Cybersecurity ยท Iran
Cybersecurity law & regulation in Iran (2026)
Iran shaded by its cybersecurity status
Cybersecurity in Iran: sectoral rules, anchored by Computer Crimes Law (Law No. 71063, 2009); Supreme Council of Cyberspace (est. 2012 by Supreme Leader decree); FETA (Cyber Police of the Islamic Republic of Iran).
Iran's cybersecurity regime is built around the 2009 Computer Crimes Law, which criminalises unauthorised access, data interference, and system disruption, enforced by the dedicated Cyber Police (FETA). The Supreme Council of Cyberspace, established in 2012, serves as the apex policy body coordinating all state agencies on cyberspace matters, including the development of Iran's domestic National Information Network. There is no comprehensive horizontal cybersecurity or data-breach-notification law comparable to the EU NIS2 Directive; proposals to expand internet and cyber control legislation have repeatedly stalled or been withdrawn under public pressure.
Key points
Law No. 71063, enacted by Parliament in January 2009 and effective June 2009, comprises 55 articles added to Book Five (Ta'zirat) of the Islamic Penal Code. It criminalises unauthorised access, unlawful interception, data destruction, fraud, and distribution of illicit content via computer or telecommunications systems, with penalties ranging from fines to imprisonment.
Established on 26 February 2012 by decree of Supreme Leader Khamenei, the SCC is the centralised policymaking, decision-making, and coordination body for all cyberspace matters. All state agencies, including Parliament, are required to comply with its decisions. It oversees the National Information Network (Iran's sovereign intranet) and content governance.
The Cyber Police of the Islamic Republic of Iran (FETA), established under the Law Enforcement Command, is the primary enforcement body for computer crimes. It handles investigations, seizure of equipment, and blocking of content under powers granted by the Computer Crimes Law.
Iran has no statutory data-breach notification obligation or formal cyber-incident reporting framework comparable to the EU NIS2 or GDPR regimes. A Draft Protection of Personal Data Law announced by the Ministry of ICT in 2018 remains unratified by Parliament as of 2025-2026.
In July 2025, the Pezeshkian administration submitted an urgency bill, 'Combating the Dissemination of False Content in Cyberspace', to Parliament. It was withdrawn after significant public backlash. A separate 'Protection Bill' granting IRIB (state broadcaster) sweeping control over audio-visual online content has also been revived and debated, signalling ongoing legislative attempts to tighten cyber control.
In December 2023 Iran's Parliament approved a bilateral information-security cooperation agreement with Russia, signalling an intent to deepen defensive and offensive cyber coordination with Moscow outside of any domestic comprehensive cybersecurity law framework.
Timeline - major decisions & events
CISA and partner agencies confirmed that an Iranian-affiliated APT group has, since at least March 2026, disrupted programmable logic controllers across US water, energy, government-facilities, and manufacturing sectors, causing operational outages and financial losses. The advisory marks Iran's escalation from opportunistic IT intrusions to sustained, disruptive OT campaigns.
CISA โThe Ministry of Justice submitted the 'Bill on Combating the Spread of False News Content in Cyberspace' under double-urgency procedures requiring a parliamentary vote within 30 days, bypassing normal debate. Critics warn that the bill's sweeping definitions could criminalise virtually any online dissent or opinion.
Center for Human Rights in Iran โCISA, NSA, FBI, and allied agencies published a joint advisory documenting Iranian cyber actors' systematic use of password spraying and MFA push-bombing to compromise healthcare, government, energy, and engineering targets since October 2023. Organisations were directed to enforce phishing-resistant MFA and audit privileged accounts.
CISA / DoD โOFAC designated two Iranian companies and four individuals linked to the IRGC Cyber-Electronic Command for spear-phishing and malware campaigns against more than a dozen US companies and government entities. The designations extended the accountability framework established in the February 2024 Unitronics-related sanctions.
US Department of the Treasury โOFAC sanctioned six senior IRGC Cyber-Electronic Command officials in direct response to the November 2023 compromise of Israeli-made Unitronics PLCs in US water and wastewater systems. These were the first US designations to name IRGC-CEC leadership personally for operational-technology attacks on civilian infrastructure.
US Department of the Treasury โThe IRGC-affiliated group CyberAv3ngers compromised at least 75 Unitronics PLC devices at US water and wastewater facilities, defacing operator interfaces with political messaging. CISA issued Advisory AA23-335A; the incident was the most publicly confirmed IRGC attack on civilian operational technology to date and prompted the subsequent Treasury sanctions.
CISA โFollowing Mahsa Amini's death in morality-police custody, authorities imposed nationwide restrictions on Instagram and WhatsApp and severed mobile internet connectivity; deep-packet inspection was deployed to defeat VPNs at the network layer. The episode demonstrated Iran's real-time ability to weaponise its National Information Network architecture for domestic repression.
NetBlocks โWithout parliamentary approval, the Supreme Council of Cyberspace issued a directive implementing three articles of the Cyberspace User Protection Bill, consolidating armed-forces control over Iran's internet gateways and enabling tiered bandwidth throttling. The move created a de facto regulatory regime bypassing the legislature entirely.
ARTICLE 19 โThe Iranian parliament voted to advance the Cyberspace User Protection Bill under Article 85, granting a Supreme Regulatory Commission authority to manage domestic and international bandwidth and effectively criminalise VPN use. The bill was never fully ratified but was partially enacted through SCC directives in September 2022.
The Iran Primer (USIP) โThe Shamoon disk-wiper erased data on approximately 30,000 computers at Saudi Aramco, replacing files with an image of a burning US flag; US officials attributed the operation to Iran. It was Iran's first large-scale destructive offensive cyber operation and demonstrated the country had moved beyond espionage to disruptive attacks on critical economic infrastructure.
Congressional Research Service โSupreme Leader Khamenei established the Supreme Council of Cyberspace (SCC) by decree, designating it as Iran's apex internet-governance body with authority over all state agencies and mandate to create the National Cyberspace Center, develop the National Information Network, and set all cyberspace policy. The SCC is the central institution through which Iran's dual offensive-and-censorship cyber strategy is coordinated.
Wikipedia / Supreme Council of Cyberspace โIran formally stood up its Cyber Police unit (FATA) under the Islamic Republic of Iran Police on 23 January 2011, empowering it to investigate cybercrimes, monitor online content, and conduct surveillance operations. By 2018 FATA had arrested nearly 75,000 people, making it a primary instrument of domestic digital enforcement under the Computer Crimes Law.
Wikipedia / Iranian Cyber Police โThe Stuxnet worm, attributed to the US and Israel, was publicly identified in June 2010 after destroying an estimated 1,000 centrifuges at Iran's Natanz facility. The attack directly catalysed Iran's national cyber strategy: the regime responded by establishing the Supreme Council of Cyberspace, the Cyber Defence Command, and cultivating state-sponsored APT groups (APT33, APT34, APT35, APT42).
Wikipedia / Stuxnet โIran's Computer Crimes Law, approved by parliament in January 2009 and entering force in June 2009, established criminal penalties for unauthorised access, data interference, fraud, interception of communications, and publication of illegal or 'immoral' content online across 55 articles. The law also created the multi-agency Computer Crimes Detection and Operations Committee (CCDOC) for content oversight and remains the bedrock of Iran's domestic cybersecurity legal framework.
ILO NATLEX โIran - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ