Cybersecurity · Bahrain
Bahrain has no single comprehensive cybersecurity statute; obligations are layered across sectors and instruments. A central authority — the National Cyber Security Center, whose powers were defined/strengthened by Royal Order No. 17 of 2025 — sets and enforces mandatory policies, issues CNI controls, and manages national incident response, while binding cybersecurity and breach-reporting duties currently fall on specific sectors (notably finance via the CBB) and on Critical National Infrastructure operators. Personal-data breach notification is governed separately by the PDPL.
Royal Order No. 17 of 2025 (issued 10 July 2025) defines the National Cyber Security Center as the central authority for setting and enforcing nationwide cybersecurity rules; operating under the Supreme Defence Council, it develops mandatory policies, issues standards/frameworks, and leads national incident response and CNI oversight.
The NCSC issues CNI cybersecurity controls applying to operators of essential services (oil, electricity, water, government, financial services), who face stringent security requirements and must report incidents that could compromise essential services.
The Central Bank of Bahrain (CBB) Rulebook requires licensees to report cyber-security incidents that compromise customer information or disrupt critical services to the CBB as soon as possible and no later than one hour after occurrence/detection; it also requires governance arrangements, an IT Security Officer, and incident-management processes.
Under the Personal Data Protection Law No. 30 of 2018 (and implementing Order No. 43 of 2022), data controllers must notify the Personal Data Protection Authority of a breach within 72 hours of discovery (unless unlikely to affect data subjects' rights) and inform affected individuals where there is high risk.
Law No. 60 of 2014 on Information Technology Crimes criminalizes unauthorized access, interference with electronic systems, and misuse of digital data; Bahrain has also ratified the Arab Agreement on Combating IT Crimes (Law No. 2 of 2017).
Outside regulated sectors and CNI, private entities are not currently subject to a mandatory duty to report cyber incidents to the NCSC; such reporting is voluntary, though the 2025–2028 National Cyber Security Strategy signals continued expansion of the regime.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.