Cybersecurity regulation in Cambodia (2026)

Acting Head of State Hun Sen signed the Royal Decree promulgating Cambodia's first dedicated anti-cybercrime statute, which takes immediate effect and imposes sentences of 2–30 years (life imprisonment where victims die) on scammers, gang leaders, and financiers of technology-based fraud including pig-butchering, crypto scams, and forced-labour compounds. Cambodia had previously lacked any legislation specifically targeting cybercrime.

Cambodia's MPTC circulated a near-final draft of its first comprehensive Law on Personal Data Protection, modelled closely on the GDPR and mandating appointment of a certified Data Protection Officer for all controllers and processors regardless of scale — more stringent than the GDPR. As of early 2026 the bill awaited parliamentary passage.

Access Now and the International Commission of Jurists published a joint legal analysis and open letter calling on MPTC and the Ministry of Justice to withdraw or substantially amend the draft Law on Cybersecurity, citing warrantless infrastructure seizure powers, an unlimited government right to monitor systems, and no judicial oversight — all incompatible with international human rights standards.

MPTC circulated a draft Law on Cybersecurity for limited stakeholder review before the July 2023 national election; it would establish a corps of government cybersecurity inspectors empowered to monitor, seize, and compel access to any information system, drawing comparisons to China's cybersecurity statute and raising concerns that it would facilitate political surveillance.

The Ministry of Post and Telecommunications announced completion of the inaugural draft of a dedicated Law on Cybersecurity and committed to drafting a companion Personal Data Protection Law once the cybersecurity text was finalised, marking Cambodia's first formal attempt to enact sector-specific cybersecurity obligations.

The Royal Government announced indefinite postponement of the NIG—originally scheduled to go live the following day—after three UN Special Rapporteurs issued a joint statement warning it would seriously harm internet freedom, and Human Rights Watch called for the decree to be scrapped; the gateway has not been activated as of 2026.

Prime Minister Hun Sen signed Sub-Decree No. 23 requiring all internet service providers to route domestic and cross-border traffic through a single government-controlled gateway; operators must retain traffic data for 12 months, verify user real identities, block prohibited content on demand, and face licence suspension and bank-account freezing for non-compliance — the most sweeping cybersecurity and surveillance instrument in Cambodia's history.

MPTC published Cambodia's 15-year digital roadmap making cybersecurity an explicit national policy pillar — covering critical-infrastructure protection, a national awareness campaign, and a mandate to enact cybersecurity laws — providing the formal policy basis for all subsequent draft legislation and institutional capacity-building.

Human Rights Watch published an analysis of the August 2020 third-iteration draft Law on Cybercrime, warning that it would compel service providers to retain internet traffic data for at least 180 days on government demand, enable warrantless monitoring, and criminalise undefined online speech; the draft was never enacted but its provisions reappeared in subsequent cybersecurity law drafts.

Cambodia became the last ASEAN member to adopt a domestic e-commerce statute (entering force 23 May 2020); the law imposes a general obligation on all entities storing electronic data to implement 'all necessary measures' protecting it from unauthorised access, alteration, loss, or disclosure — Cambodia's earliest statutory data-security requirement applicable to businesses.

Cambodia's foundational telecom statute established the Telecommunications Regulator of Cambodia (TRC) and guaranteed subscribers a nominal right to privacy and security in communications, while simultaneously permitting undisclosed government monitoring without judicial safeguards; it provides the regulatory backbone on which all subsequent cybersecurity sub-decrees and draft laws are constructed.