Legal Alert - March 2025 - KPMG Kazakhstan

Changes in EDS rules: restriction on transferring the private key to third parties

2 min read

Dear readers,

Starting from 13 March 2025, amendments to the Code of administrative offenses of the Republic of Kazakhstan (CAO RK) have come into effect, tightening the regulations on the use of Electronic Digital Signatures (EDS). The use of another person’s private EDS key (a unique code used to create an electronic signature) is now explicitly prohibited, even with the owner’s consent.

As a result, using someone else’s EDS now carries a substantial fine. Clause 6, Article 640 of the CAO RK establishes the following penalties:

for individuals – 50 MCI (196,600 KZT in 2025);
for officials, small business entities, and non-profit organizations – 100 MCI (393,200 KZT);
for medium-sized business entities – 150 MCI (589,800 KZT);
for large business entities – 200 MCI (786,400 KZT).

The use of EDS keys plays a crucial role in various services. They are used to sign tax declarations, conclude electronic contracts, submit electronic requests, request certificates and statements, as well as submit registration documents and notifications.

In light of the new regulations, the Committee for public services of the Ministry of digital development (MDD RK) has clarified the permissible procedure for delegating electronic signatures.

If an employee needs to be granted the authority to sign documents, this must be done by issuing them a separate EDS. In other words, a company executive cannot simply transfer their key to a subordinate—rather, the employee must obtain their own key and electronic signature certificate. The direct transfer of a private key, even to a trusted person, is now strictly prohibited.

It is also important to note that the eGov government portal does not allow documents to be signed or certificates to be obtained by proxy. In practice, this means that even a notarized power of attorney does not enable one person to log in and sign documents on behalf of another through eGov.

Company executives are now required to sign all documents personally using their EDS or ensure that authorized employees obtain their own EDS keys in the prescribed manner. The practice of sharing a single key among multiple individuals is no longer permitted.

Currently, the mechanism for controlling and detecting instances of private key transfer for EDS is not regulated. Legislation establishes liability for the transfer of keys, but there is currently no clear procedure for verifying and recording such violations.