Cybersecurity regulation in Israel (2026)
Israel has no single comprehensive cybersecurity statute in force; cyber defense is currently governed by a patchwork of executive resolutions establishing the National Cyber Directorate and by sector-specific obligations (banking/finance regulators, critical-infrastructure rules, and data-protection breach notification). A first comprehensive National Cyber Protection Law (Memorandum 5786-2026) was published for public comment on 22 January 2026 but, amid elections, is not expected to be enacted before 2027.
Key points
The Israel National Cyber Directorate operates primarily through government resolutions and temporary/emergency arrangements rather than a dedicated overarching cyber statute; a 2019 Knesset amendment gave limited statutory recognition to its role, but no general cross-sector cyber-defense law is in force.
The National Cyber Protection Law Memorandum, 5786-2026 was published for public comment on 22 January 2026 (comment deadline 21 February 2026). It would impose baseline standards and incident-reporting duties on 'essential/critical organizations' (telecom, energy, health, water, transport), create sectoral cyber units in ministries, and add administrative fines up to NIS 300,000 plus criminal sanctions; it is widely expected to pass no earlier than 2027.
Amendment 13 to the Protection of Privacy Law took effect on 14 August 2025. On a 'severe security incident' (data breach), the database owner must immediately notify the Privacy Protection Authority, which can order notification of affected individuals; the PPA gained expanded enforcement and significant monetary penalties.
The Banking Supervision Department imposes binding cyber requirements via Proper Conduct of Banking Business directives (notably Directive 361 'Cyber Defense Management', recently consolidated), and mandatory reporting of technological-failure and cyber events to the Supervisor of Banks (Directive 366).
Critical national infrastructure and essential-service operators are subject to INCD-led protection and guidance under existing government-resolution arrangements (the draft 2026 bill would put these 'essential/critical organization' duties on a statutory footing with mandatory incident reporting).
Absent a general law, mandatory incident reporting currently arises only from sector regimes (banking/finance, privacy/data-breach) and from INCD's voluntary national reporting channels (e.g., CERT-IL); economy-wide mandatory cyber-incident reporting awaits the proposed law.
Timeline - major decisions & events
Israel published a draft National Cybersecurity Law creating binding obligations for 'essential organizations' (energy, health, telecom, transport) and large digital/storage service providers, with incident-reporting duties, INCD supervision, monetary sanctions up to ILS 640,000 and possible criminal liability. It is the long-awaited attempt to put the National Cyber Directorate's powers on a statutory footing after the failed 2018 bill. (Source: Barnea Jaffa Lande)
Amendment 13 took effect in mid-August 2025, mandating data protection officers, strengthening data-security and transparency duties and dramatically expanding the Privacy Protection Authority's enforcement powers (administrative fines scaled to number of data subjects and turnover). It aligns Israel's regime more closely with the EU GDPR. (Source: IAPP)
The Knesset passed Amendment 13, the most sweeping overhaul of Israeli privacy/data-security law since 1981, modernizing definitions of sensitive data and overhauling enforcement. It is the legislative backbone for organizations' data-security obligations pending a dedicated cybersecurity statute. (Source: Israel Tech Policy Institute)
A ransomware attack locked the Hadera hospital out of all digital systems for weeks (≈ILS 36 million in losses), becoming a landmark national incident; the INCD had earlier warned the hospital of unaddressed vulnerabilities. It triggered sector-wide INCD warnings and accelerated healthcare cybersecurity regulation. (Source: Times of Israel)
A legislative amendment gave statutory recognition to the National Cyber Directorate's role in protecting Israel's cyberspace, an interim step after the comprehensive 2018 cyber bill stalled. It clarified the INCD's legal standing pending a full cybersecurity law. (Source: U.S. Library of Congress)
The Prime Minister's Office published a draft bill to give the INCD far-reaching powers—compelling production of information, issuing binding instructions, entering premises and seizing computer material to handle cyberattacks. It drew heavy criticism over privacy and oversight and ultimately failed to advance. (Source: Council on Foreign Relations)
These regulations, effective alongside the EU GDPR, impose tiered data-security obligations on all database holders—access controls, encryption, audits, staff training, written security policy and breach notification to the Privacy Protection Authority within 72 hours. They remain the core operative cybersecurity/data-protection compliance rules. (Source: Lexology)
A government resolution unified the National Cyber Bureau and the National Cyber Security Authority into a single Israel National Cyber Directorate within the Prime Minister's Office, responsible for the full civilian cyber-defense lifecycle from policy to operational defense. This created the central regulator that shapes today's framework. (Source: Wikipedia (Gov. Resolution))
Government Resolution 3611, 'Advancing National Cyberspace Capabilities,' created the Israel National Cyber Bureau in the Prime Minister's Office to set cyber policy, protect critical infrastructure and coordinate across government, academia and industry. It is the foundational document of Israel's centralized civilian cyber governance. (Source: National Security Archive)
Special Government Resolution B/84 assigned protection of computerized critical infrastructure to the Israel Security Agency (Shin Bet) via a new National Information Security Agency (Re'em/NISA), requiring supervised bodies to follow mandatory IT-security instructions. It was one of the world's first centralized CIP frameworks and the origin of Israel's cyber obligations. (Source: Connections / PfP Consortium)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.