Cybersecurity regulation in Iran (2026)

Sectoral rules

Computer Crimes Law (Law No. 71063, 2009); Supreme Council of Cyberspace (est. 2012 by Supreme Leader decree); FETA (Cyber Police of the Islamic Republic of Iran)

Country index 62 · C+

Iran's cybersecurity regime is built around the 2009 Computer Crimes Law, which criminalises unauthorised access, data interference, and system disruption, enforced by the dedicated Cyber Police (FETA). The Supreme Council of Cyberspace, established in 2012, serves as the apex policy body coordinating all state agencies on cyberspace matters, including the development of Iran's domestic National Information Network. There is no comprehensive horizontal cybersecurity or data-breach-notification law comparable to the EU NIS2 Directive; proposals to expand internet and cyber control legislation have repeatedly stalled or been withdrawn under public pressure.

Key points

Computer Crimes Law (2009)

Law No. 71063, enacted by Parliament in January 2009 and effective June 2009, comprises 55 articles added to Book Five (Ta'zirat) of the Islamic Penal Code. It criminalises unauthorised access, unlawful interception, data destruction, fraud, and distribution of illicit content via computer or telecommunications systems, with penalties ranging from fines to imprisonment.

Supreme Council of Cyberspace

Established on 26 February 2012 by decree of Supreme Leader Khamenei, the SCC is the centralised policymaking, decision-making, and coordination body for all cyberspace matters. All state agencies, including Parliament, are required to comply with its decisions. It oversees the National Information Network (Iran's sovereign intranet) and content governance.

FETA (Cyber Police) enforcement

The Cyber Police of the Islamic Republic of Iran (FETA), established under the Law Enforcement Command, is the primary enforcement body for computer crimes. It handles investigations, seizure of equipment, and blocking of content under powers granted by the Computer Crimes Law.

No breach-notification or incident-reporting regime

Iran has no statutory data-breach notification obligation or formal cyber-incident reporting framework comparable to the EU NIS2 or GDPR regimes. A Draft Protection of Personal Data Law announced by the Ministry of ICT in 2018 remains unratified by Parliament as of 2025–2026.

Proposed internet-control legislation (2025, withdrawn)

In July 2025, the Pezeshkian administration submitted an urgency bill — 'Combating the Dissemination of False Content in Cyberspace' — to Parliament. It was withdrawn after significant public backlash. A separate 'Protection Bill' granting IRIB (state broadcaster) sweeping control over audio-visual online content has also been revived and debated, signalling ongoing legislative attempts to tighten cyber control.

Iran–Russia information-security cooperation (2023)

In December 2023 Iran's Parliament approved a bilateral information-security cooperation agreement with Russia, signalling an intent to deepen defensive and offensive cyber coordination with Moscow outside of any domestic comprehensive cybersecurity law framework.

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.