
MiCA + ISO / GDPR / Security: a roadmap for business in Kazakhstan and Uzbekistan


EU regulators have tightened requirements for the crypto and fintech markets: MiCA standardises the operations of crypto-asset service providers, the GDPR protects personal data, and ISO/IEC 27001 provides the information security management framework. For companies from the CIS these are not alien rules but a ticket to partnerships, investment and expansion into the markets of Europe and the Middle East. Let's work out how to align MiCA, ISO and the GDPR without bureaucratic pain and with a clear plan.

MiCA in brief and to the point

MiCA (Markets in Crypto-Assets, Regulation (EU) 2023/1114) is a pan-European regulation that standardises requirements for crypto-assets and crypto-asset service providers (CASPs): authorisation, capital, client protection, and risk and incident management. The provisions on asset-referenced tokens and e-money tokens (stablecoins) have applied since 30 June 2024, and the remaining provisions, including the CASP regime, since 30 December 2024. For companies from the CIS this means that if you want to work with EU partners, list with European providers and attract European capital, aligning with MiCA requirements is unavoidable, even if your operations are based in the CIS.

GDPR: where personal data is an asset

The GDPR has extraterritorial effect (Art. 3): if you offer goods or services to people in the EU, or monitor their behaviour, the rules apply to your office in Almaty or Tashkent as well, regardless of the data subjects' citizenship. Fines can reach €20 million or 4% of annual worldwide turnover, whichever is higher, which is enough to put compliance on the strategic agenda. See our GDPR page for detailed requirements and steps. The question of how to comply with the GDPR and ISO for fintech typically comes down to a data inventory, lawful bases for processing, cross-border transfers, and robust information security practices under ISO/IEC 27001.

ISO/IEC 27001:2022 — the foundation for security processes

ISO/IEC 27001:2022 is an international standard that formalises an information security management system (ISMS): from risk assessment to the management of incidents, suppliers and cryptographic controls. For crypto companies its Annex A controls map to several regulatory expectations at once: continuous monitoring, logging, key control, infrastructure segmentation, and the protection of wallets and custody processes. For more details, see the ISO/IEC 27001:2022 page. For blockchain projects, ISO 27001 certification is particularly relevant to CIS crypto companies: it is recognised by partner banks and European counterparties.

Kazakhstan and Uzbekistan: how to synchronise requirements

For companies across both markets, a practical strategy is to build a single risk-management framework, with regulatory requirements added as “add-ons”. This way you establish a resilient ISO/IEC 27001 base and plug in the specific requirements of MiCA and the GDPR. Think of “compliance with MiCA and the GDPR in Kazakhstan” not as a one-off check but as a process: policy → practice → evidence.

Before moving on to the audit and the licensing project, make sure the basic elements are already in place.

  • Data map: know what data you hold, where it is stored, on what legal basis it is processed, who has access, and how it is erased upon a data subject’s request (GDPR).
  • Risk model: a formalised assessment methodology and a risk register (ISO 27001) covering on-chain/off-chain threats and third-party services.
  • Key management: procedures for generation, storage, rotation and segregation of duties for HSM/multisig schemes (MiCA + ISO controls).
  • Incidents: an incident response plan, RTO/RPO targets, log retention, and criteria and deadlines for notifying regulators and customers (e.g. the 72-hour personal data breach notification to the supervisory authority under GDPR Art. 33, plus MiCA's requirements on incident handling).
  • Suppliers: contractual and technical measures for clouds, data processors and node providers (GDPR Art. 28; ISO/IEC 27001:2022 Annex A.5.19–A.5.23, which replaced A.15 of the 2013 edition).
  • Privacy by default: data minimisation, DPIAs for high-risk processing, consent mechanisms and interfaces for data subject rights.
  • Evidence: up-to-date policies, training records, test protocols, scan results, audit reports — the materials you will show to inspectors.

This checklist helps align expectations between the internal team, auditors and potential regulators. For projects aiming for European integrations, supplement it with a legal review of cross-border data transfers and a cryptographic policy for custody.

Audit and licensing: what is most often examined

Companies from Kazakhstan and Uzbekistan encounter the same “first five” areas of focus:

  1. Asset and data register: the lack of up-to-date data-flow maps and a CMDB raises questions for auditors.
  2. Access control: weak segmentation and excessive privileges in cloud environments.
  3. Logs and monitoring: collection exists, but there is no event correlation, no alerting and no response plan tied to it.
  4. Suppliers: boilerplate DPAs (GDPR Art. 28) with no verification of the processor's actual technical and organisational measures.
  5. Document trail: policies are written, but practices and records do not evidence their execution.

That is why it makes sense to start a MiCA and ISO security audit (Kazakhstan, Uzbekistan, Georgia, Kyrgyzstan) with a quick diagnostic: reconcile actual practices with requirements, close immediate improvements, and then move on to a deeper assessment and preparation for licensing/certification.

Case-based approach: how this looks in practice

Let’s imagine a crypto service from Tashkent with custody wallets and P2P functionality. Implementation steps:

  • Verification of the lawful bases for processing EU customers’ data (GDPR) and configuring consents in the product.
  • Deployment of an ISMS: risk assessment, logging policy, incident playbooks, staff training (ISO 27001:2022).
  • MiCA compliance map: capital, AML/CTF, segregation of client assets, information security and reporting requirements.
  • Technical measures: HSM, multisig, network segmentation, secret management, CI/CD controls.
  • Preparation of the evidence base: scan reports, penetration testing, logs, training records, DPIAs.

For an Almaty-based fintech, the steps will be similar, but the emphasis will shift to bank integrations and evidencing that security policies meet partners’ requirements.

How System Management LLP helps

We support the full cycle: from rapid diagnostics to certification and licensing.

  • Gap analysis for MiCA, GDPR and ISO/IEC 27001 with risk prioritisation.
  • Turnkey ISMS build and preparation for ISO 27001:2022 certification.
  • Preparation for inspections and licensing of crypto-asset service providers (CASPs) in the EU.
  • Legal-technical GDPR support: register of processing activities, DPIAs, cross-border transfers, DPAs.
  • Team training: secure development, incident response, privacy by design.
  • Pre-audit and ongoing support: checklists, evidence base, liaison with auditors.

With System Management LLP, you get a single plan in which MiCA and GDPR compliance in Kazakhstan and ISO certification move in step with product development rather than hindering it.

Ready to take action? Let’s plan a collaboration — from Tashkent to Almaty, from crypto start-up to partner bank.

