Cybersecurity regulation in Oman (2026)

Royal Decree No. 52/2017 establishes primary cybersecurity obligations applicable across government and private-sector information systems, requiring protection of critical digital infrastructure and compliance with national cybersecurity standards set by MTCIT.

Royal Decree No. 64/2020 established the CDC as the central national cybersecurity oversight authority, reporting to the Internal Security Service. All stakeholders are legally obliged to immediately notify the CDC of any real or potential cybersecurity threat or breach, extending to operators of critical infrastructure, essential services, digital service providers, and government institutions.

The PDPL entered full legal force on 5 February 2026 after a four-year adaptation period. It mandates data breach notification to the National Cyber Governance and Assurance Affairs (NCGAA) and affected individuals within 72 hours. Ministerial Decision No. 34/2024 further requires DPO appointment and external auditors for processors handling sensitive data.

Royal Decree No. 12/2011 criminalises unauthorised access to IT systems, data destruction, network disruption, cyberterrorism, electronic fraud, and credit card misuse. It applies to public and private actors and constitutes the primary enforcement instrument against cyber offenders.

MTCIT issues mandatory Cybersecurity Governance Guidelines for public entities and operates the National Center for Information Security (NCIS). In the first nine months of 2024, NCIS handled 136 cybersecurity incidents and issued 25 security alerts. OCERT provides incident-response coordination and public awareness.

The Authority for Public Services Regulation has issued dedicated Cyber Security Standards for electricity and water providers, including ICS/SCADA protections. Oman's national cybersecurity strategy, aligned with Vision 2040, targets top-10 global cybersecurity readiness and guides enhanced protections for critical infrastructure operators across all regulated sectors.