Skip to content
World Watch/Lebanon/Cybersecurity

Cybersecurity ยท Lebanon

Cybersecurity law & regulation in Lebanon (2026)

Sectoral rulesLaw No. 81/2018 on Electronic Transactions and Personal Data; 2019 National Cybersecurity Strategy; Telecommunications Regulatory Authority (TRA); National Cybersecurity Committee (Resolution 173)Country index 64 ยท C+

Lebanon shaded by its cybersecurity status

Cybersecurity in Lebanon: sectoral rules, anchored by Law No. 81/2018 on Electronic Transactions and Personal Data; 2019 National Cybersecurity Strategy; Telecommunications Regulatory Authority (TRA); National Cybersecurity Committee (Resolution 173).

Lebanon lacks a comprehensive standalone cybersecurity law. Its regime rests on the 2018 Electronic Transactions and Personal Data Law (Law 81/2018), a 2019 National Cybersecurity Strategy that has been only partially implemented, and sector-level oversight by the Telecommunications Regulatory Authority (TRA). Enforcement is severely hampered by the country's prolonged political and economic crisis, and a proposed National Cyber Security and Information System Agency (NCISA) has not yet been formally established.

Key points

Law 81/2018, E-Transactions & Data Protection

Enacted October 2018, Law No. 81 combines electronic-transactions recognition with data-protection principles (purpose limitation, lawfulness, security) and requires data controllers to notify authorities of breaches. The Ministry of Economy and Trade is the designated enforcement authority, but practical enforcement remains minimal.

Cybercrime Bureau & Law

Lebanon criminalises hacking, unauthorised access, fraud, identity theft, and dissemination of malicious software. The Cybercrime and Intellectual Property Rights Bureau (est. 2006 under the Internal Security Forces) handles enforcement, though its legal basis, a memorandum of service rather than a formal law or decree, is contested.

2019 National Cybersecurity Strategy

Adopted by the Council of Ministers on 30 August 2019, the strategy set objectives through 2022 and proposed a National Cyber Security and Information System Agency (NCISA) under the Higher Council of Defense. As of 2025-2026 the NCISA has not been formally created and core strategy targets remain unimplemented.

TRA Sector-Level Cybersecurity Oversight

The Telecommunications Regulatory Authority (TRA) acts as the principal cybersecurity body for the telecom sector, publishing guidance and coordinating incident response for licensed operators. The TRA maintains a dedicated cybersecurity portal but no general cross-sector mandatory incident-reporting framework is in force.

Lebanon CERT & National Committee

A voluntary Lebanon CERT was launched in 2019 by private-sector security experts and coordinates with ISPs, law enforcement, and international bodies. A National Cybersecurity Committee was formalised by Resolution 173 under the Prime Minister's authority, with a National Cybersecurity Coordinator appointed under Resolution 172.

International Alignment & Gaps

Lebanon is a participant in the Council of Europe's Octopus/CyberSouth programme working toward Budapest Convention alignment, and is a signatory to the Paris Call. The 2024 ISOC Country Report scored Lebanon only 30.44/100 on cybersecurity readiness, reflecting absent cross-sector breach-notification duties, weak enforcement, and no NIS2-equivalent critical-infrastructure regime.

Timeline - major decisions & events

Oct 6, 2025decision
Telecommunications Regulatory Authority (TRA) Revived After 13-Year Dormancy

Minister of Telecommunications Charles Hajj relaunched the TRA with Jenny Gemayel as new chair, restoring Lebanon's independent telecoms regulator and its mandate to define rules for security, data sovereignty, and sector licensing. The revival is a prerequisite for any enforceable sector-level cybersecurity regulation.

The Beiruter โ†—
Jun 1, 2025incident
Beirut Airport Meteorological Department Website Hijacked for Nine-Plus Hours

The website of the Meteorological Department at Beirut-Rafic Hariri International Airport was compromised for over nine hours, exposing persistent gaps in critical-infrastructure cybersecurity despite the 2019 National Strategy. The incident intensified civil-society demands for enforceable standards on state digital platforms.

SMEX โ†—
Sep 17, 2024incident
Weaponised Pager and Walkie-Talkie Supply-Chain Attack Across Lebanon

Thousands of Hezbollah-linked pagers and walkie-talkies containing concealed explosives detonated simultaneously in Israeli Operation Grim Beeper, killing 42 people and injuring over 4,000. The first known large-scale hardware supply-chain attack highlighted Lebanon's extreme vulnerability to adversarial hardware interdiction affecting civilian infrastructure.

Wikipedia (citing Lebanese government, Reuters, CNN) โ†—
Dec 14, 2023guidanceofficial
Council of Europe CyberSouth Programme Closes, Capping EU-CoE Capacity-Building in Lebanon

The CoE's CyberSouth regional programme, covering Lebanon, Jordan, Morocco, and Tunisia, concluded after delivering legislative-alignment support, judicial training, and cross-border cooperation frameworks. Lebanon received technical assistance on aligning its cybercrime provisions with Budapest Convention standards, though Lebanon has not formally acceded to the Convention.

Council of Europe โ†—
Nov 1, 2022guidance
EU/Civipol Launches Ecosystem Mapping for Proposed National Cybersecurity Agency (NCISA)

Under EU counter-terrorism support, Civipol began mapping Lebanon's public, academic, and private cybersecurity actors as groundwork for the National Cyber Security and Information System Agency envisioned in the 2019 Strategy. The NCISA remains unestablished due to Lebanon's sustained political and economic crisis.

Civipol / EU Counter-Terrorism Support โ†—
Aug 30, 2019lawofficial
National Cybersecurity Strategy 2019-2022 Adopted by Council of Ministers

Lebanon's Cabinet approved its first National Cybersecurity Strategy, setting objectives across critical-infrastructure protection, incident response, awareness, and creation of a dedicated NCISA agency under the General Secretariat of the Higher Council of Defence. The strategy was never fully executed, no agency was created and the 2019-2020 economic collapse halted implementation.

Presidency of the Council of Ministers, Lebanon โ†—
Jan 1, 2019decision
Lebanon CERT Established by Volunteer Security Community

Lebanese security professionals from government, industry, and academia formed Lebanon CERT as a free public-benefit body to coordinate incident response, share threat intelligence, and raise security awareness. Operating without a statutory basis, it functions as Lebanon's de facto national CERT in the absence of a government-run agency.

Lebanon CERT โ†—
Oct 10, 2018lawofficial
Law 81/2018 on Electronic Transactions and Personal Data Enacted

Parliament passed Lebanon's first personal data protection statute and primary cybersecurity-relevant law, covering data-processing obligations, electronic signatures, and cybercrime procedural provisions (Articles 72-74, 124). The law lacks a dedicated supervisory authority, assigning de facto oversight to the Ministry of Economy and Trade with limited specialist capacity; it entered into force March 2019.

Official Gazette of Lebanon (English translation) โ†—
Jul 28, 2015incident
HackingTeam Leaks Reveal ISF Cybercrime Bureau Conducted Mass Mobile Surveillance

The global HackingTeam breach exposed that Lebanon's ISF Cybercrime Bureau had purchased and deployed commercial spyware, including exploiting mobile-app vulnerabilities, against Lebanese citizens' devices. The revelations deepened civil-society concerns about the Bureau's lack of a legal statutory basis and its use as a censorship tool against journalists and activists.

SMEX โ†—
Mar 8, 2006decision
ISF Cybercrime and Intellectual Property Rights Bureau Established via Service Memorandum

The Internal Security Forces created Lebanon's first dedicated cybercrime enforcement unit through Service Memorandum 204/609, not by law or legislative decree, leaving the Bureau on contested legal footing. It became the de facto cybercrime investigator but has been repeatedly criticised for targeting journalists, bloggers, and political activists rather than limiting its remit to cyber offences.

Legal Agenda โ†—
Dec 27, 1999law
Law 140/1999, Telecommunications Interception Act Enacted

Lebanon became the first Arab country to legislate a framework for communications interception, requiring judicial or ministerial authorisation capped at two-month durations. Despite forward-looking design, Cabinet implementing regulations were not adopted until 2009 and judicial oversight is widely described as nominal, creating a persistent gap between law and practice.

CYRILLA Digital Rights Law Database โ†—

Lebanon - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’