The list of goods subject to import and export prohibitions or restrictions in the Eurasian Economic Union, including Kazakhstan, is determined by the Decision of the Board of Eurasian Economic Commission dating 2012. The Decision has been amended a few times since then. According to Section 1 of the so called "Single List" contained in the Decision, the following digital goods are among the goods that are subject to export restrictions: (i) Special hardware meant for secret information acquisition; (ii) Encryption devices.

Licensing procedures are applied to the importation of certain digital goods to the territory of the Eurasian Economic Union, including Kazakhstan. These digital goods include: (i) Civil radio-electronic equipment and/or high-frequency devices including those which are built-in or form a part of other goods; (ii) Special hardware meant for secret information acquisition; (iii) Encryption devices.

According to Art. 7.6 of the Informatization Law, the central executive body carrying out state regulation in the field of electronic industry orders the creation of a unified register of trusted software and electronic products. According to the Order of the Minister of Defense and Aerospace Industry of the Republic of Kazakhstan No. 53/НК, enforced in May 2018, in order to be registered in the register, the exclusive rights to the software must belong to a Kazakh entity or natural person. In addition, it is reported that the local content for this software must not be less than 70%. Furthermore, internet resources registered as network media (such registration is not mandatory) are reported to be subject to the general media requirements regarding the mandatory percentage of locally produced programs and programs broadcast in the Kazakh language.

According to the Art. 7 of the Advertisement Law, an advertisement that contains a comparison of the advertised goods (works, services) with the goods (works, services) of other individuals or legal entities, as well as statements, images, discrediting their honour, dignity, and business reputation, is prohibited. Advertisement, regardless of the form or used means of distribution (placement), should be reliable, and recognizable without special knowledge or the use of special tools, directly at the time of its presentation.

It is reported that the presidential elections in June 2019 and the parliamentary elections in January 2021 were both accompanied by disruption of internet connectivity. In addition, it is reported that there has been an internet shutdown at the beginning of January 2022 in the context of some protests. For over five days, except for short breaks of a few hours, people could not access websites, applications, or messenger apps. It is reported that the week-long internet blackout costed the economy more than USD 400 million.

The indicator "6.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 3 in Kazakhstan. This corresponds to "Rarely but there have been a few occasions throughout the year when the government shut down domestic access to Internet."

It is reported that the government has extensive authority to block online content. The National Security Committee of the Republic of Kazakhstan (NSC) controls the State Technical Service (STS) since 2017, assuming the authority to block content and disrupt internet networks for investigative purposes and to prevent crimes. The NSC can act without a court order, though it must notify other state bodies within 24 hours. In 2017, the NSC and a number of other state entities adopted new rules for blocking or suspending networks, ICT resources, and other web resources. The rules are classified. There are no publicly available data on the extent of state censorship, although one unofficial estimate puts the number of blocked websites at more than 30,000. Ministries occasionally release information on content restrictions. For example, in August 2018, the Ministry of Information and Communication announced that it had blocked more than 1,800 online “materials” since the beginning of 2018 and intended to block 9,340 more through 534 court proceedings. It is also reported that in 2019, the government prohibited access to social media, and temporarily blocked independent news websites. In February 2020, amid an outbreak of intercommunal violence between ethnic Kazakhs and the Dungan minority, the government temporarily blocked WhatsApp in a bid to stop the violence.

As per the requirements of the Law on Amendments and Additions to Certain Legislative Acts of the Republic of Kazakhstan on Information and Communications (2017), users have been required to identify themselves using government-issued digital signature technology or SMS verification in order to comment on domestic websites. Failure to enforce the rule after April 2018 can lead to fines. The law requires website operators to make it mandatory for users to enter into a formal agreement before they are permitted to post comments in local websites. The information provided in the agreement needs to be retained by the website and be handed over to the authorities whenever asked.

Amendments to the Communications Law in 2016 obliged ISPs to monitor content passing through their networks and to decide whether to restrict any problematic material. The amendments do not specify how ISPs are to carry out this obligation. The administrative code, in force since 2016, imposes fines on ISPs for not complying with censorship orders.

A basic legal framework on intermediary liability for copyright infringement is absent in Kazakhstan's law and jurisprudence. However, the Agreement on Enhanced Partnership between the EU and the Republic of Kazakhstan signed in March 2016 provides a safe harbour to European companies under several conditions. According to the agreement, an information intermediary is not liable, for example, if it does not initiate the transfer, if the end-user always takes the initiative, if it does not choose the recipient of the transfer if it does not choose or change the information contained in the transfer if it complies with the conditions of access to information, observes rules for updating information, does not interfere with the lawful use of generally recognized technologies, immediately deletes information or stops access to it, after receiving a notice.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Kazakhstan's law and jurisprudence. However, the Agreement on Enhanced Partnership between the EU and the Republic of Kazakhstan signed in March 2016 provides a safe harbour to European companies under several conditions. According to the agreement, an information intermediary is not liable, for example, if it does not initiate the transfer, if the end-user always takes the initiative, if it does not choose the recipient of the transfer if it does not choose or change the information contained in the transfer if it complies with the conditions of access to information, observes rules for updating information, does not interfere with the lawful use of generally recognized technologies, immediately deletes information or stops access to it, after receiving a notice.

In July 2019, the government introduced under the Law on Communications the Qaznet Trust Certificate, a machine-in-the-middle (MITM) technology enabling it to monitor users’ online activities. The certificate requires every internet user in the country to install a backdoor, allowing the government to conduct surveillance. This allows the government to conduct a so-called “man-in-the-middle” attack, which allows the government to intercept every secure connection in the country and see web browsing history, usernames and passwords, and even secure and HTTPS-encrypted traffic.
KazakhTelecom, the country’s largest telecommunications company, has said that citizens are “obliged” to install a “national security certificate” on every device, including desktops and mobile devices.
It is reported that the commentators and experts inside the country and abroad almost unanimously consider the certificate a government-initiated technology for the interception of encrypted user traffic via MITM attacks. Some of the 37 websites that University of Michigan researchers identified as targets of the certificate included Facebook, Gmail, Instagram, Mail.ru, OK, Twitter, VK, and YouTube, suggesting that its purpose was to “surveil users on social networking and communication sites.”
On 21 August 2019, Mozilla and Google simultaneously announced that their Firefox and Chrome web browsers would not accept the government-issued certificate, even if installed manually by users. Later, Apple also announced that they would make similar changes to their Safari browser and the certificate would not be installed. After this, the requirement for the installation of the certificate was postponed.
While required, the certificate appeared to affect a fraction of connections passing through the country’s largest ISP, Kazakhtelecom. This means that some, but not all, of the Kazakh Internet population was affected.
In December 2020, Kazakhstan once again tried to enforce the installation of the certificate. However, the enforcement once again halted after the protest of the major internet browsers. Although not enforced, the provisions for mandatory installation of the certificate remain in Kazakhstan's regulations.

As per the requirements of the Law on Amendments and Additions to Certain Legislative Acts of the Republic of Kazakhstan on Information and Communications (2017), users have been required to identify themselves using government-issued digital signature technology or SMS verification in order to comment on domestic websites.
The law requires website operators to make it mandatory for users to enter into a formal agreement before they are permitted to post comments in local websites. The information provided in the agreement needs to be retained by the website and be handed over to the authorities whenever asked.

According to Art. 25.2(10) of Law No. 94-V, an owner and / or operator of a personal data database, which is a legal entity, should appoint a person responsible for organizing the processing of personal data (this requirement does not apply to the activities of courts). According to Art. 25.3, such a person is entrusted with the following duties:
- Exercise internal control over observance by the owner and / or operator of a personal data database and its employees of Kazakh law requirements in relation to personal data and its protection;
- Inform the employees of an owner and / or operator of the provisions of Kazakh law in respect of processing and protection of personal data;
- Exercise control over receipt and processing of applications from personal data subjects or their legal representatives.

Kazakhstan has not joined any agreement with binding commitments to open transfers of data across borders.