Cybersecurity ยท Lebanon
Cybersecurity law & regulation in Lebanon (2026)
Lebanon shaded by its cybersecurity status
Cybersecurity in Lebanon: sectoral rules, anchored by Law No. 81/2018 on Electronic Transactions and Personal Data; 2019 National Cybersecurity Strategy; Telecommunications Regulatory Authority (TRA); National Cybersecurity Committee (Resolution 173).
Lebanon lacks a comprehensive standalone cybersecurity law. Its regime rests on the 2018 Electronic Transactions and Personal Data Law (Law 81/2018), a 2019 National Cybersecurity Strategy that has been only partially implemented, and sector-level oversight by the Telecommunications Regulatory Authority (TRA). Enforcement is severely hampered by the country's prolonged political and economic crisis, and a proposed National Cyber Security and Information System Agency (NCISA) has not yet been formally established.
Key points
Enacted October 2018, Law No. 81 combines electronic-transactions recognition with data-protection principles (purpose limitation, lawfulness, security) and requires data controllers to notify authorities of breaches. The Ministry of Economy and Trade is the designated enforcement authority, but practical enforcement remains minimal.
Lebanon criminalises hacking, unauthorised access, fraud, identity theft, and dissemination of malicious software. The Cybercrime and Intellectual Property Rights Bureau (est. 2006 under the Internal Security Forces) handles enforcement, though its legal basis, a memorandum of service rather than a formal law or decree, is contested.
Adopted by the Council of Ministers on 30 August 2019, the strategy set objectives through 2022 and proposed a National Cyber Security and Information System Agency (NCISA) under the Higher Council of Defense. As of 2025-2026 the NCISA has not been formally created and core strategy targets remain unimplemented.
The Telecommunications Regulatory Authority (TRA) acts as the principal cybersecurity body for the telecom sector, publishing guidance and coordinating incident response for licensed operators. The TRA maintains a dedicated cybersecurity portal but no general cross-sector mandatory incident-reporting framework is in force.
A voluntary Lebanon CERT was launched in 2019 by private-sector security experts and coordinates with ISPs, law enforcement, and international bodies. A National Cybersecurity Committee was formalised by Resolution 173 under the Prime Minister's authority, with a National Cybersecurity Coordinator appointed under Resolution 172.
Lebanon is a participant in the Council of Europe's Octopus/CyberSouth programme working toward Budapest Convention alignment, and is a signatory to the Paris Call. The 2024 ISOC Country Report scored Lebanon only 30.44/100 on cybersecurity readiness, reflecting absent cross-sector breach-notification duties, weak enforcement, and no NIS2-equivalent critical-infrastructure regime.
Timeline - major decisions & events
Minister of Telecommunications Charles Hajj relaunched the TRA with Jenny Gemayel as new chair, restoring Lebanon's independent telecoms regulator and its mandate to define rules for security, data sovereignty, and sector licensing. The revival is a prerequisite for any enforceable sector-level cybersecurity regulation.
The Beiruter โThe website of the Meteorological Department at Beirut-Rafic Hariri International Airport was compromised for over nine hours, exposing persistent gaps in critical-infrastructure cybersecurity despite the 2019 National Strategy. The incident intensified civil-society demands for enforceable standards on state digital platforms.
SMEX โThousands of Hezbollah-linked pagers and walkie-talkies containing concealed explosives detonated simultaneously in Israeli Operation Grim Beeper, killing 42 people and injuring over 4,000. The first known large-scale hardware supply-chain attack highlighted Lebanon's extreme vulnerability to adversarial hardware interdiction affecting civilian infrastructure.
Wikipedia (citing Lebanese government, Reuters, CNN) โThe CoE's CyberSouth regional programme, covering Lebanon, Jordan, Morocco, and Tunisia, concluded after delivering legislative-alignment support, judicial training, and cross-border cooperation frameworks. Lebanon received technical assistance on aligning its cybercrime provisions with Budapest Convention standards, though Lebanon has not formally acceded to the Convention.
Council of Europe โUnder EU counter-terrorism support, Civipol began mapping Lebanon's public, academic, and private cybersecurity actors as groundwork for the National Cyber Security and Information System Agency envisioned in the 2019 Strategy. The NCISA remains unestablished due to Lebanon's sustained political and economic crisis.
Civipol / EU Counter-Terrorism Support โLebanon's Cabinet approved its first National Cybersecurity Strategy, setting objectives across critical-infrastructure protection, incident response, awareness, and creation of a dedicated NCISA agency under the General Secretariat of the Higher Council of Defence. The strategy was never fully executed, no agency was created and the 2019-2020 economic collapse halted implementation.
Presidency of the Council of Ministers, Lebanon โLebanese security professionals from government, industry, and academia formed Lebanon CERT as a free public-benefit body to coordinate incident response, share threat intelligence, and raise security awareness. Operating without a statutory basis, it functions as Lebanon's de facto national CERT in the absence of a government-run agency.
Lebanon CERT โParliament passed Lebanon's first personal data protection statute and primary cybersecurity-relevant law, covering data-processing obligations, electronic signatures, and cybercrime procedural provisions (Articles 72-74, 124). The law lacks a dedicated supervisory authority, assigning de facto oversight to the Ministry of Economy and Trade with limited specialist capacity; it entered into force March 2019.
Official Gazette of Lebanon (English translation) โThe global HackingTeam breach exposed that Lebanon's ISF Cybercrime Bureau had purchased and deployed commercial spyware, including exploiting mobile-app vulnerabilities, against Lebanese citizens' devices. The revelations deepened civil-society concerns about the Bureau's lack of a legal statutory basis and its use as a censorship tool against journalists and activists.
SMEX โThe Internal Security Forces created Lebanon's first dedicated cybercrime enforcement unit through Service Memorandum 204/609, not by law or legislative decree, leaving the Bureau on contested legal footing. It became the de facto cybercrime investigator but has been repeatedly criticised for targeting journalists, bloggers, and political activists rather than limiting its remit to cyber offences.
Legal Agenda โLebanon became the first Arab country to legislate a framework for communications interception, requiring judicial or ministerial authorisation capped at two-month durations. Despite forward-looking design, Cabinet implementing regulations were not adopted until 2009 and judicial oversight is widely described as nominal, creating a persistent gap between law and practice.
CYRILLA Digital Rights Law Database โLebanon - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ