Cybersecurity regulation is based on three elements that underpin cybersecurity laws in many countries around the world: Minimum security, reporting and the powers of state authorities vis-à-vis critical infrastructure operators (CRITIS).

Cybersecurity laws explicitly require management systems for information and data security (ISMS) - examples include Germany, Switzerland and China - or implicitly through a catalogue of requirements that addresses the essential content of a management system - examples include the European Union and the USA.

The protection of infrastructures with the help of several lines of defence has established itself as a standard; in the case of critical infrastructures for the state, the authors propose expand- ing the recognised “3 lines of defence” model (3LoD) to include a fourth line of defence, the state as legislator (setter of requirements) and supervisor (review body), to 4LoD.

The state should promote the establishment and operation of information security manage- ment systems (ISMS) for infrastructures defined as critical in the Cybersecurity Act.

These ISMS certifications should be incentivised indirectly in the industry. Incentivisation could be based on the successful procedure in the EU for the introduction of chip cards in accordance with the EMV standard (Europay, Mastercard, Visa). The globally recognised ISO 27001 standard should serve as the certification standard for an ISMS.

The Uzbek administration is recommended to analyse 30 identified points in the current cybersecurity law and to remove the 8 possible obstacles to economic growth identified from these points while at the same time increasing structural security.

In the opinion of the authors, the current draft of the cybersecurity law provides a good basis for a discussion of the current law for Uzbekistan as well as an impetus for a standardised cybersecurity law for Central Asia.