Cybersecurity regulation in Laos (2026)
Laos enacted a standalone Law on Cybersecurity, published in the Lao Official Gazette on 20 March 2026 after National Assembly review in June 2025, creating a comprehensive legal framework governing cybersecurity obligations across all sectors. The law complements the 2015 cybercrime law and 2017 electronic data protection law, mandating incident reporting, annual compliance filings, and critical infrastructure protection across five designated sectors. Enforcement authority rests with the MTC, supported by LaoCERT.
Key points
Laos published a standalone Law on Cybersecurity in the Lao Official Gazette on 20 March 2026, following National Assembly review on 23 June 2025. It introduces a comprehensive framework covering risk management, access control, encryption, network security, incident response, and registration requirements for online service providers.
The 2026 law designates five critical national information infrastructure sectors: national defence and public security; technology and communications; finance and banking; energy; and commerce, transport and logistics. Operators in these sectors face heightened security obligations, including physical protection, access control, and third-party service provider oversight.
All covered entities must immediately report cybersecurity incidents to the MTC/LaoCERT. In addition, organisations must submit annual cybersecurity reports to the MTC every January, maintain data backups across multiple locations, and establish documented incident response procedures.
The 2026 law establishes a National Cybersecurity Operations System, a 24/7 central monitoring and response structure integrating big data analytics and AI. LaoCERT, operating as a division of the MTC's Department of Cyber Security, serves as the national CSIRT and front-line receiver of security breach reports from individuals and legal entities.
The Law on Prevention and Combating Cyber Crime (15 July 2015) criminalises cyber offences and established LaoCERT. The Law on Electronic Data Protection No. 25/NA (12 May 2017) requires data controllers to implement technical and organisational security measures and data backup and recovery systems, and imposes fines of up to LAK 15 million for violations.
Violations of the 2026 Law on Cybersecurity may result in warnings, fines, civil liability, or criminal penalties. The MTC is the primary supervisory authority; LaoCERT handles operational incident coordination. The 2017 data protection law additionally provides criminal sanctions for serious breaches.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.