Cybersecurity regulation in Marshall Islands (2026)

PL 2025-27, enacted in 2025, is the primary national cybersecurity law. It establishes a legal framework to prioritise cybersecurity, designates and protects critical information infrastructure, and creates a national computer-emergency/incident-response team (CERT). The Ministry of Transportation and Communication is the implementing authority.

PL 2025-40 introduced substantive criminal offences for cybercrime, addressing a gap identified by the Council of Europe Octopus project, which had previously noted that the Marshall Islands lacked cybercrime legislation beyond limited interception and forgery provisions in the 2011 Criminal Code.

Before 2025, no comprehensive cybersecurity or cybercrime statute existed. The Criminal Code 2011 contained only Article 250 (unlawful interception/surveillance) and Article 224 (general forgery, not covering electronic means). Cybercrime bills had been under development since 2019 without enactment.

The Cybersecurity Act 2025 mandates an incident-response framework and CERT structure; specific breach-notification timelines for private-sector entities have not yet been confirmed in publicly available secondary commentary, and a dedicated data protection authority has not yet been established.

The Marshall Islands has been assessed as at high risk from state-sponsored cyber actors (including APT40, linked to China) targeting Pacific Island governments. Most government workers still use private email for official business, and few ministries have formal cybersecurity plans, underscoring the gap between legislative intent and operational capability.

The Marshall Islands is a member of the Pacific Cyber Security Operational Network (PICSON) and has participated in U.S. State Department cybersecurity capacity-building programmes and Japan-funded NEC Security exercises (October 2024) for Pacific Island critical-infrastructure operators.