Cybersecurity · Brunei

Comprehensive law: Cybersecurity Act, Chapter 272 (S 20/2023, Revised Edition 2024), administered by Cyber Security Brunei (CSB); complemented by the Computer Misuse Act (Chapter 194, 2007) and Personal Data Protection Order (PDPO) 2025

Brunei enacted its standalone Cybersecurity Act via Cybersecurity Order (S 20/2023) on 20 May 2023, consolidated as Chapter 272 in the 2024 Revised Edition. The Act establishes a national cybersecurity oversight regime centred on protecting Critical Information Infrastructure (CII) across ten essential-service sectors, with mandatory incident-reporting duties for CII owners under Section 16. The PDPO 2025 adds a 3-calendar-day data-breach notification requirement for private-sector organisations.

Cybersecurity Act (Chapter 272)

Passed as a Legislative Order on 20 May 2023 and revised in 2024, the Act creates a comprehensive legal framework for national cybersecurity oversight, designates Cyber Security Brunei (CSB) as the competent authority, and imposes binding duties on Critical Information Infrastructure (CII) owners across ten sectors including energy, banking and finance, healthcare, and defence.

CII Obligations & Code of Practice

CII owners must implement detection systems, conduct risk assessments, and follow the Code of Practice for CII issued by CSB. Non-compliance carries fines up to BND 100,000 and/or imprisonment up to 2 years, plus BND 5,000 per day for continuing offences.

Incident Reporting (CII — Section 16)

Section 16 of the Cybersecurity Act requires CII owners to notify the Commissioner of Cybersecurity of prescribed cybersecurity incidents. As of 2025, the specific incident categories and reporting timelines are pending subordinate regulation, but the notification duty is in force.

PDPO 2025 — Breach Notification

The Personal Data Protection Order, gazetted 8 January 2025 and enforced by AITI, requires private-sector organisations to notify the Responsible Authority within 3 calendar days of assessing a data breach likely to cause significant harm to affected individuals.

Financial Sector — BDCB Sectoral Notices

The Brunei Darussalam Central Bank (BDCB) supplements the Act with sector-specific cybersecurity notices for banks: a January 2024 Notice on Early Detection of Cyber Intrusion and Incident Reporting, a June 2023 Technology Risk Management Notice, and a 2025 Compliance and Security by Design Notice (TRS/N-2/2025/1).

BruCERT & National Framework

The Brunei Computer Emergency Response Team (BruCERT), established in 2004 and operating under CSB, serves as the national CERT coordinating incident response with international CERTs, ISPs, and government agencies. CSB also maintains the voluntary Brunei National Cyber Security Framework as a risk-reduction guide for all organisations.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.