Cybersecurity regulation in Bermuda (2026)
Bermuda currently regulates cybersecurity through sector-specific rules rather than a single in-force comprehensive law. The BMA imposes operational cyber-risk management obligations on regulated financial entities (notably the Insurance Sector Code of Conduct, effective 2021), and the Personal Information Protection Act 2016 (fully operative 1 January 2025) requires data-breach notification. A comprehensive Cybersecurity Act 2024 received Royal Assent on 24 June 2024 but has no announced commencement date, so its critical-infrastructure regime is not yet binding.
Key points
The Cybersecurity Act 2024 was passed by the Legislature on 31 May 2024 and received Royal Assent on 24 June 2024, creating a framework to protect critical national information infrastructure across essential services (energy, telecoms, healthcare, government). No commencement date has been announced, so it is not yet operative.
Under the Cybersecurity Act 2024, sector-specific cyber and IT security prescriptions will be overseen by the Minister of National Security in consultation with a Cybersecurity Advisory Board that advises on safeguarding information resources connected to essential operations.
The BMA's Insurance Sector Operational Cyber Risk Management Code of Conduct took effect 1 January 2021, with full compliance required by 31 December 2021. It sets proportionate duties to maintain a robust cybersecurity programme; 97% of insurers reported a board-approved cyber-risk policy in 2024 filings.
The Personal Information Protection Act 2016 became fully operative on 1 January 2025. Organisations must notify the Office of the Privacy Commissioner (PrivCom) and affected individuals without undue delay of a breach likely to adversely affect an individual; failure to notify is a separate criminal offence.
Under PIPA, failing to report a qualifying breach can lead to fines up to $25,000 and/or up to 2 years imprisonment on summary conviction for individuals, and fines up to $250,000 on indictment for organisations.
Bermuda enacted the Computer Misuse Act 2024, replacing the 1996 statute of the same name, to align with international best practice and substantially increase penalties for computer-related offences.
Timeline - major decisions & events
Bermuda's comprehensive data-protection law became fully operative, obliging all in-scope organisations to appoint privacy officers, implement security safeguards, and report personal-data breaches. Its security and breach-notification provisions form a core pillar of Bermuda's cybersecurity obligations alongside the BMA codes and the Cybersecurity Act.
Source: Office of the Privacy Commissioner for Bermuda (PrivCom) ↗

Issued by the BMA under the Digital Asset Business Act 2018, the Code required all licensed digital-asset businesses to be fully compliant by this date with a proportionate technology/cyber-risk programme and board-level cyber governance. It extended sector-specific cyber rules to crypto and DLT firms.
Source: Bermuda Monetary Authority ↗

Passed by the Legislature on 31 May 2024, the Act creates a national regime overseen by a single Minister to set cybersecurity standards for Critical National Information Infrastructure (CNII) across health, telecoms, emergency services and energy, and establishes a Cybersecurity Advisory Board. It marks Bermuda's first economy-wide critical-infrastructure cyber law beyond the financial sector.
Source: Parliament of Bermuda ↗

The Government announced the firm date for PIPA to come fully into force, giving organisations an approximately 18-month preparation window to build data-security and breach-reporting compliance programmes. It ended years of uncertainty over when Bermuda's data-protection regime would actually bite.
Source: Office of the Privacy Commissioner for Bermuda (PrivCom) ↗

Banks, deposit companies, trust companies, investment businesses, fund administrators, money service businesses and corporate service providers had to be fully compliant with the BMA's operational cyber-risk code by this date. It brought most of Bermuda's BMA-regulated financial entities under formal cyber-governance and 72-hour incident-reporting duties.
Source: Bermuda Monetary Authority ↗

The BMA extended its cyber-risk framework beyond insurance to corporate service providers, trust companies, money service businesses, investment businesses and fund administrators (and, via amendments to the Banks and Deposit Companies Act 1999, to banks). It standardised board oversight, a CISO function, and incident reporting across the wider financial sector.
Source: Bermuda Monetary Authority ↗

The first BMA cyber code took effect, with insurers, insurance managers and intermediaries required to comply by 31 December 2021. It mandated board-approved cyber-risk policies, a CISO role, and notification to the BMA within 72 hours of a confirmed cyber event, and became the template for all later sector codes.
Source: Bermuda Monetary Authority ↗

Bermuda's earliest digital-economy statute legally facilitated e-commerce and included EU-style data-protection principles (never fully activated), laying the conceptual groundwork for later information-security and privacy regulation. It remains the historical starting point for Bermuda's IT and data-handling law.
Source: Appleby ↗
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.