ensure the confidentiality, integrity control, and authenticity of information using cryptographic information protection tools (per Edict No. 196); and
  • technical protection of information – actions to ensure the confidentiality, integrity control, and authenticity of information without cryptographic information protection tools (per Edict No. 196).

Local legislation does not define the role of a cybersecurity officer precisely. Legal acts only specify requirements for the officers responsible for cybersecurity/information security in organisations: they must have a higher education in information protection, or a higher or vocational education in another field combined with retraining or advanced training in technical and cryptographic information protection.

A definition of a cybersecurity incident is also absent from Belarusian law. Order No. 66 does, however, list examples of cybersecurity incidents. This list serves as a checklist for testing data protection systems and includes information leaks, intrusions into information systems, malware, etc.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

Since 1 April 2020, owners of information systems processing information of limited distribution and of critically important digital assets must provide advanced training for their officers responsible for cybersecurity every three years. The same requirement applies to providers of technical and cryptographic protection services.

Advanced training is entrusted to a single state-owned institution, the National Traffic Exchange Center.

4.1. Cybersecurity training and awareness

Not applicable.

4.2. Cybersecurity risk assessments

Apart from the special standards for banks and other financial institutions, a general approach to cybersecurity risk management is prescribed in the state standard STB 34.101.70-2016 'Information Technologies. Security Methods and Tools. Methodology for Assessment of Information Security Risks in Information Systems'. Previously, owners of critically important digital assets were merely recommended to follow this standard when creating internal risk management systems.

Currently, developing a methodology for assessing the information security risks of a critically important digital asset, and carrying out that assessment, are compulsory elements of the terms of reference for the development of the asset's information system.

A review of risk management standards also forms part of the regular audit of critically important digital assets described below.

4.3. Vendor management

There is no special regulation of vendor management security. Certain provisions exist exclusively for state procurement and the operation of the State information and analytical system of public procurements ('GIAS'). All information contained in GIAS is deemed publicly available, so the cybersecurity requirements for information of limited distribution do not apply to it; GIAS must not, however, contain state secrets.

4.4. Accountability/record keeping

Legislation regulates the audit of information systems in detail, but only with respect to critically important digital assets. For all other types of information systems, including systems processing information of limited distribution, an audit is optional.

The audit of a critically important digital asset must take place no later than one year after its creation and annually thereafter. Audits may be performed by the owner of the digital asset or by an independent licensed contractor. The template of an information system audit act covers 24 aspects, such as identification and authentication, management of backup (redundancy) processes, training of personnel, etc.

5. DATA SECURITY

Owners of information systems must take the following measures to ensure data protection:

  • legal measures – depending on the specific information system, these may include concluding user agreements and/or non-disclosure agreements with counterparties;
  • organisational measures to ensure employees comply with the data protection regime; and
  • technical measures, including the use of technical and cryptographic protection tools and mechanisms for controlling the effectiveness of data protection.

When building the technical base of a data protection system, an owner of an information system may use only technical and cryptographic protection tools holding Belarusian state certificates of conformity. Alternatively, the owner may apply to the OAC for a state expert examination of the protection tools used.

Information systems processing information of limited distribution must pass certification to be considered compliant with data protection requirements. Certification includes approval of the internal data protection policies and an analysis of the structure of the information system and its information flows in order to specify the composition, number, and location of the system's elements.

There are two options for obtaining certification for an information system:

  • certification can be carried out by the structural units or officials of the owner of the information system who are responsible for data protection; these employees must have a higher education in information protection, or a higher or vocational education in another field combined with retraining or advanced training in technical and cryptographic information protection; or
  • certification can be performed by an outsourcing company holding a licence to provide technical and cryptographic data protection services.

The certification of an information system must be completed before the system is put into operation.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

Since 14 March 2020, owners of information systems have been subject to special reporting requirements established by the OAC for:

  • critically important digital assets;
  • systems processing service information of state bodies;
  • systems processing information on the private life of individuals and personal data, except for information systems used for token-related activities of residents of the High Technologies Park; and
  • systems processing information of limited distribution owned by state bodies and other organisations with 50% or more shares belonging to the state.

Owners of critically important digital assets must notify the OAC of the following:

  • creation of the digital asset – within five business days;
  • results of the audit of the information system of the digital asset – annually;
  • any cybersecurity incidents – within one calendar day; and
  • planned suspension of the digital asset to perform technical works – ten business days prior to the suspension.

Since 2020, owners of systems processing information of limited distribution have also been obliged to inform the OAC of certain facts and incidents:

  • creation of information systems – no later than 1 February of the year following the reporting period;
  • information on internal cybersecurity departments and officers – no later than 1 February of the year following the reporting period;
  • any cybersecurity incidents – within one calendar day; and
  • attestation of the information system – within ten calendar days.

7. REGISTRATION WITH AUTHORITY

Registration is obligatory only for certain types of information systems.

All critically important digital assets must be registered in the State Register of Critically Important Digital Assets maintained by the OAC, as described in Section 11 below.

All state-owned information systems must be registered in the Register of Information Systems, in which owners of private information systems may, but are not obliged to, register their systems.

8. APPOINTMENT OF A SECURITY OFFICER

State bodies and owners of information systems processing information of limited distribution must appoint officers or structural units responsible for data protection.

The head of the organisation that owns an information system bears personal responsibility for data protection in the organisation, including the technical and cryptographic protection of its information systems.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial services

The High Technologies Park, a special Belarusian cluster for IT companies, has introduced special data protection requirements for token-related activities (the Rules of HTP), which are currently available almost exclusively to residents of the High Technologies Park. The Rules of HTP oblige business entities to take technical, software, and organisational measures to ensure the safe operation of the information systems they create and use to provide Initial Coin Offering ('ICO') services to their clients.

These measures shall include, among other things, the following:

  • adopting rules for personal data processing;
  • using special technical and cryptographic protection tools;
  • limiting the number of persons with access to the information systems;
  • using multi-factor authentication for access to the information systems;
  • designating reserve (backup) assets for processing and storing information; and
  • adopting an operational recovery plan for the information systems.

Data protection and cybersecurity in banks are governed by state standards of the Republic of Belarus ('STB'), which are approved by the State Committee for Standardisation of the Republic of Belarus. For example, the basic principles for building banking information security systems are set out in STB 34.101.41-2013 'Information Technologies. Security Methods. Ensuring the Information Security of Banks of the Republic of Belarus. General Provisions'. The STBs cover, among other things, the audit of information security in banks, assessment methodology, and methods of data protection risk management.

The National Bank is authorised to issue additional data protection requirements and guidelines for banks and non-bank credit and financial institutions. For instance, the National Bank has issued recommendations on outsourcing in banks and its compliance with data protection regulations. All banks must obtain the National Bank's approval of candidates for the position of head of the information security department.

Health

In 2019, the Ministry of Healthcare of the Republic of Belarus introduced personal data protection rules for the healthcare sector, intended to unify the information systems used in healthcare institutions and containing specific cybersecurity requirements.

In 2020, amendments to the Law of the Republic of Belarus of 18 June 1993 No. 2435-XII 'On Healthcare' (only available in Russian) announced the creation of a Centralised Health Information System. The goal of the system is to provide centralised storage and processing of medical information, including databases, registers, etc. The system will have the status of a state-owned information system.

The system shall ensure:

  • the receipt, transfer, collection, processing, accumulation, storage, search, and provision of medical information, as well as its protection; and
  • the maintenance of electronic medical records of patients and of the unified electronic archive of medical information.

Telecommunications

Not applicable.

Employment

Owners of information systems must take certain steps to create a data protection regime for their employees, which should include:

  • the establishment of a special access regime to the territory (premises) and storage mediums where the information is kept; and
  • the differentiation of information access levels for employees and contractors.

Cybersecurity protection is closely interconnected with the commercial secrecy regime, as commercial secrets make up a large part of the information of limited distribution held by business entities. A data protection regime therefore cannot be considered sufficient without the special commercial secrecy protection measures prescribed by Belarusian law, including:

  • the adoption of internal regulations providing the rights and obligations of employees having access to commercial secrecy and information management;
  • registering employees that have access to commercial secrecy;
  • the inclusion of a non-disclosure clause in employment agreements or conclusion of separate non-disclosure agreements with employees; and
  • the appointment of officers responsible for the maintenance of a commercial secrecy regime.

Education

Not applicable.

Insurance

Not applicable.

10. PENALTIES

Violations in the cybersecurity sphere fall into two groups: non-compliance by owners of information systems with data protection legislation, and offences and crimes involving unauthorised access to information systems and resources.

Breaches of data protection legislation are generally treated as administrative offences in Belarus and entail administrative liability for the owners of information systems.

In 2021, Belarus introduced more comprehensive and stricter liability for personal data protection violations:

  • intentional unlawful collection, processing, storage or provision (disclosure) of an individual's personal data, or violation of their rights related to the processing of personal data, is punishable by a fine of up to 50 basic values (approx. €470);
  • if the above actions are committed by a person who holds the personal data by virtue of their professional or official activity, the fine is from 4 to 100 basic values (approx. €40 to €940);
  • intentional unlawful dissemination of individuals' personal data is punishable by a fine of up to 200 basic values (approx. €1,880); and
  • failure to provide means of personal data protection is punishable by a fine of from 2 to 10 basic values (approx. €19 to €94); for an individual entrepreneur, from 10 to 25 basic values (approx. €94 to €235); and for a legal entity, from 20 to 50 basic values (approx. €188 to €470).

When monitoring the compliance of owners of information systems with the legislation, the OAC may suspend the operation of an information system for up to six months, until all identified violations have been remedied.

Unauthorised access to information systems can entail administrative liability in the form of a fine of 20 to 30 basic values (approx. €188 to €282). Alternatively, such an act may entail criminal liability (for private persons only) in the form of a fine, a prohibition on holding certain official positions or performing certain activities, and/or imprisonment for up to seven years, depending on the gravity of the crime and its consequences.

11. OTHER AREAS OF INTEREST

Belarusian legislation provides special regulations for the classification of state secrets and for the measures protecting them. Information systems processing information related to state secrets are subject to special control and inspections by the OAC in accordance with the regulations approved by Order No. 66.

As an additional cybersecurity measure, Belarusian legal entities and individual entrepreneurs must use only information networks, systems, and resources located in Belarus when selling goods, performing works, or rendering services on the internet.

In 2018, the Council of Ministers adopted the Concept of Information Security of the Republic of Belarus (only available in Russian) ('the Concept'). The Concept sets out, inter alia, the basic directions for the development of data protection in Belarus over the next few years, which include:

  • the creation of a single state monitoring system for the provision of information security services to the public sector and the business community;
  • automated aggregation of information on revealed cyber incidents and exchange of this information among competent state bodies, telecommunication operators, and computer emergency response teams (CERT/CSIRT);
  • the implementation of special sector cybersecurity monitoring systems for critically important digital assets; and
  • the development of personal data protection legislation in accordance with the principle 'security by default', including the establishment of a special authority responsible for the protection of personal data-related rights of private persons.

Network and information systems

Law No. 455-3 defines an information system as a combination of data banks, information technologies, and a complex of software and hardware tools. An information network is defined as a set of information systems, or a complex of software and hardware tools, that interact through telecommunication networks.

The main criterion determining applicable data protection obligations and requirements is the type of information processed in information systems and information networks: publicly available information or information of limited distribution as described above.

Currently, special legislative requirements for the protection of publicly available information, including its technical and cryptographic protection, are almost entirely absent. However, most information systems that process publicly available information also process information of limited distribution, and such systems must therefore comply with the special data protection requirements.

Order No. 66 of the OAC additionally divides information systems into ten categories based on the types of information processed and the data channels used.

Critical information infrastructure operators

The OAC maintains the State Register of Critically Important Digital Assets and provides information from this register only to authorised officials of state bodies in accordance with their competence.

Decisions on the inclusion of a digital asset in the register are taken jointly by the competent state body governing the operation of that digital asset and the OAC. The data protection and cybersecurity of critically important digital assets, including the annual information security audit, are regulated by the special rules in Order No. 66.

Operators of essential services

There are no special requirements for the operation of essential services but, where applicable, the provisions on the protection of critically important digital assets apply as described above.

Cloud computing services

While there is no legislation specific to these providers or services, the general requirements on the protection of systems processing information of limited distribution apply.

Digital service providers

The Payment Services Law does not define the information systems of payment service providers, but it entitles the National Bank to establish cybersecurity requirements for information systems used to render payment services.

Klim Stashevsky Partner
Mikhail Khodosevich Associate
Arzinger & Partners LLC, Minsk