Skip to content
World Watch/Iraq/Cybersecurity

Cybersecurity ยท Iraq

Cybersecurity law & regulation in Iraq (2026)

ProposedNo dedicated cybersecurity or cybercrime law in force; obligations derived from Iraqi Penal Code No. 111 of 1969 and Civil Code No. 40 of 1951, supplemented by sector-specific rules (Banking Law No. 94/2004; CPA Order 65/2004 for communications/CMC); National Cybersecurity Strategy 2022-2025 and Ministry of Interior Cybersecurity Directorate (established 2025) constitute the institutional frameworkCountry index 54 ยท C

Iraq shaded by its cybersecurity status

Cybersecurity in Iraq: proposed, anchored by No dedicated cybersecurity or cybercrime law in force; obligations derived from Iraqi Penal Code No. 111 of 1969 and Civil Code No. 40 of 1951, supplemented by sector-specific rules (Banking Law No. 94/2004; CPA Order 65/2004 for communications/CMC); National Cybersecurity Strategy 2022-2025 and Ministry of Interior Cybersecurity Directorate (established 2025) constitute the institutional framework.

Iraq has no enacted cybercrime or comprehensive cybersecurity statute as of 2026. A Draft Cybercrime Law has been in circulation since 2011, was suspended by parliament in May 2021 over free-speech concerns, and remains unenacted despite repeated attempts at reintroduction. Institutional capacity has grown, the Ministry of Interior upgraded its Cybersecurity Centre to a full Cybersecurity Directorate in 2025, but mandatory breach-notification obligations and a general data-protection regime do not exist.

Key points

No enacted cybersecurity law

Iraq has no dedicated cybercrime or cybersecurity statute. Courts rely on Penal Code No. 111/1969 and Civil Code No. 40/1951, instruments not designed for digital offences that leave significant enforcement gaps.

Draft Cybercrime Law stalled

A Draft Information/Cybercrime Law (originated 2011, revised multiple times) was formally suspended by the Iraqi Parliament in May 2021 due to concerns it would restrict freedom of expression; reintroduced for a vote in 2022 but still not enacted as of 2026, with debate ongoing.

National Cybersecurity Strategy 2022-2025

The Ministry of Interior approved Iraq's first National Cybersecurity Strategy in December 2022, setting policy goals for cyber defence and establishing the basis for a dedicated Cybersecurity Centre under the ministry's authority.

Ministry of Interior Cybersecurity Directorate (2025)

The Ministry of Interior's Cybersecurity Centre was upgraded to a full Cybersecurity Directorate in 2025, described as 'a strategic response to the shifting digital threat landscape,' and works alongside a high-level inter-agency cybersecurity committee convened by the Prime Minister.

No breach-notification or data-protection obligations

Iraq has no general data-protection law and no Data Protection Authority. There is no statutory obligation to notify regulators or affected individuals of data breaches; notification is considered prudent but carries no legal mandate.

Sector-specific and CMC rules provide partial coverage

The Communications and Media Commission (CMC), established under CPA Order 65/2004, issues digital-content directives and a draft Data Classification Policy. Banking Law No. 94/2004 and Central Bank of Iraq regulations impose some cybersecurity-adjacent obligations on financial institutions.

Timeline - major decisions & events

Feb 28, 2026enforcementofficial
INTERPOL Operation Ramz: Iraq Joins First MENA Cybercrime Enforcement Action

Iraq participated in Operation Ramz (October 2025-February 2026), INTERPOL's first MENA-wide cybercrime crackdown across 13 countries, resulting in 201 arrests, 382 suspects identified, and 53 malicious servers seized. Iraq's Cybersecurity Directorate simultaneously chaired the INTERPOL Cybercrime Working Group for the Gulf/MENA region, marking Iraq's formal integration into international cyber-enforcement architecture.

INTERPOL โ†—
Apr 1, 2025law
E-Commerce Regulation No. 4 of 2025 Enters into Force

Iraq's Ministry of Trade issued binding e-commerce rules requiring licensed merchants to implement secure systems to protect customer personal data, collect only necessary information, obtain explicit consent before sharing data, and display a privacy policy on all digital storefronts. This is Iraq's first sector-specific data-security obligation for online commerce.

Mondaq / Etihad Law โ†—
Feb 17, 2025lawofficial
CMC Issues Framework Regulations for Digital Platforms and Services (FDP)

The Communications and Media Commission formally issued Iraq's first comprehensive digital-platform regime, covering social media, video-sharing, e-commerce, fintech, and AI platforms. Operators must meet cybersecurity international best practices, implement controls against unauthorized interception, report breaches within 24-72 hours, and obtain a CMC licence or registration before serving Iraqi users.

Communications and Media Commission (CMC) Iraq โ†—
Jan 13, 2025decision
Prime Minister Inaugurates National Cybersecurity Centre; Later Elevated to Directorate

PM Mohammed Al-Sudani inaugurated the National Cybersecurity Centre under the Ministry of Interior, describing it as a historic step in integrating cyber defence into the national security system. The centre was shortly afterwards elevated to a Cybersecurity Directorate, headed by Brigadier General Dr Hassan Hadi Lazeez, giving it permanent institutional standing and a mandate to lead national cyber incident response.

Iraq Business News โ†—
Dec 24, 2024lawofficial
UN General Assembly Adopts Convention against Cybercrime; Iraq Among Signatories

The UN General Assembly adopted the landmark UN Convention against Cybercrime, which opened for signature in Hanoi in October 2025 with 65 countries signing, including Iraq. The convention imposes obligations to criminalise computer intrusion, fraud, and CSAM, and requires parties to cooperate on cross-border investigations and electronic-evidence exchange.

UNODC โ†—
Dec 1, 2022guidance
Ministry of Interior Approves Iraq's First National Cybersecurity Strategy (2022-2025)

Iraq's Ministry of Interior approved the country's inaugural national cybersecurity strategy, establishing a policy roadmap covering critical-infrastructure protection, capacity building, and inter-agency coordination. The strategy directly paved the way for the 2025 Cybersecurity Centre inauguration, though implementation gaps and under-resourcing have persisted.

Stimson Center โ†—
May 7, 2021decision
Parliament Suspends Draft Cybercrime Law after Rights Outcry

The Iraqi Parliament suspended the draft Law on Combating Cybercrimes after intense pressure from civil society and international human-rights organisations, with Speaker Al-Halbousi vowing it 'will not pass' in its current form. The bill's overbroad provisions, including criminalising online content deemed harmful to 'national unity', were condemned as threats to press freedom and political dissent.

Human Rights Watch โ†—
Nov 23, 2020lawofficial
Parliament Completes Second Reading of Draft Law on Combating Cybercrimes

Iraq's Council of Representatives completed the second reading of a revised cybercrime bill seeking to criminalise unauthorised computer access, online fraud, and certain content offences, moving it toward a vote. Vaguely worded provisions on harming 'national unity' and 'social peace' online drew immediate condemnation and ultimately led to suspension in 2021.

Library of Congress Global Legal Monitor โ†—
Jan 1, 2019law
Draft Information Crimes Law Reintroduced with Minor Amendments

Because the 2013 parliamentary withdrawal decision was never formally enacted into law, the original draft Iraqi Information Crimes Law was reintroduced with slight amendments in January 2019, reopening a divisive legislative debate and setting the stage for the 2020 second reading and 2021 suspension.

Al Tamimi & Company โ†—
Jan 1, 2017decisionofficial
IQ-CERT (Iraq Cyber Events Response Team) Established

Iraq established its first national incident-response capability, IQ-CERT, to monitor, detect, and coordinate responses to cybersecurity incidents affecting government networks. Its creation marked Iraq's first formal institutional cybersecurity capacity and enabled participation in international CERT cooperation networks.

Cybil Portal (ITU/UNIDIR) โ†—
Mar 20, 2004lawofficial
CPA Order No. 65 Establishes Communications and Media Commission (CMC)

Coalition Provisional Authority Order No. 65, signed on 20 March 2004, created the CMC as Iraq's independent regulator for telecommunications, radio, and media, the foundational institutional pillar of Iraq's entire communications governance framework. The CMC later became the primary regulatory body for digital platforms, cybersecurity obligations, and online content in post-2003 Iraq.

Coalition Provisional Authority โ†—

Iraq - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’