Cybersecurity regulation in Bahrain (2026)
Bahrain has no single comprehensive cybersecurity statute; obligations are layered across sectors and instruments. A central authority — the National Cyber Security Center, whose powers were defined/strengthened by Royal Order No. 17 of 2025 — sets and enforces mandatory policies, issues CNI controls, and manages national incident response, while binding cybersecurity and breach-reporting duties currently fall on specific sectors (notably finance via the CBB) and on Critical National Infrastructure operators. Personal-data breach notification is governed separately by the PDPL.
Key points
Royal Order No. 17 of 2025 (issued 10 July 2025) defines the National Cyber Security Center as the central authority for setting and enforcing nationwide cybersecurity rules; operating under the Supreme Defence Council, it develops mandatory policies, issues standards/frameworks, and leads national incident response and CNI oversight.
The NCSC issues CNI cybersecurity controls applying to operators of essential services (oil, electricity, water, government, financial services), who face stringent security requirements and must report incidents that could compromise essential services.
The Central Bank of Bahrain (CBB) Rulebook requires licensees to report cyber-security incidents that compromise customer information or disrupt critical services to the CBB as soon as possible and no later than one hour after occurrence/detection. It also requires governance, an IT Security Officer, and incident-management processes.
Under the Personal Data Protection Law No. 30 of 2018 (and implementing Order No. 43 of 2022), data controllers must notify the Personal Data Protection Authority of a breach within 72 hours of discovery (unless unlikely to affect data subjects' rights) and inform affected individuals where there is high risk.
Law No. 60 of 2014 on Information Technology Crimes criminalizes unauthorized access, interference with electronic systems, and misuse of digital data; Bahrain has also ratified the Arab Agreement on Combating IT Crimes (Law No. 2 of 2017).
Outside regulated sectors and CNI, private entities are not currently subject to a mandatory duty to report cyber incidents to the NCSC; such reporting is voluntary, though the 2025–2028 National Cyber Security Strategy signals continued expansion of the regime.
Timeline - major decisions & events
The Central Bank of Bahrain published updated Cyber Security Requirements in its Rulebook, consolidating board-level oversight, risk assessment, penetration testing and incident-reporting duties across banking, insurance and capital-market firms. It standardizes the cyber obligations applying to Bahrain's regulated financial sector.
Source: Central Bank of Bahrain Rulebook
King Hamad issued Royal Order No. 17 of 2025 giving the National Cybersecurity Center (NCC) legislative, policy and technical authority — proposing cyber laws, issuing mandatory policies and standards, coordinating threat-sharing, and overseeing critical sectors under the Supreme Defence Council. It clarified the mandate left undefined when the NCC was created.
Source: Library of Congress (Global Legal Monitor)
The National Cyber Security Center issued a National Risk Management Framework and CNI cybersecurity controls covering seven critical sectors (energy, financial services, ICT, healthcare, government, critical industry, transport). It set the baseline technical controls operators of critical infrastructure must adopt.
Source: National Cyber Security Center
The Central Bank of Bahrain amended its Crypto-Asset (CRA) Module to introduce cybersecurity control guidelines aimed at protecting clients' digital assets. It extended formal cyber obligations to crypto-asset service providers operating in Bahrain.
Source: Central Bank of Bahrain
Bahrain stood up the Personal Data Protection Authority (PDPA) and issued ten ministerial resolutions implementing the PDPL, covering security measures, breach handling and cross-border transfers. It marked the start of active enforcement of the data-protection and data-security regime.
Source: Personal Data Protection Authority
Royal Decree No. 65 of 2020 created the National Cybersecurity Center as the central national authority for cybersecurity, though it left detailed responsibilities to be defined later (by Royal Order No. 17 of 2025). It centralized national cyber governance for the first time.
Source: National Cyber Security Center
Bahrain published a five-pillar national strategy spanning resilient cyber defenses, governance and standards, public awareness, partnerships, and workforce development. It established the policy roadmap and CNI-sector approach underpinning today's framework.
Source: National Cyber Security Center
The Central Bank of Bahrain added cybersecurity chapters to its Operational Risk and Risk Management modules, mandating board accountability, periodic control assessments, biannual penetration testing, cyber insurance and staff training. It created the financial sector's binding cyber obligations.
Source: Central Bank of Bahrain
Bahrain enacted its first comprehensive data-protection statute, governing collection, processing, storage and transfer of personal data and mandating safeguards against unauthorized access, loss or disclosure. It laid the legal foundation for data-security obligations nationwide.
Source: Ministry of Justice (Legislation Portal)
Bahrain enacted its cybercrime law criminalizing illegal access, data and system interference, illegal interception, misuse of devices and content offences, with fines up to BHD 100,000. It remains the core criminal framework backing cybersecurity enforcement.
Source: ILO NATLEX
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.