Skip to content
World Watch/Iran/Cybersecurity

Cybersecurity ยท Iran

Cybersecurity law & regulation in Iran (2026)

Sectoral rulesComputer Crimes Law (Law No. 71063, 2009); Supreme Council of Cyberspace (est. 2012 by Supreme Leader decree); FETA (Cyber Police of the Islamic Republic of Iran)Country index 62 ยท C+

Iran shaded by its cybersecurity status

Cybersecurity in Iran: sectoral rules, anchored by Computer Crimes Law (Law No. 71063, 2009); Supreme Council of Cyberspace (est. 2012 by Supreme Leader decree); FETA (Cyber Police of the Islamic Republic of Iran).

Iran's cybersecurity regime is built around the 2009 Computer Crimes Law, which criminalises unauthorised access, data interference, and system disruption, enforced by the dedicated Cyber Police (FETA). The Supreme Council of Cyberspace, established in 2012, serves as the apex policy body coordinating all state agencies on cyberspace matters, including the development of Iran's domestic National Information Network. There is no comprehensive horizontal cybersecurity or data-breach-notification law comparable to the EU NIS2 Directive; proposals to expand internet and cyber control legislation have repeatedly stalled or been withdrawn under public pressure.

Key points

Computer Crimes Law (2009)

Law No. 71063, enacted by Parliament in January 2009 and effective June 2009, comprises 55 articles added to Book Five (Ta'zirat) of the Islamic Penal Code. It criminalises unauthorised access, unlawful interception, data destruction, fraud, and distribution of illicit content via computer or telecommunications systems, with penalties ranging from fines to imprisonment.

Supreme Council of Cyberspace

Established on 26 February 2012 by decree of Supreme Leader Khamenei, the SCC is the centralised policymaking, decision-making, and coordination body for all cyberspace matters. All state agencies, including Parliament, are required to comply with its decisions. It oversees the National Information Network (Iran's sovereign intranet) and content governance.

FETA (Cyber Police) enforcement

The Cyber Police of the Islamic Republic of Iran (FETA), established under the Law Enforcement Command, is the primary enforcement body for computer crimes. It handles investigations, seizure of equipment, and blocking of content under powers granted by the Computer Crimes Law.

No breach-notification or incident-reporting regime

Iran has no statutory data-breach notification obligation or formal cyber-incident reporting framework comparable to the EU NIS2 or GDPR regimes. A Draft Protection of Personal Data Law announced by the Ministry of ICT in 2018 remains unratified by Parliament as of 2025-2026.

Proposed internet-control legislation (2025, withdrawn)

In July 2025, the Pezeshkian administration submitted an urgency bill, 'Combating the Dissemination of False Content in Cyberspace', to Parliament. It was withdrawn after significant public backlash. A separate 'Protection Bill' granting IRIB (state broadcaster) sweeping control over audio-visual online content has also been revived and debated, signalling ongoing legislative attempts to tighten cyber control.

Iran-Russia information-security cooperation (2023)

In December 2023 Iran's Parliament approved a bilateral information-security cooperation agreement with Russia, signalling an intent to deepen defensive and offensive cyber coordination with Moscow outside of any domestic comprehensive cybersecurity law framework.

Timeline - major decisions & events

Apr 1, 2026guidanceofficial
CISA Joint Advisory: Iranian APT Disrupts US Critical-Infrastructure PLCs

CISA and partner agencies confirmed that an Iranian-affiliated APT group has, since at least March 2026, disrupted programmable logic controllers across US water, energy, government-facilities, and manufacturing sectors, causing operational outages and financial losses. The advisory marks Iran's escalation from opportunistic IT intrusions to sustained, disruptive OT campaigns.

CISA โ†—
Jul 1, 2025law
Iran Tables 'Double-Urgency' Bill to Criminalise False Online Content

The Ministry of Justice submitted the 'Bill on Combating the Spread of False News Content in Cyberspace' under double-urgency procedures requiring a parliamentary vote within 30 days, bypassing normal debate. Critics warn that the bill's sweeping definitions could criminalise virtually any online dissent or opinion.

Center for Human Rights in Iran โ†—
Oct 16, 2024guidanceofficial
US/UK/AUS Joint Advisory on Iranian Brute-Force Credential Attacks Against Critical Infrastructure

CISA, NSA, FBI, and allied agencies published a joint advisory documenting Iranian cyber actors' systematic use of password spraying and MFA push-bombing to compromise healthcare, government, energy, and engineering targets since October 2023. Organisations were directed to enforce phishing-resistant MFA and audit privileged accounts.

CISA / DoD โ†—
May 1, 2024enforcementofficial
US Treasury OFAC Sanctions IRGC-CEC Companies and Individuals for Targeting US Government Networks

OFAC designated two Iranian companies and four individuals linked to the IRGC Cyber-Electronic Command for spear-phishing and malware campaigns against more than a dozen US companies and government entities. The designations extended the accountability framework established in the February 2024 Unitronics-related sanctions.

US Department of the Treasury โ†—
Feb 1, 2024enforcementofficial
US Treasury Sanctions Six IRGC-CEC Officials for Unitronics PLC Hacking

OFAC sanctioned six senior IRGC Cyber-Electronic Command officials in direct response to the November 2023 compromise of Israeli-made Unitronics PLCs in US water and wastewater systems. These were the first US designations to name IRGC-CEC leadership personally for operational-technology attacks on civilian infrastructure.

US Department of the Treasury โ†—
Nov 1, 2023incidentofficial
IRGC-Affiliated CyberAv3ngers Compromise US Water-Sector PLCs

The IRGC-affiliated group CyberAv3ngers compromised at least 75 Unitronics PLC devices at US water and wastewater facilities, defacing operator interfaces with political messaging. CISA issued Advisory AA23-335A; the incident was the most publicly confirmed IRGC attack on civilian operational technology to date and prompted the subsequent Treasury sanctions.

CISA โ†—
Sep 21, 2022enforcement
Iran Cuts Instagram, WhatsApp, and Mobile Internet During Mahsa Amini Protests

Following Mahsa Amini's death in morality-police custody, authorities imposed nationwide restrictions on Instagram and WhatsApp and severed mobile internet connectivity; deep-packet inspection was deployed to defeat VPNs at the network layer. The episode demonstrated Iran's real-time ability to weaponise its National Information Network architecture for domestic repression.

NetBlocks โ†—
Sep 6, 2022decision
Supreme Council of Cyberspace Silently Enacts Three Articles of Unratified Protection Bill

Without parliamentary approval, the Supreme Council of Cyberspace issued a directive implementing three articles of the Cyberspace User Protection Bill, consolidating armed-forces control over Iran's internet gateways and enabling tiered bandwidth throttling. The move created a de facto regulatory regime bypassing the legislature entirely.

ARTICLE 19 โ†—
Jul 1, 2021law
Parliament Fast-Tracks Internet User Protection (Siyanat) Bill Under Article 85

The Iranian parliament voted to advance the Cyberspace User Protection Bill under Article 85, granting a Supreme Regulatory Commission authority to manage domestic and international bandwidth and effectively criminalise VPN use. The bill was never fully ratified but was partially enacted through SCC directives in September 2022.

The Iran Primer (USIP) โ†—
Aug 1, 2012incidentofficial
Shamoon Wiper Attributed to Iran Destroys 30,000 Saudi Aramco Computers

The Shamoon disk-wiper erased data on approximately 30,000 computers at Saudi Aramco, replacing files with an image of a burning US flag; US officials attributed the operation to Iran. It was Iran's first large-scale destructive offensive cyber operation and demonstrated the country had moved beyond espionage to disruptive attacks on critical economic infrastructure.

Congressional Research Service โ†—
Feb 26, 2012decision
Supreme Leader Decrees Creation of Supreme Council of Cyberspace

Supreme Leader Khamenei established the Supreme Council of Cyberspace (SCC) by decree, designating it as Iran's apex internet-governance body with authority over all state agencies and mandate to create the National Cyberspace Center, develop the National Information Network, and set all cyberspace policy. The SCC is the central institution through which Iran's dual offensive-and-censorship cyber strategy is coordinated.

Wikipedia / Supreme Council of Cyberspace โ†—
Jan 23, 2011law
Iran Officially Launches Cyber Police (FATA)

Iran formally stood up its Cyber Police unit (FATA) under the Islamic Republic of Iran Police on 23 January 2011, empowering it to investigate cybercrimes, monitor online content, and conduct surveillance operations. By 2018 FATA had arrested nearly 75,000 people, making it a primary instrument of domestic digital enforcement under the Computer Crimes Law.

Wikipedia / Iranian Cyber Police โ†—
Jun 1, 2010incident
Stuxnet Discovered, Triggers Iran's Decision to Build Offensive Cyber Capabilities

The Stuxnet worm, attributed to the US and Israel, was publicly identified in June 2010 after destroying an estimated 1,000 centrifuges at Iran's Natanz facility. The attack directly catalysed Iran's national cyber strategy: the regime responded by establishing the Supreme Council of Cyberspace, the Cyber Defence Command, and cultivating state-sponsored APT groups (APT33, APT34, APT35, APT42).

Wikipedia / Stuxnet โ†—
Jun 1, 2009lawofficial
Iran Enacts Computer Crimes Law (Law No. 71063), Foundational Cybersecurity Statute

Iran's Computer Crimes Law, approved by parliament in January 2009 and entering force in June 2009, established criminal penalties for unauthorised access, data interference, fraud, interception of communications, and publication of illegal or 'immoral' content online across 55 articles. The law also created the multi-agency Computer Crimes Detection and Operations Committee (CCDOC) for content oversight and remains the bedrock of Iran's domestic cybersecurity legal framework.

ILO NATLEX โ†—

Iran - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’