Cybersecurity regulation in Brunei (2026)

Brunei's first comprehensive data-protection statute grants individuals rights over how private-sector organisations collect, use and disclose personal data; mandates Data Protection Impact Assessments, reasonable security measures, and equivalent-standard cross-border transfer controls; designates AITI as the enforcement authority with a one-year transition period before penalties (up to BND 80,000 or imprisonment) apply.

The Brunei Darussalam Central Bank issued binding TRM Guidelines requiring banks and financial institutions to maintain IT governance frameworks, conduct regular cyber-risk assessments, and report material technology incidents—aligning the financial sector with the Cybersecurity Act and making cyber risk the top-ranked operational risk for Bruneian banks.

The 2023 Cybersecurity Order was consolidated into Chapter 272 of the Laws of Brunei, and Cyber Security Brunei simultaneously published the Code of Practice for Critical Information Infrastructure, giving CII owners in ten designated sectors (energy, banking, health, telecoms, etc.) detailed technical and organisational requirements for risk management, incident detection, and mandatory reporting.

The Central Bank mandated all licensed banks to deploy continuous cyber-intrusion detection systems and report incidents promptly to BDCB, creating a sector-specific incident-reporting obligation that runs in parallel with the national Cybersecurity Act obligations for critical information infrastructure.

Brunei's first dedicated cybersecurity law established the national framework: it designated Cyber Security Brunei as the lead authority, defined ten critical information infrastructure sectors, mandated CII owners to appoint cybersecurity officers, perform risk assessments, and notify incidents, with penalties of up to BND 100,000 and two years' imprisonment for non-compliance.

Operating under the Ministry of Transport and Infocommunications, CSB became the institutional cornerstone of national cybersecurity, assuming oversight of BruCERT, leading policy development, and building the regulatory capacity that directly produced the 2023 Cybersecurity Order.

The government released a whole-of-nation Cybersecurity Masterplan covering legal reform, technical capability, organisational structures, and public awareness—setting the strategic roadmap that led to the establishment of CSB in 2020, the Cybersecurity Order in 2023, and the PDPO in 2025.

Brunei gave legal recognition to electronic records, contracts, and digital signatures, providing the secure legal basis for digital commerce and government services and underpinning later requirements for organisations to maintain integrity and availability of electronic systems.

On 1 May 2004 the government stood up the Brunei Computer Emergency Response Team as the national one-stop hub for detecting, analysing, and coordinating responses to cybersecurity incidents, and for international liaison with APCERT, OIC-CERT, and FIRST—Brunei's first operational cybersecurity institution.

The Authority for Infocommunications Technology Industry was established under the Telecommunications Orders 2001 as Brunei's central regulator for ICT and digital infrastructure; AITI later became the designated enforcement authority for the Personal Data Protection Order 2025, making it pivotal to cybersecurity compliance.

Brunei's first cyber-specific criminal law (enacted ca. 2000, revised edition 2007) criminalised unauthorised access, modification of computer material, interception of computer services, and obstruction of computer use, with penalties of up to BND 100,000 and 20 years' imprisonment for attacks on protected computers; it remains the primary cybercrime penal instrument.