Cybersecurity ยท Iraq
Cybersecurity law & regulation in Iraq (2026)
Iraq shaded by its cybersecurity status
Cybersecurity in Iraq: proposed, anchored by No dedicated cybersecurity or cybercrime law in force; obligations derived from Iraqi Penal Code No. 111 of 1969 and Civil Code No. 40 of 1951, supplemented by sector-specific rules (Banking Law No. 94/2004; CPA Order 65/2004 for communications/CMC); National Cybersecurity Strategy 2022-2025 and Ministry of Interior Cybersecurity Directorate (established 2025) constitute the institutional framework.
Iraq has no enacted cybercrime or comprehensive cybersecurity statute as of 2026. A Draft Cybercrime Law has been in circulation since 2011, was suspended by parliament in May 2021 over free-speech concerns, and remains unenacted despite repeated attempts at reintroduction. Institutional capacity has grown, the Ministry of Interior upgraded its Cybersecurity Centre to a full Cybersecurity Directorate in 2025, but mandatory breach-notification obligations and a general data-protection regime do not exist.
Key points
Iraq has no dedicated cybercrime or cybersecurity statute. Courts rely on Penal Code No. 111/1969 and Civil Code No. 40/1951, instruments not designed for digital offences that leave significant enforcement gaps.
A Draft Information/Cybercrime Law (originated 2011, revised multiple times) was formally suspended by the Iraqi Parliament in May 2021 due to concerns it would restrict freedom of expression; reintroduced for a vote in 2022 but still not enacted as of 2026, with debate ongoing.
The Ministry of Interior approved Iraq's first National Cybersecurity Strategy in December 2022, setting policy goals for cyber defence and establishing the basis for a dedicated Cybersecurity Centre under the ministry's authority.
The Ministry of Interior's Cybersecurity Centre was upgraded to a full Cybersecurity Directorate in 2025, described as 'a strategic response to the shifting digital threat landscape,' and works alongside a high-level inter-agency cybersecurity committee convened by the Prime Minister.
Iraq has no general data-protection law and no Data Protection Authority. There is no statutory obligation to notify regulators or affected individuals of data breaches; notification is considered prudent but carries no legal mandate.
The Communications and Media Commission (CMC), established under CPA Order 65/2004, issues digital-content directives and a draft Data Classification Policy. Banking Law No. 94/2004 and Central Bank of Iraq regulations impose some cybersecurity-adjacent obligations on financial institutions.
Timeline - major decisions & events
Iraq participated in Operation Ramz (October 2025-February 2026), INTERPOL's first MENA-wide cybercrime crackdown across 13 countries, resulting in 201 arrests, 382 suspects identified, and 53 malicious servers seized. Iraq's Cybersecurity Directorate simultaneously chaired the INTERPOL Cybercrime Working Group for the Gulf/MENA region, marking Iraq's formal integration into international cyber-enforcement architecture.
INTERPOL โIraq's Ministry of Trade issued binding e-commerce rules requiring licensed merchants to implement secure systems to protect customer personal data, collect only necessary information, obtain explicit consent before sharing data, and display a privacy policy on all digital storefronts. This is Iraq's first sector-specific data-security obligation for online commerce.
Mondaq / Etihad Law โThe Communications and Media Commission formally issued Iraq's first comprehensive digital-platform regime, covering social media, video-sharing, e-commerce, fintech, and AI platforms. Operators must meet cybersecurity international best practices, implement controls against unauthorized interception, report breaches within 24-72 hours, and obtain a CMC licence or registration before serving Iraqi users.
Communications and Media Commission (CMC) Iraq โPM Mohammed Al-Sudani inaugurated the National Cybersecurity Centre under the Ministry of Interior, describing it as a historic step in integrating cyber defence into the national security system. The centre was shortly afterwards elevated to a Cybersecurity Directorate, headed by Brigadier General Dr Hassan Hadi Lazeez, giving it permanent institutional standing and a mandate to lead national cyber incident response.
Iraq Business News โThe UN General Assembly adopted the landmark UN Convention against Cybercrime, which opened for signature in Hanoi in October 2025 with 65 countries signing, including Iraq. The convention imposes obligations to criminalise computer intrusion, fraud, and CSAM, and requires parties to cooperate on cross-border investigations and electronic-evidence exchange.
UNODC โIraq's Ministry of Interior approved the country's inaugural national cybersecurity strategy, establishing a policy roadmap covering critical-infrastructure protection, capacity building, and inter-agency coordination. The strategy directly paved the way for the 2025 Cybersecurity Centre inauguration, though implementation gaps and under-resourcing have persisted.
Stimson Center โThe Iraqi Parliament suspended the draft Law on Combating Cybercrimes after intense pressure from civil society and international human-rights organisations, with Speaker Al-Halbousi vowing it 'will not pass' in its current form. The bill's overbroad provisions, including criminalising online content deemed harmful to 'national unity', were condemned as threats to press freedom and political dissent.
Human Rights Watch โIraq's Council of Representatives completed the second reading of a revised cybercrime bill seeking to criminalise unauthorised computer access, online fraud, and certain content offences, moving it toward a vote. Vaguely worded provisions on harming 'national unity' and 'social peace' online drew immediate condemnation and ultimately led to suspension in 2021.
Library of Congress Global Legal Monitor โBecause the 2013 parliamentary withdrawal decision was never formally enacted into law, the original draft Iraqi Information Crimes Law was reintroduced with slight amendments in January 2019, reopening a divisive legislative debate and setting the stage for the 2020 second reading and 2021 suspension.
Al Tamimi & Company โIraq established its first national incident-response capability, IQ-CERT, to monitor, detect, and coordinate responses to cybersecurity incidents affecting government networks. Its creation marked Iraq's first formal institutional cybersecurity capacity and enabled participation in international CERT cooperation networks.
Cybil Portal (ITU/UNIDIR) โCoalition Provisional Authority Order No. 65, signed on 20 March 2004, created the CMC as Iraq's independent regulator for telecommunications, radio, and media, the foundational institutional pillar of Iraq's entire communications governance framework. The CMC later became the primary regulatory body for digital platforms, cybersecurity obligations, and online content in post-2003 Iraq.
Coalition Provisional Authority โIraq - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ