On 22-24 October, the ITU International Cybersecurity Drill 2025 took place in Yerevan. It was organized by the International Telecommunication Union (ITU), the Ministry of High-Tech Industry of the Republic of Armenia, the Central Bank of Armenia, and the Information Systems Agency of Armenia (ISAA). ISAA is responsible for the supervision of AM-CERT, Armenia’s national Computer Emergency Response Team. This article covers the tasks AM-CERT and ISAA handle, a new cybersecurity law that is going to be adopted, and how the ITU helps strengthen the competencies of specialists at national CERTs.
The ITU International Cybersecurity Drill 2025 served as a key platform for dialogue and knowledge exchange among around 200 participants, including representatives from national security and IT agencies, cybersecurity leaders from key sectors such as energy, telecommunications, finance, and transportation, as well as solution developers, researchers, and international experts.
On 22 October, Cosmas Zavazava, Director of the Telecommunication Development Bureau, ITU, opened the CyberDrill by greeting the participants. He mentioned the ITU Global Cybersecurity Index 2024, which measures national efforts to ensure cybersecurity. Armenia was recognized as one of the countries showing strong progress – particularly in the areas of legal measures and international cooperation. At the same time, there remains significant potential for further development in technical, organizational, and capacity-building measures – all of which are essential for achieving sustainable cybersecurity growth.
“The ITU places special emphasis on cybersecurity drills as a key mechanism for developing people and institutional capacity. CyberDrills supported by ITU combine hands-on technical exercises with realistic response scenarios that simulate actual cyberattacks. They improve the operational readiness of national teams and strengthen collaboration across borders,” Cosmas Zavazava mentioned.

All the Cybersecurity Drills organized by ITU are designed primarily for national Computer Incident Response Teams (CIRTs). One of the key sessions of the ITU International Cybersecurity Drill was devoted to enhancing the capacity and effectiveness of national and international CERTs/CSIRTs, as well as strengthening cross-border collaboration to combat evolving cyber threats.
The discussion was moderated by Natalia Mochu, ITU Regional Director, and featured Chris Gibson (CEO, FIRST – Forum of Incident Response and Security Teams), Melissa Sirera (Carnegie Mellon University), Miroslaw Maj (SIM3 Auditor), and Merike Kaeo (Executive Security Advisor, Double Shot Security).
On October 23–24, participants moved from strategic discussions to practical, hands-on cybersecurity exercises.
Marwan Ben Rached, Senior Cybersecurity Coordinator at ITU, led sessions where teams practiced coordinated responses to simulated large-scale cyberattacks, sharing expertise and improving cooperation across regions.
Armenia’s national Computer Emergency Response Team (AM-CERT) has been established to handle security incidents affecting critical infrastructure. The Information Systems Agency of Armenia (ISAA) is responsible for the establishment and supervision of AM-CERT.
ISAA plays regulatory and oversight roles and runs national cybersecurity awareness and training programs, readiness exercises, workshops, and other capacity-building initiatives. In addition, it supports digital governance projects such as interoperability frameworks, data governance, and regulatory oversight for digital public services.
In terms of current and near-future plans in cybersecurity, ISAA has been working in cooperation with the Ministry of High-Tech Industry to develop a legislative package that includes the draft law “On Cybersecurity.” The planned legislation seeks to strengthen Armenia’s unified digital environment through rules for open and public data, data policy, and interoperable systems. The law package is designed to regulate the prevention, response, and aftermath of cyber incidents, including measures for risk assessment, incident response, and stronger cooperation between the government and private sector.
ISAA is also prioritizing capacity and human resource development through education, training, public awareness campaigns, workshops, and cybersecurity exercises such as the CyberDrills organized with ITU. Another important area is the development of cybersecurity baseline standards, including national baseline cybersecurity controls and risk classification frameworks, especially for critical infrastructure and essential sectors.
The law “On Cybersecurity” is going to be adopted in Armenia
“The draft law “On Cybersecurity” has not yet been adopted. It is currently in the parliamentary process, with drafts approved by the government and now going through legislative and committee readings. If there are no major delays or pushback, the law could likely be adopted within several months after the committee work, possibly by late 2025 or early 2026,” the ISAA experts said.
As they explain, once the cybersecurity law is adopted, assuming the drafts largely pass, there will be notable changes and effects. Government agencies and the public sector will be required to follow stricter cybersecurity standards, conduct risk assessments, and establish incident reporting procedures. They will be subject to oversight, audits, and mandatory cybersecurity baseline controls. There will be a need to improve digital public services with more secure and interoperable designs, cooperate with AM-CERT, integrate into national incident response systems, and manage public information under new rules. These measures will contribute to better national resilience, reduced risk of serious breaches, and higher public trust.
For businesses, particularly those in critical infrastructure or essential sectors, clearer rules will provide predictability and better security, reducing business risks and potentially creating new service opportunities. Companies will be required to comply with minimum cybersecurity requirements, implement risk management and incident prevention programs, report cyber incidents, establish internal policies, and possibly undergo audits. They will also need to cooperate with government bodies and provide information under regulation. Those offering digital services to the government might face stricter contractual and regulatory compliance obligations.
For citizens and individuals, the adoption of the law will mean higher trust, less risk of personal data breaches, and a safer digital environment. Their data and digital rights will be better protected under regulated cybersecurity and data protection laws. Digital services will become more secure and reliable, while new laws on public information and a unified data policy will increase transparency and give citizens more rights to access public data. In some cases, individuals may also need to follow certain security practices when interacting with regulated digital systems such as identity systems.
Read more about the steps that Armenia has taken to strengthen its incident response capabilities in the interview with Dr. Gevorg Mantashyan, First Deputy Minister of High-Tech Industry of the Republic of Armenia.