Cybersecurity regulation in Bhutan (2026)
Bhutan has no single comprehensive cybersecurity statute; cybersecurity obligations are distributed across the Information, Communications and Media Act 2018 (ICMA), which criminalises cybercrime and mandates breach notification through the Bhutan InfoComm and Media Authority (BICMA), and relevant Penal Code provisions. In October 2024 the Government Technology Agency (GovTech) launched the inaugural National Cybersecurity Strategy 2024–2029, which explicitly identifies the absence of a dedicated cybersecurity law as a gap and calls for a new legislative framework as one of its four core goals. A review of the ICMA to bolster cybersecurity has been announced, but no standalone law is yet in force.
Key points
The Information, Communications and Media Act 2018 is Bhutan's main digital law. It criminalises unauthorised access to Critical Information Infrastructure, unlawful data disclosure, payment-system interference, unsolicited email, and related offences, and empowers BICMA to regulate ISPs, telecom operators, and online content providers.
Organisations that discover a personal-data or security breach must notify the Bhutan InfoComm and Media Authority (BICMA) within 72 hours, disclosing the breach's nature, categories of data affected, likely consequences, and remedial measures taken.
Sections 463–472 of Bhutan's Penal Code criminalise cyber trespass, cyber fraud, identity theft, data theft, cyber extortion, dissemination of illegal content, cyberbullying, and online defamation, providing a supplementary criminal-law layer to the ICMA.
The National Cybersecurity Strategy 2024–2029, launched 25 October 2024 at the National Cybersecurity Conference, is Bhutan's first national cybersecurity strategy. Its four pillars are: (1) institutional framework, (2) legislative framework enhancement, (3) critical information infrastructure protection, and (4) incident management. It acknowledges that dedicated cybersecurity legislation is absent and must be developed.
The Bhutan Computer Incident Response Team (BtCIRT), operating under GovTech, is the national CERT. It monitors government networks, data centres, and national critical ICT infrastructure, coordinates incident response, and handled 204 cybersecurity incidents in 2024 alone.
GovTech has publicly announced a review of the ICMA to bolster cybersecurity obligations. The NCS 2024–2029 identifies specific legislative gaps — including absence of a standalone cybersecurity act and limited enforcement capacity — and commits to remedying them within the strategy period. Bhutan is not a signatory to the Budapest Convention on Cybercrime.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.