Cybersecurity regulation in Iraq (2026)

Iraq has no dedicated cybercrime or cybersecurity statute. Courts rely on Penal Code No. 111/1969 and Civil Code No. 40/1951, instruments not designed for digital offences that leave significant enforcement gaps.

A Draft Information/Cybercrime Law (originated 2011, revised multiple times) was formally suspended by the Iraqi Parliament in May 2021 due to concerns it would restrict freedom of expression; reintroduced for a vote in 2022 but still not enacted as of 2026, with debate ongoing.

The Ministry of Interior approved Iraq's first National Cybersecurity Strategy in December 2022, setting policy goals for cyber defence and establishing the basis for a dedicated Cybersecurity Centre under the ministry's authority.

The Ministry of Interior's Cybersecurity Centre was upgraded to a full Cybersecurity Directorate in 2025, described as 'a strategic response to the shifting digital threat landscape,' and works alongside a high-level inter-agency cybersecurity committee convened by the Prime Minister.

Iraq has no general data-protection law and no Data Protection Authority. There is no statutory obligation to notify regulators or affected individuals of data breaches; notification is considered prudent but carries no legal mandate.

The Communications and Media Commission (CMC), established under CPA Order 65/2004, issues digital-content directives and a draft Data Classification Policy. Banking Law No. 94/2004 and Central Bank of Iraq regulations impose some cybersecurity-adjacent obligations on financial institutions.