
Listen to the AI generated audio article.
Overview
Armenia has long sat near the bottom of global cybersecurity rankings, and the 2024 International Telecommunication Union’s (ITU) report, was no exception: the country landed in Tier 4 (evolving), while neighboring states, Azerbaijan and Georgia, ranked as Tier 2 (advancing). Armenia’s weakest points were familiar ones: fragile institutions, thin technical capacity and years of underinvestment. While the country continues to rank low in international cybersecurity rankings, significant policy and institutional progress have been achieved over the last three years, and we can expect a considerable jump in Armenia’s ranking in the years to come. In September, the National Assembly of Armenia passed the Draft Law on Cybersecurity (hereafter: the Law) in its first hearing. The law was submitted by the Government and developed by the Ministry of High-Tech Industry with the Information Systems Agency of Armenia (ISAA). It marked one of the clearest signs yet that Armenia is finally trying to catch up.
Of all the indicators used to gauge a country’s cybersecurity maturity, one lesson is consistent: no sector can sustain growth unless policy and governance do the heavy lifting.
“Economic institutions shape economic incentives: the incentives to become educated, to save and invest, to innovate and adopt new technologies, and so on. It is the political process that determines what economic institutions people live under, and it is the political institutions that determine how this process works.”
– Daron Acemoglu, Why Nations Fail
The same holds for cybersecurity. Whether in the public or private sector, technical measures alone rarely add up to real resilience. Even an organization that has introduced cutting-edge tools will find itself exposed if the underlying governance is weak. That logic has long been embedded in the literature on political economy and in the world’s leading security standards. The International Standardization Organization (ISO) has always stressed the importance of maintaining a proper Information Systems Management System (ISMS). The U.S. National Institute of Standards (NIST) in 2024 updated its Cybersecurity Framework (2.0), and the most substantial change was the addition of a “Govern” function.
Policy Developments
The introduction of the Law on Cybersecurity to Armenia’s National Assembly marks a significant step forward. Even if the precise blend of political will, bureaucratic momentum, and institutional nudging behind it is hard to trace, two forces stand out.
The Law is directly tied to the 2020 National Security Strategy, approved by the Security Council. Although the Armenian Government has distanced itself from this strategy since the 44-day war, forming a new working group in February 2025 by a Decree to develop an updated national security strategy with no visible progress to date—it remains the only strategic-level document addressing cybersecurity. It laid out a credible agenda: a national cybersecurity center, establishing national computer emergency response teams (CERT), and a legal framework for protecting critical information infrastructure. Most of these are now either in development or already in place. By contrast, the Government Programme for 2021-2026 offers only a cursory nod to cybersecurity within the defense sector, yet the government’s actual actions since then have been far more substantial than its own program suggests.
The driving force behind Armenia’s cybersecurity reforms began in 2022, with the establishment of the Information Systems Management Board (ISMB). The board is chaired by the Deputy Prime Minister (who serves as Armenia’s CIO) and comprises eight members. Its primary role is to oversee digital reforms, ensuring that Armenia’s digitalization conforms to an integrated national architecture and achieves better interoperability and security of systems. Three months later, in April 2022, the Information Systems Agency of Armenia was formed as the institutional hub driving Armenia’s digitization and cybersecurity agenda. Given the absence of a formal mandate (which the current Draft Law aims to address), and the government’s financial constraints, ISAA was established as a foundation by a decision of the Central Bank President.
The Information Systems Agency of Armenia (ISAA) currently operates under the Central Bank, which finances it and can offer competitive salaries to attract top talent without undergoing civil service procedures. But the setup is designed to be temporary. In the government’s view, ISAA is a stopgap with an expiration date: a bridge institute that will operate only until the new Cybersecurity Law comes into force and a national cybersecurity center—an autonomous body built on ISAA’s foundations—takes its place.
The Proposed Institutional Framework
The Law envisages a two-tiered institutional setup for cybersecurity governance in Armenia: the authorized body and the autonomous body. The authorized body—the Ministry of High Tech Industry, according to the Law on Government Structure and Activities—will be primarily responsible for developing a unified cybersecurity policy and the overall legislative framework. At the operational level, the autonomous body (i.e., the National Cybersecurity Agency) will be formed based on ISAA. It will serve as the single point of contact and carry out incident response, awareness raising, information sharing, and other functions typical of national cybersecurity agencies.
The proposed governance structure of the National Cybersecurity Agency is commendable. It will be civilian-controlled and governed by a five-member board. The Government of Armenia will propose board candidates to the National Assembly, who will serve five year terms upon election. Parliamentary oversight and civilian control help establish structural advantages from the start, ensuring transparency and checks and balances. This framework also creates an environment where the private sector will be more inclined to share cyber intelligence and incident information with the National Cybersecurity Agency.
The Law establishes Armenia’s institutional framework for cybersecurity and provides the necessary tools to enforce its provisions. The National Cybersecurity Agency has substantial monitoring and compliance authority over both private and public sectors. It can monitor the IT systems of critical information infrastructure operators—directly or indirectly—through audits and on-site inspections. It can also initiate proceedings for non-compliance. The consequences for the private sector and governance concerns are discussed below.
Private Sector Consequences
The Law lists 14 sectors that are important to the state, including public administration bodies, and places responsibilities on the entities operating in those sectors (critical information infrastructure operators). The Law defines specific sectors deemed critically important and five overarching criteria for assessing the criticality of entities operating in those sectors. However, it leaves the specific criteria for identifying critical information infrastructure operators to be regulated later through government decisions and bylaws.
Once the government adopts the criteria for Critical Information Infrastructure (CII) identification and the list of CII operators, those entities will be required to ensure three critical processes:
- Implement organizational and technical measures to prevent, detect, resolve and report cyber incidents.
- Develop proper risk management processes for ensuring the continuity of critical infrastructure operations.
- Meet minimum cybersecurity standards determined by the government and pass cybersecurity certifications (ISO27001 or similar international certification) every three years.
Legally requiring CII operators to report cyber incidents to relevant authorities (the Computer Emergency Response Team, currently operating under ISAA), is a significant step in strengthening Armenia’s overall security resilience. Before the introduction of the Law, the government had no institutional processes to gather and share cyber incident information with the private sector, which operates or owns the majority of digital infrastructure, including utilities, financing, transport and healthcare. In simpler terms, if an adversary launched a coordinated attack on critical infrastructure not operated by the government (such as the healthcare system or energy sector), the government had no formal procedures to gather information, share it with concerned parties, or, in emergencies, assist or assume command and control of major cyber incidents in critical sectors. The Law establishes the legal foundation to address this critical gap, while implementation is left to the National Cybersecurity Agency.
A major concern for private-sector CII operators is the cost of passing mandatory audits and obtaining ISO certification every three years. This is not a one-time effort; it requires organizational, procedural and technical changes. Meeting international certification standards will burden management and impose direct costs for maintaining information management systems and employing cybersecurity specialists. Certification costs depend on an organization’s current cybersecurity and information systems posture. For medium-sized enterprises, costs are estimated to range from $10,000 to $75,000. For large-sized enterprises, they can exceed $100,000.
This is where trust-based cooperation between the public and private sectors becomes crucial. The right public policy approach should emphasize “nudges” and “carrots” rather than fines and cost burdens. However, without a legal mandate for enforcement mechanisms, achieving this balance is difficult.
Compliance With NIS2 and EU Integration
With Armenia’s EU aspirations, compliance with the European Union’s key cybersecurity legal framework is essential. The Network and Information Systems (NIS)2 directive was adopted in 2022, replacing NIS1. It expands coverage to more sectors, imposes comprehensive risk management requirements, sets strict incident reporting timelines, and requires each country to designate a national authority as the single point of contact. Although NIS2 compliance is not currently part of the EU-Armenia CEPA agreement, it is expected to be included in the new agreement under negotiation.[1] Even EU member states are struggling with NIS2 compliance and transposition into national law. The deadline for transposition was October 2024. Only four EU states met it, and in November 2024, the European Commission opened infringement procedures against 23 member states. Currently, 15 out of 27 EU Member States have transposed the NIS2 Directive into national law.
The delay in transposition stems from two structural factors: (1) existing cybersecurity governance frameworks and institutions; and (2) the expanded scope and added sectors. Adapting existing frameworks to the NIS2 Directive creates greater implementation challenges than building a new framework from scratch. Armenia’s current “blank slate” approach gives it a significant structural advantage over some EU states and aspiring members like Moldova and Georgia. For Armenia, policy alignment and implementation are more straightforward. It faces no entrenched political-institutional interests occupying the policy space as Georgia and Moldova do. While Armenia can create new, compliant structures, other countries must rearrange established institutional roles and overcome vested interests.
The new Armenian Law is primarily compliant with NIS2 and mirrors its logic and requirements. Below is a comparison of key aspects in both regulations.

Table 1. Comparison of Armenian Law on Cybersecurity and key NIS2 requirements
Not Carrots and Sticks, But Carrots and Nudges
Once the Law is adopted, the new National Cybersecurity Agency built out of ISAA will need more than technical expertise; it will need clear leadership and credible policymaking to forge a shared vision with the private sector. Strategic communication will be essential. The Armenian government must help the private sector understand that cybersecurity is a shared common good—one whose failure can cascade across the entire market. Government leadership must create a shared understanding: protecting cyberspace requires a whole-of-society effort. An annual statement by the Minister of High-Tech Industry or other high ranking political officials during opening and closing ceremonies won’t suffice. Cybersecurity must be championed continuously, not only by technical and relevant authorities but by leaders at the highest political levels.
Building trust with the private sector will require a nuanced approach—not simply penalizing non-compliance, but offering incentives for compliance. In economic terms, the cost of inaction can sometimes exceed the cost of compliance. The government must therefore incentivize the private sector. But without a shared belief and vision, no incentive will work. Nudge-based policies, drawn from behavioral science, offer a middle ground. They gently steer the private sector toward secure practices without heavy-handed fines. For example, companies that voluntarily adopt and demonstrate high-security standards could receive simplified reporting requirements or reduced audit frequency.
The Government of Armenia and ISAA must demonstrate leadership and excellence to become trusted partners locally and internationally. Without a reputation for excellence, ISAA will struggle to convince local suppliers, such as audit and cybersecurity services providers, to pursue certification as “ISAA trusted service providers.” It will be even harder to persuade critical infrastructure operators to entrust their IT systems to ISAA during major incidents. Building excellence at home will enhance Armenia’s reputation abroad, enabling cooperation and intelligence sharing with international partners.
Building trust should cross political aisles as well. For the upcoming 2026 Parliamentary Elections, ISAA should extend its support and capacity-building activities for all political organizations. Good practices indicate that the role of the government shall not be limited only to awareness-raising activities during the election cycle, but also extend to actual support to participating political organizations. Political parties entering the campaigning cycle can and will have various cybersecurity maturity levels. New and less-funded political parties and candidates will be more vulnerable to cyberattacks. Hence, the government’s efforts to support political parties become more relevant to ensure the campaign period is free of cyber obstructions, and ultimately, electoral integrity is not compromised, ensuring democracy prevails.
Armenia has made considerable progress in institutional development and governance, creating unique structural advantages. Now comes implementation. Success will require leadership, excellence, strategic communications, and the right mix of incentives and encouragement.
Footnote:
[1] Mentioned to me by a Ministry of High Tech Industry representative.
EVN Security Report
EVN Security Report: September 2024
Armenia faces distinct security threats from Azerbaijan, Turkey, and Russia, with Russia posing the most complex and severe challenge through cyber operations. This month's security briefing explores the concept of subversion as a tenable risk-mitigation strategy against these threats.
Read morePodcast
Also see
Cyber Operations and International Law
In the ever-evolving landscape of modern warfare, the significance of cyber operations has grown significantly, providing nations with additional means to project power, exert influence and secure strategic advantages. Davit Khachatryan looks at the contemporary nature of conflicts in the digital age and their adherence to the foundational principles established by the UN.
Read morePolitics
A Viral Scandal and the Line Between Privacy and Public Interest
What are the legal and ethical boundaries between privacy and public interest in democratic societies? Using the recent leaked video involving a senior Armenian cleric as context, Anoush Begoyan outlines established principles that distinguish legitimate scrutiny from voyeurism and scandal.
Read moreFrance–Armenia Defense Partnership: From Symbolic Solidarity to Support for Sovereignty
France’s defense cooperation with Armenia marks a decisive shift in its policy toward the EU’s eastern periphery. Moving from symbolism to substance, Paris now helps Yerevan build deterrence and resilience, reshaping how sovereignty and stability interact in the South Caucasus. Sossi Tatikyan explains.
Read moreArmenia, China, and the Shanghai Cooperation Organization: Navigating Between Poles
Armenia’s pursuit of a strategic partnership with China and its bid to join the Shanghai Cooperation Organization (SCO) reflect a broader effort to recalibrate foreign policy amid shifting global alignments, balancing ambition with constraint in an increasingly multipolar world.
Read moreArmenia vs. Azerbaijan: Competing Narratives at the UN
Five years after the 2020 war, Aliyev and Pashinyan addressed the UNGA with sharply contrasting narratives. Aliyev employed cognitive warfare to assert dominance and legitimize past aggression, while Pashinyan exercised narrative constraint, emphasizing sovereignty, reciprocity and constructive peacebuilding. Sossi Tatikyan explains.
Read moreArmenia’s Balancing Act in a Multipolar World
As global power shifts toward multipolarity, Armenia faces profound uncertainty. With Russia’s retreat and ongoing regional pressures, Yerevan is pursuing a “balanced and balancing” foreign policy—deepening Western ties while engaging Iran, India, China and others—in a bold recalibration of its security and diplomacy.
Read more








