Cybersecurity regulation in Libya (2026)
Libya's cybersecurity regime rests primarily on a 2022 criminal cybercrime statute (Law No. 5/2022) that defines offences and penalties for unauthorised system access and electronic misconduct, alongside Law No. 6/2022 on electronic transactions. A 2024 ministerial decision introduced a licensing requirement for cybersecurity service providers overseen by NISSA, but there is no comprehensive positive-obligation cybersecurity law, no statutory breach-notification regime, and no national cybersecurity strategy yet in force.
Key points
Enacted by the House of Representatives and officially published on 27 September 2022, Law No. 5/2022 criminalises unauthorised access, system disruption, and electronic fraud, with penalties ranging from fines and up to one year's imprisonment for basic offences to heavier sentences for aggravated acts. It applies extraterritorially where effects occur in Libya.
Issued by the Minister of Economy and Trade in 2024, the ministerial decision requires companies and individuals providing cybersecurity services to obtain a Practicing Permit from NISSA. Commercial licence renewal is conditional on holding a valid permit; existing operators were given a six-month compliance window.
The National Information Security and Safety Authority (NISSA) was established by Decree No. 28 of 22 January 2013. Its standards, policies, and decisions are binding on all ministries and government entities. NISSA hosts Libya-CERT (the national computer emergency response team), which is responsible for prevention, detection, and mitigation of cyber threats.
As of 2025–2026, Libya has no statutory requirement for organisations to notify authorities or affected individuals following a data breach or cyber incident. DLA Piper's Data Protection Laws of the World confirms the absence of any breach-notification mandate.
Libya lacks a dedicated data protection statute and has not adopted a published national cybersecurity strategy. NISSA is mandated to develop such a strategy in coordination with the Ministry of Communications and Informatics, but it had not been formally adopted as of the latest available reporting.
The Libyan Technology Foundation identified the absence of critical infrastructure attack provisions as a significant gap in Law No. 5/2022. Separately, Access Now, Human Rights Watch, and ARTICLE 19 have called for repeal or major revision of the law, citing broadly worded offences used against journalists and activists.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.