Cybersecurity - Cambodia

The principal enacted instrument covers offences including illegal access, illegal system retention, data interference, and system interference; the Criminal Code (Arts. 317-320, 427-432) provides supplementary provisions on secrecy of communications and IT offences. A later redraft was shelved over civil-liberties concerns.

Promulgated by Royal Decree on 7 April 2026 and immediately in force, the Law on Combating Technology-based Fraud criminalises online scam operations, human trafficking for forced labour, and crypto money-laundering, with prison terms up to life imprisonment for ringleaders where victims die.

The Telecommunications Law (2015) established the Telecommunications Regulator of Cambodia (TRC) under MPTC to oversee operators and ISPs, with authority extending to network security obligations for licensed providers.

A final draft PDPL was released on 23 June 2025. It would require data controllers to notify MPTC of personal data breaches within 72 hours and to notify affected individuals of high-risk breaches immediately. Administrative fines could reach ~USD 150,000 or 10% of annual turnover. As of May 2026 it has not been promulgated.

MPTC has been developing a dedicated Cybersecurity Law; as of 2026 it remains in draft stage and has not been tabled for parliamentary approval. Access Now's legal analysis (2023) flagged broad government-access provisions as potential rights risks.

MPTC runs cybersecurity training under the Digital Economy and Society Policy Framework 2021-2035 and Digital Government Policy 2022-2035, supported by Japan's JICA Cybersecurity Resilience Improvement Project. There are no mandatory incident-reporting obligations to a national CERT in currently enacted law.