Cybersecurity - Israel

The Israel National Cyber Directorate operates primarily through government resolutions and temporary/emergency arrangements rather than a dedicated overarching cyber statute; a 2019 Knesset amendment gave limited statutory recognition to its role, but no general cross-sector cyber-defense law is in force.

The National Cyber Protection Law Memorandum, 5786-2026 was published for public comment on 22 January 2026 (comment deadline 21 February 2026). It would impose baseline standards and incident-reporting duties on 'essential/critical organizations' (telecom, energy, health, water, transport), create sectoral cyber units in ministries, and add administrative fines up to NIS 300,000 plus criminal sanctions; it is widely expected to pass no earlier than 2027.

Amendment 13 to the Protection of Privacy Law took effect on 14 August 2025. On a 'severe security incident' (data breach), the database owner must immediately notify the Privacy Protection Authority, which can order notification of affected individuals; the PPA gained expanded enforcement and significant monetary penalties.

The Banking Supervision Department imposes binding cyber requirements via Proper Conduct of Banking Business directives (notably Directive 361 'Cyber Defense Management', recently consolidated), and mandatory reporting of technological-failure and cyber events to the Supervisor of Banks (Directive 366).

Critical national infrastructure and essential-service operators are subject to INCD-led protection and guidance under existing government-resolution arrangements (the draft 2026 bill would put these 'essential/critical organization' duties on a statutory footing with mandatory incident reporting).

Absent a general law, mandatory incident reporting currently arises only from sector regimes (banking/finance, privacy/data-breach) and from INCD's voluntary national reporting channels (e.g., CERT-IL); economy-wide mandatory cyber-incident reporting awaits the proposed law.