Cybersecurity · Bangladesh
Cybersecurity regulation in Bangladesh (2026)
Bangladesh shaded by its cybersecurity status
Bangladesh enacted the Cyber Security Ordinance, 2025, gazetted on 21 May 2025, repealing the Cyber Security Act, 2023 (which had itself replaced the Digital Security Act, 2018). The Ordinance constitutes a comprehensive statutory framework covering critical information infrastructure (CII) protection, cybercrime offences, incident response, and institutional governance under a newly structured NCSA. Civil-society concerns persist over vague definitions and residual speech-restricting provisions, but the law is in force and operative.
Key points
Bangladesh's cybersecurity law evolved from the Digital Security Act 2018 to the Cyber Security Act 2023 (Act No. 46 of 2023, passed 13 September 2023), and most recently to the Cyber Security Ordinance 2025, gazetted 21 May 2025 by the interim government. Each iteration replaced the prior law in full.
The Ordinance establishes the NCSA as the primary regulatory authority empowered to designate Critical Information Infrastructure, issue mandatory security directions, conduct audits, prescribe technical standards, and coordinate with law enforcement. The apex policy body is the National Cyber Security Council (NCSC), which approves national cybersecurity policy and reviews NCSA performance.
The government retains sole authority to designate CII sectors (energy, banking, government systems, etc.). CII operators must deploy mandated security controls, localize sensitive data domestically, and establish security operations capabilities. Warrantless search, seizure, and arrest powers apply to CII-related cyber incidents.
BGD e-GOV CIRT (Bangladesh Government Computer Incident Response Team) serves as the national operational incident response body; organizations are directed to report indicators of compromise and suspicious activity to BGD e-GOV CIRT/NCSA. The Ordinance mandates incident response protocols and emergency procedures, including digital forensics coordination.
The Ordinance criminalises unauthorised access, hacking, cyberterrorism, cyber fraud, e-transaction crimes, incitement of religious/ethnic hatred, sexual harassment, blackmail, and online obscenity, with graded penalties. The 2025 reform made many offences (cyber fraud, sexual harassment, blackmail) bailable and removed 9 sections of its predecessor dealing with speech-based offences (defamation, 'offensive' content, false information).
The 2025 Ordinance explicitly recognises internet access as a citizen's right—a first for Bangladesh. However, Article 19, Human Rights Watch, and local civil-society groups have flagged that vague and undefined terms in the Ordinance still risk chilling free expression and press freedom, and called for further revision.
Timeline - major decisions & events
The interim government gazetted Ordinance No. 25 of 2025, repealing the Cyber Security Act 2023 and dropping nine contentious provisions inherited from the Digital Security Act 2018. The ordinance is the first South Asian law to criminalise AI-facilitated offences explicitly, recognises internet access as a civic right, and grants BGD e-GOV CIRT statutory authority as the national CERT.
Bangladesh Government Press (Official Extraordinary Gazette) ↗The ITU's 5th edition of the Global Cybersecurity Index placed Bangladesh in Tier 1 (Role Model) with a score of 96.96, citing capacity development and technical measures as areas of strength. The classification provided international validation of the country's cybersecurity institutional build-out, though the index evaluates the existence rather than quality of measures.
ITU (International Telecommunication Union) ↗Parliament passed a new law replacing the Digital Security Act 2018, reducing some prison terms for defamation-related offences and removing non-bailable provisions, but preserving most substantive prohibitions. Civil-society organisations criticised it as a cosmetic rebrand; the law was repealed less than two years later by the Cyber Security Ordinance 2025.
Laws of Bangladesh (Ministry of Law, Justice and Parliamentary Affairs) ↗Security researcher Viktor Markopoulos discovered that a Bangladesh Registration Office government website leaked names, addresses, phone numbers, and national ID numbers of tens of millions of citizens through a misconfigured API — not an active intrusion. The site was taken down on 10 July 2023 after TechCrunch reported it; leaked NID data subsequently circulated on Telegram, exposing persistent gaps in public-sector data governance.
TechCrunch ↗BGD e-GOV CIRT published Bangladesh's first structured national cybersecurity strategy, built on four pillars — Digital Government, Human Resource Development, IT Industry Promotion, and Connectivity & Infrastructure — with 28 activities across 10 strategic themes. The strategy provided the coordinating framework for aligning all government ministries and agencies on cybersecurity responsibilities.
BGD e-GOV CIRT (Bangladesh Computer Council) ↗The president signed the Digital Security Act into law, creating broad criminal offences for online content deemed defamatory, anti-state, or religiously offensive, with penalties up to life imprisonment for attacks on liberation-war ideology. The law absorbed and expanded Section 57 of the ICT Act and was widely condemned by journalists, the UN OHCHR, and civil-society groups for enabling political and press-freedom prosecutions.
Laws of Bangladesh (Ministry of Law, Justice and Parliamentary Affairs) ↗Actors later attributed by CISA to North Korea's Reconnaissance General Bureau (BeagleBoyz) used malware to impersonate Bangladesh Bank on the SWIFT messaging network, issuing 35 fraudulent transfer instructions totalling ~$1 billion to the Federal Reserve Bank of New York; $101M was transferred before a spelling error triggered a hold. $81M reached the Philippines and was largely laundered through casinos — making this the largest cyber-enabled central-bank theft on record and prompting SWIFT-wide security reforms.
Wikipedia (aggregating Bangladesh Bank, FBI, and SWIFT official statements) ↗The Bangladesh Computer Council activated the e-Government Computer Incident Response Team under the LICT (Leveraging ICT for Growth, Employment and Governance) project; the Bank heist occurring the same month catalysed its formal government mandate and resourcing. BGD e-GOV CIRT subsequently gained full FIRST membership, establishing Bangladesh's first institutionalised cyber-incident response capability.
BGD e-GOV CIRT (Bangladesh Computer Council) ↗Parliament amended the 2006 ICT Act to extend maximum sentences for some offences from 10 to 14 years, reclassify Section 57 violations as cognizable (warrantless arrest permitted) and non-bailable, and remove the requirement for prior government approval before filing cases. The amendment dramatically expanded law-enforcement power under Section 57 and led to at least 700 cases before the Cyber Tribunal by 2017, most targeting journalists and critics.
Wikipedia (referencing official Bangladesh Gazette amendments) ↗Bangladesh - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →