Cybersecurity regulation in Myanmar (2026)

The law establishes a Central Cybersecurity Committee (CCC) chaired by a Vice-President, with a Steering Committee beneath it assigning duties to relevant ministries. The Ministry of Transport and Communications is the primary operational regulator.

Cybersecurity service providers and digital platform operators with more than 100,000 users in Myanmar must register under the Myanmar Companies Act and obtain a ministry-issued licence valid for 3–10 years. Foreign entities serving Myanmar users are equally covered.

Cybersecurity service providers must immediately notify the relevant Department of any detected cybersecurity anomalies and advise affected customers on preventive action. All covered organisations must submit annual cybersecurity reports to the Steering Committee and maintain an Emergency Cybersecurity Incident Monitoring and Response Team.

Sectors designated as CII — including national defence, government services, finance, healthcare, and energy — must develop cybersecurity plans, form incident-response teams, and report annually. Additional sectoral requirements can be imposed by the Steering Committee.

Digital platforms with 100,000+ Myanmar users must retain user personal data and activity logs for up to three years and disclose them to authorities on request. Platforms must also prevent dissemination of content deemed 'destabilizing' or 'misinformation', raising significant freedom-of-expression concerns.

Section 44 requires prior Ministry approval to establish or provide VPN services; unauthorised VPN use is prohibited. Penalties range from MMK 1–10 million for unlicensed cybersecurity services (plus 1–6 months imprisonment) to a minimum MMK 100 million fine for unregistered large-scale digital platforms.