Cybersecurity regulation in Afghanistan (2026)

President Ghani signed a 28-article Cyber Crime Code into law on 20 June 2017 as part of the national Penal Code. It criminalises unauthorised access (hacking), cyber-terrorism, spreading ethnic hatred online, exposing state secrets, and cyber-fraud, but contains no breach-notification duties and no procedural or international-cooperation provisions.

Afghanistan adopted a National Cyber Security Strategy in November 2014 via the MCIT/ISSD. It established AFCERT as the primary incident-response body and set goals for critical-infrastructure protection, but the strategy has never been updated and is widely considered obsolete; no successor strategy has been published under the Taliban administration.

The Information Systems Security Directorate (ISSD), established within MCIT in 2009, was tasked with protecting critical information infrastructure and hosting the Afghanistan CERT (AFCERT). The Ministry of Interior's cybercrime department cooperates with ISSD on investigations. Operational capacity under the post-2021 Taliban government is severely limited and not publicly documented.

The Afghanistan Telecom Regulatory Authority (ATRA), established in 2006, can compel operators to monitor traffic and provide immediate network access for national-security or criminal investigations. This constitutes the primary sector-specific cybersecurity-adjacent obligation on telecoms; no equivalent obligations exist for finance or other critical sectors.

Afghanistan has no enacted data-protection law and no statutory obligation for organisations to notify authorities or affected individuals following a data breach or cyber incident. The Council of Europe Octopus profile confirms the absence of any such regime.

Since late 2025 the Taliban has imposed sweeping internet restrictions rather than protective cybersecurity measures: in September 2025 fibre-optic internet was banned in five provinces (briefly attempted nationwide), social-media platforms including Facebook and Instagram were blocked from October 2025, and in May 2026 ATRA was directed to cut residential fibre-optic services in Kabul. These actions reflect content-control priorities, not a defensive cybersecurity posture.