In accordance with subparagraph 4-1 of Art. 7 of Law No. 544, the Minister of National Economy of Kazakhstan ordered the approval of the Rules of Domestic Trade (Order No. 264). Arts. 105-1 and 106-1 of the Rules mandate e-commerce sellers to indicate their BIN (business identification number), address of business operations on the territory of Kazakhstan and mobile telephone number registered in Kazakhstan in order to operate in the country. Additional information on this requirement is found in Annex 3-10 of Order No. 4.

According to Art. 7 of Law No. 167-VІ SAM on Monetary Regulation and Foreign Exchange Control (which repealed Law No. 57 of 2005 on Monetary Regulation in July 2018), the use of a local bank is mandatory for settlements in foreign currency between residents of the KR and non-residents. Exceptions are settlements made from a foreign bank account of a non-resident, carried out on account of the performance of obligations of a resident (e.g. when a foreign parent company pays its local branch in the KR) and settlements with non-residents made from the resident's account in a foreign bank. Also, settlements between residents of the KR (including local branches of foreign non-financial legal entities considered residents) must be made in local currency.

According to Art. 136 of Law No. 115-VI ЗРК of the Republic of Kazakhstan, imports placed under the customs procedure for domestic consumption with a total customs value not exceeding the threshold of EUR 200 (approx. 219 USD) are exempt from import duties and taxes.

According to Art. 56 of the Law on Informatization requires that internet resources with ".kz" and ".қaz" domains must be hosted on hardware and software complexes located in Kazakhstan. In other words, an internet resource (website, web application, web service) using a ".kz" or ".қaz" domain must be hosted on a server in a data centre located in Kazakhstan. The server must also be connected to a Kazakh internet provider and use a (dedicated or shared) Kazakhstan IP address. It is reported that the owners of Internet resources were originally required to start using Kazakhstan's data centres by November 2020; however, since the related transition required additional costs and time, the deadline for meeting this requirement was extended to February 2021.

The Law on Protection of Consumer Rights provides a comprehensive framework for consumer protection that also applies to online transactions. Art. 33 of the Law on Protection of Consumer Rights includes provisions for the protection of e-consumers. Additionally, e-consumers enjoy all other privileges of the normal consumers.

Kazakhstan has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Kazakhstan has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

Kazakhstan has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

Licensing procedures are applied to the importation of certain digital goods to the territory of the Eurasian Economic Union, including Kazakhstan. These digital goods include (i) Civil radio-electronic equipment and/or high-frequency devices, including those which are built-in or form a part of other goods; (ii) Special hardware meant for secret information acquisition; (iii) Encryption devices.

In accordance with Art. 12.2 of Law No. 94-V, personal data must be stored in a database situated within the territory of Kazakhstan by the owner and/or operator, as well as by third parties. Pursuant to Art. 27-1, the Rules for the Implementation of Measures to Protect Personal Data by the Owner, Operator, and Third Parties were approved. According to Paragraph 8 of these Rules, the collection and processing of personal data with restricted access must be conducted via information facilities located within the Republic of Kazakhstan. The storage and transfer of such data should be carried out using cryptographic protection tools that meet at least the third level of security, as defined by the standard established in Kazakhstan. Personal data of restricted access includes all personal data, except for that which the data subject has made publicly available or that which is publicly accessible by explicit provision of the law. A similar provision was already in effect since 2021 in Rules bearing the same name, repealed in 2023, under its Paragraph 10.

According to Art. 7.6 of the Informatization Law, the central executive body carrying out state regulation in the field of electronic industry is tasked with establishing a unified register of trusted software and electronic products. According to Art. 54.3.1, for the purposes of state security, only approved software may be used for public procurement and for critical information and communication infrastructure, whether state-owned or private, including telecommunication infrastructure. In addition, it is reported that the local content for this software must not be less than 70%.

Art. 21 of the Law of the Republic of Kazakhstan on Communications stipulates that operators of communication networks of all categories included in the unified telecommunications network of the Republic of Kazakhstan shall be obliged to create at their own expense a system of centralised management of their networks, which must be located on the territory of the Republic of Kazakhstan.

In addition to the legal requirement of local processing of personal data in Kazakhstan introduced in 2015 in the Personal Data Law (Art. 12.2), pursuant to Art. 16.2 of the Law, a copy of personal data may only be transferred from Kazakhstan to a foreign country (including for purposes of processing) without prior permission from the personal data subject only if the recipient of the personal data is located in a country that protects personal data (at either the national level (by adopting national laws and regulations) or the international level (through international treaties). Pursuant to Art. 16.3 of the Personal Data Law, if no such protection is available, cross-border transfers of personal data are only possible if:
- The subject gives specific consent;
- In cases specified by international treaties ratified by Kazakhstan;
- In cases stipulated in the laws of Kazakhstan in order to protect the constitutional order, public order, rights and freedoms of an individual and a citizen, and public health and morality; and
- In the case of the protection of the constitutional rights of an individual and citizen, where getting the consent of the subject or their legal representative is impossible.
It is reported that national legislation does not specify a list of countries to which the transfer of data is prohibited, nor are there any criteria listed for determining the countries that provide a proper level of protection of personal data.

Kazakhstan has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. No. 94-V provides a comprehensive regime of data protection in Kazakhstan. The Personal Data Law provides general regulations on the collection and processing of personal data and notably includes broad requirements for data localisation. In addition, the Amendment Law was introduced in July 2020, significantly extending data protection obligations for organisations. The Amendment Law introduces, among other things, further requirements for data collection and processing, obligations for data operators (similar to data processors), and redefines key concepts. The Amendment Law further establishes the competency of the data protection authority, including its powers and role.