According to Art. 5 of the Law of Georgia on the Control of Military and Dual-Use Goods, the import of "Dual-Purpose Products" included in the "control lists" outlined in Art. 2(p) is carried out on the basis of an import permit issued in accordance with the Law of Georgia on Licences and Permits, as specified in its Art. 24. Dual-purpose products, as defined in Art. 2(m), include computer software and technologies that serve both civil and military purposes.
The control list, detailed in the Government of Georgia's Resolution No. 394 on the Approval of Lists of Military and Dual-Purpose Products, includes semiconductor photocathodes, electro-optical converters, optical fibre, and optical fibre connectors, among other products. Additionally, Section 21 of Resolution No. 394 provides specific information about the types of software that fall under the licensing regime.

According to Art. 5 of the Law of Georgia on the Control of Military and Dual-Use Goods, the export of "Dual-Purpose Products" included in the "control lists" outlined in Art. 2(p) is carried out on the basis of an export permit issued in accordance with the Law of Georgia on Licences and Permits, as specified in its Art. 24. Dual-purpose products, as defined in Art. 2(m), include computer software and technologies that serve both civil and military purposes.
The control list, detailed in the Government of Georgia's Resolution No. 394 on the Approval of Lists of Military and Dual-Purpose Products, includes semiconductor photocathodes, electro-optical converters, optical fibre, and optical fibre connectors, among other products. Additionally, Section 21 of Resolution No. 394 provides specific information about the types of software that fall under the licensing regime.

Self-certification is permitted for radio transmission, electromagnetic interference (EMI), and electromagnetic compatibility (EMC). Foreign companies are authorised to self-certify compliance with these standards through a Supplier Declaration of Conformity (SDoC). The registration of the equipment with the regulatory authority is not required, nor is testing by an accredited laboratory mandatory. In cases where testing is conducted, the selection of the testing laboratory is at the discretion of the supplier or manufacturer.

Art. 37 of Law No. 3144 stipulates that the cross-border transfer of data is permissible if the data processing requirements outlined in the Law are met and adequate safeguards are in place in the destination jurisdiction to ensure the protection of data subjects' rights. In addition, the cross-border transfer of data is allowed under other circumstances, including when: (i) the data transfer is envisaged by an international treaty and agreements of Georgia; (ii) the data controller provides appropriate safeguards for data protection on the basis of an agreement concluded between the controller and the relevant state, the appropriate public institution of such state, a legal person or a natural person, or an international organisation; (iii) the data subject gives written consent after receiving information on the lack of proper safeguards for data protection in the relevant jurisdiction and on possible threats; (iv) the transfer of data is necessary to protect the vital interests of a data subject and the data subject is physically or legally incapable of consenting to such data processing; and (v) there is a lawful public interest, and the transfer of data is a necessary and proportionate measure in a democratic society.
Onward transfer is permitted only if such data transfer serves the initial purpose of data transfer, meets the requirements for the legal basis for data transfer, and ensures adequate safeguards for data protection.
Law No. 3144, signed in June 2023, superseded the Act No. 5669 with effect starting from June 2024. Art. 41 of the now-repealed Act No. 5669 established conditions for cross-border data transfers that were similar to those outlined in Art. 37 of the new Law.

Georgia has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. 3144 provides a comprehensive regime of data protection in Georgia. The Law aims to bring Georgian legislation on personal data protection into closer alignment with the EU General Data Protection Regulation (GDPR) by establishing obligations such as the appointment of a data protection officer (DPO) and the conducting of a data protection impact assessment (DPIA), as well as requirements regarding data breach notifications, data subject rights, and international data transfers. Law No. 3144 superseded the Data Protection Act of 2011 (No. 5669), with effect starting from June 2024.

Art. 7 of Resolution No. 3 of the Georgian National Communications Commission "Regulations on the Rules of Provision of Services and Protection of Consumer Rights in the Sphere of Electronic Communications" addresses the information concerning the user that the service provider retains. The service provider must safeguard the following categories of user information for a period of four years: (a) the user's identification and contact details; (b) data related to the equipment or devices transferred to or used by the subscriber; (c) agreements or transactions related to service delivery; (d) payment information; (e) details of services received or provided, including a comprehensive record of incoming and outgoing telephone communications. Art. 3 defines a service provider as an operator of an electronic communications network or an authorised person who has access to the relevant elements or resources thereof and intends to, or is engaged in, provide electronic communication services through the elements or resources of the said network.
An article concerning the information retained by service providers about consumers has been included in the Regulations since its initial version. However, it was originally listed as Art. 5, and there were some variations in the specific data categories and the duration of data retention.

Art. 31 of Law No. 3144 requires data controllers to conduct data protection impact assessments (DPIAs) in cases where there is a high probability of threat of violation of fundamental human rights and freedoms during data processing, taking into account new technologies, categories, the volume of data, and the purposes and means of data processing. In addition, a DPIA is mandatory if the data controller : (i) makes decisions in a fully automated manner, including on the basis of profiling, which may have legal, financial, or other significant consequences for a data subject; (ii) processes data of a special category of a large number of data subjects; or (iii) carries out systematic and large-scale monitoring of data subjects' behaviour in places of public gathering. In the case of a substantial change in data processing, the controller is obliged to update the DPIA report and keep it for the entire period of data processing and for at least one year after termination of processing.

Art. 33 of Law No. 3144 requires various categories of organisations to appoint a personal data protection officer (DPO). This requirement applies to, among others, electronic communication companies, as well as data controllers or processors who manage the personal data of a significant number of data subjects or engage in systematic and large-scale monitoring of their behaviour.

Art. 8 of the Law on Electronic Communications stipulates that the Operational and Technical Agency (OTA) shall have the capability to obtain real-time communications and their identification data transmitted through the infrastructure of an electronic communication company by using stationary or semi-stationary technical means. For this purpose, the OTA is empowered to: a) place or install a lawful interception management system and/or any hardware and software required for its function, if necessary; b) require the electronic communication company to maintain the technical capacity, via stationary means, to provide the OTA with real-time communication content and its identification data, in accordance with the architecture and interface specified by the stationary technical capacity for obtaining real-time communication. The OTA functions under the authority of the State Security Service, an organisation subject to the direct oversight of the Prime Minister of Georgia.
An electronic communications company is defined as an authorised entity whose activities or services involve the provision of telephone networks, internet networks, or related services. Electronic communication identification data is defined as user identification data, data required for tracing and identifying the source of a communication; data necessary for identifying the recipient of a communication; data required for determining the date, time, and duration of a communication; data necessary for identifying the type of communication; data required for identifying the user's communication equipment or potential equipment; and data necessary for determining the location of mobile communication equipment.

There is an obligation for passive infrastructure sharing in Georgia to deliver telecom services to end users. Art. 19 of Law No. 1514 stipulates that an authorised person may request a provider of a public electronic communication network to provide access and/or interconnection to the relevant elements of its network. Furthermore, Art. 34 mandates that an authorised person with significant market power who owns an electronic communication network shall ensure unrestricted, transparent and non-discriminatory access to the relevant elements, technical facilities of its network, and other types of electronic communication services.

Georgia mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market. Art. 29 (c) of Law No. 1514 provides that the National Communications Commission of Georgia may, by decision, impose on an authorised entity with significant market power the obligation to maintain separate records of expenditure and income in accordance with the methodological rules approved by the Commission. Furthermore, Art. 34.8 stipulates that, by decision of the Commission, an electronic communications network operator must ensure the separation of the functional resources of the relevant elements of its network, where their use is reasonably requested by an interested authorised entity. Additionally, Art. 27.6 establishes that the Commission may require an operator with significant market power as a result of a merger to ensure functional separation, meaning the division of functionally separated structural units into a separate legal entity or entities.

Georgia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Georgia has two government bodies within the telecommunications sector: a governmental ministry responsible for policy formulation and an independent regulatory commission called the Georgian National Communications Commission. The Commission serves as the country's regulatory authority for broadcasting and electronic communications. It functions as an independent state agency, operating as a legal entity under public law, with a commission comprising five appointed members. Although it enjoys operational and budgetary autonomy, the Commission remains accountable to the President, the Government, and Parliament, which could result in a lack of independence.
The Department of Communications, Information and Modern Technologies, housed within the Ministry of Economy and Sustainable Development, is the policy-making entity responsible for formulating and implementing state policy regarding electronic communications, information technologies, and postal services.

Georgia is not a party to the World Trade Organization (WTO) Agreement on Government Procurement (GPA). However, the country has been an observer of the WTO GPA since 1999.