Liability for Violations of Cybersecurity Requirements: What Changes Are Expected in the Legislation?

On 15 April 2026, the President of the Republic of Belarus signed the Law “On Amendments to the Codes on Administrative Liability”. Among other changes, the Law introduces liability for violations of cybersecurity requirements.

What applies today?

At present, the legislation does not contain any specific provisions establishing liability for violations in the field of cybersecurity.

Failure to comply with cybersecurity requirements may currently result in:

  • administrative liability (Article 24.58 of the Code of the Republic of Belarus on Administrative Offences (hereinafter — the Administrative Offences Code) — “Failure to take measures for the proper organisation of the activities of a legal entity”);
  • criminal liability (Article 203-2 of the Criminal Code of the Republic of Belarus — “Failure to comply with measures to ensure the protection of personal data”);
  • disciplinary liability.

What is planned to be added?

The Law “On Amendments to the Codes on Administrative Liability” provides for the addition of the following articles to the Administrative Offences Code:

  • Article 23.11 — “Violation of Cybersecurity Requirements”;
  • Article 23.12 — “Violation of Cybersecurity Requirements in Respect of Critical Information Infrastructure Facilities”.

Article 23.11: Liability for Violations in the Field of Cybersecurity

Article 23.11 provides for several levels of liability:

  1. If there is no obligation to use information protection systems (hereinafter — IPS) at an information infrastructure facility, but a violation of cybersecurity requirements has occurred, the owner (holder) of such facility may be subject to a fine: for individuals — up to 20 basic units; for legal entities — up to 100 basic units.
  2. Failure to comply with, or improper compliance with, the requirements for technical and cryptographic protection of information, where IPS are used in the information system: for individuals — up to 25 basic units; for sole proprietors and legal entities — up to 125 basic units.
  3. Failure to use IPS where such obligation is established by law: for individuals — up to 50 basic units; for sole proprietors and legal entities — up to 200 basic units.
  4. Failure by a cybersecurity centre to comply with, or improper compliance with, the requirements applicable to such centres: for individuals — up to 150 basic units; for legal entities — up to 600 basic units.


*A cybersecurity centre means a dedicated structural subdivision established for the continuous monitoring, detection, analysis and prevention of cyber incidents.

The requirements applicable to such centres, as well as the list of organisations for which the establishment of cybersecurity centres is mandatory, are set out in Decree of the President of the Republic of Belarus No. 40 dated 14 February 2023 “On Cybersecurity”.
 

Important: liability under Article 23.11 arises only where a high-level cyber incident occurs.
However, where a low-level cyber incident occurs, liability for violation of cybersecurity requirements may arise under Article 24.58 of the Administrative Offences Code.

Article 23.12: Liability for Critical Information Infrastructure Facilities

Article 23.12 applies exclusively to critical information infrastructure facilities.

  1. Liability is established in the following cases: Failure by the owner to comply with the requirements for technical and cryptographic protection of information: — for individuals — up to 50 basic units; — for legal entities — up to 200 basic units.
  2. If the act referred to in paragraph 1 caused harm to the national interests of the Republic of Belarus: — for individuals — up to 100 basic units; — for legal entities — up to 500 basic units.
  3. Failure by the owner to comply with the requirements for classifying a facility as critical and for ensuring technical and cryptographic protection of information: — for individuals — up to 150 basic units; — for legal entities — up to 700 basic units.

What can be done now?
REVERA law group recommendations

The adoption of the new regulation in the field of cybersecurity confirms the increased attention of the state to issues of ensuring cybersecurity.

Failure to comply with the applicable requirements in this area may result not only in administrative, criminal or other liability, but also in financial and reputational losses.

To minimise risks and ensure timely preparation for the entry into force of the new provisions, we recommend conducting an audit of internal cybersecurity processes and reviewing the existing requirements in this area.

In particular, businesses are already advised to review compliance with:

  • personal data protection legislation;
  • the requirements regarding the use of the national segment of the Internet (Decree of the President of the Republic of Belarus No. 60 dated 1 February 2010);
  • specific cybersecurity requirements (Order of the OAC No. 130 dated 25 July 2023); and
  • other applicable requirements.

 

Author: Liudmila Yepikhava, Aliaksandra Mahlysh

Contact a lawyer for further information

Contact a lawyer

Read more

news

Aptoide Files Antitrust Lawsuit Against Google: The Fight for Android Ecosystem Openness Continues

 articles

UDRP Overview Guide – Review REVERA law group

 news

Material Adverse Effect: what did the court decide?