On June 30, 2021, the Government of Mongolia submitted a draft Law on Cyber security and supplementary draft laws to the State Great Khural(or the Parliament). On December 17, 2021 at the plenary session, the State Great Khural approved the draft Law on Cyber security. The law has adopted the first time in Mongolia and has been discussed and developed 7 times over the past decade.

Within framework of the Fourth Industrial Revolution, our country has established a legal system for ensuring national cybersecurity, a vital law that creates legal conditions for the development and security of the country, as well as information security, which is an integral part of national security1.

In case of violation of the Law on Cyber security and investigating the violation, the terminology, element of crime and the concept of Chapter 26 of the Criminal Code of Mongolia have been amended in accordance with the Law on Cyber Security and the UN Budapest Convention. In addition, Law on Infringement, the Law on Communications, the Law on Infringement procedure and the Law on Criminal Procedure have been amended in connection with the adoption of the Law on Cyber security2.

An overview of highlighted new regulations of the Law on Cyber security is outlined in this legal alert.

Purpose of the Law

The purpose of the Law on Cyber security is to establish a system, principles and legal basis for cybersecurity operations, and to manage the relations ensuring the integrity, confidentiality and accessibility of information in cyberspace and cyber environment.

Scope of the Law

Coordinates, organizes and monitors the relations between the state, individuals and legal entities related to cyber security.

Unless otherwise provided by law, this law shall apply to foreign citizens, stateless persons, and legal entities of foreign country and with foreign investment which operates through Mongolia's information system and information network.


"Cyber security"- means the integrity and confidentiality of information in a cyber environment;

"Cyber space"- means tangible and intangible field consisting of the Internet and other information and communication networks and the interconnected set of information infrastructure to ensure their operation;

"Cyber environment"- means an information system and information network environment that allows to access, login, collect, process, store and use of information;

"Cyber- attack"- means an action aimed at undermining the cyber security of an information system or information network;

"Cyber security breach"- means an act or omission that threatens the integrity, confidentiality or accessibility of information;

"Center for Combatting Cyber-attacks and violations"- means an entity with the main function to coordinate the activities of preventing, detecting, suppressing, responding to and restoring information systems and providing professional management;

"Cyber security risk assessment"- means specialized activities to determine the probability of a cyber security breach, threat, vulnerability its consequences, risk reduction and prevention measures for electronic information, information systems and information networks;

"Organization with critical information infrastructure"- means an organization with an information system and information network that could cause a damage to Mongolia's national security, society and economy due to the loss of cyber security;

"National cyber-attack"- an attack on the information systems and information networks of an organization with critical information infrastructure that can disrupt the normal functioning of the organization and harm the national Security, society and economy of Mongolia;

"Integrated state information network" - a set of state Internet, official and special use networks with integrated infrastructure aimed at exchanging information between government organizations and ensuring cyber security;

Areas of cyber security:

  • cyber security policy, management and organization;
  • technical and technological measures to ensure cyber security;
  • prevention and education of cyber-attacks and violations;
  • detection, suppression, retaliation and recovery of cyber-attacks and violations.

Cyber security risk assessment

  • Cyber security risk assessment will be conducted by a legal entity which registered with the state central administrative body in charge of digital development and telecommunications. The legal entity shall have a full-time employee with a valid certificate issued by an international professional association, standardization organization or equivalent or similar organization.
  • Procedures and methodologies for cyber security risk assessment shall be approved by the state central administrative body in charge of digital development and telecommunications in cooperation with intelligence agencies.

Information security audit

An information security auditing shall be performed by a legal entity registered with the state central administrative body in charge of digital development and telecommunication. The legal entity to conduct an information security auditing shall have:

  • a full-time staff member with a valid certificate of information security auditing which issued by an international professional association, standardization organization or equivalent or similar organization;
  • the employee does not work under a parallel contract with other legal entities authorized to conduct similar audits;
  • other requirements under the law.

To view the full article click here


1 http://parliament.mn/n/mo3on 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.