Cybersecurity regulation in Pakistan (2026)

PECA 2016 is Pakistan's principal cyber statute, criminalizing unauthorized access, data interference and electronic fraud. The Prevention of Electronic Crimes (Amendment) Act 2025 (enacted 29 January 2025) replaced the FIA Cyber Crime Wing with the National Cyber Crime Investigation Agency (NCCIA), created a Digital Rights Protection Authority, and criminalized 'fake/false' information — drawing criticism over free-expression impact.

MoITT's National Cyber Security Policy 2021 aims to secure national ICT and Critical Information Infrastructure, mandate security standards, and establish CERTs/SOCs and a Cyber Governance Policy Committee. It is a strategic policy framework rather than directly enforceable legislation.

The Federal Cabinet approved the CERT Rules 2023 (notified 13 October 2023), and MoITT announced the first National Computer Emergency Response Team (PKCERT) on 12 October 2023 to monitor, coordinate and respond to cyber threats across sectors.

The State Bank of Pakistan's Enterprise Technology Governance & Risk Management Framework (BPRD Circular No. 05 of 2017) imposes binding cyber risk-management duties on financial institutions and requires reporting of established information/cyber-security breaches and major incidents to SBP within 48 hours. SBP also issued a Technology Risk Management Framework for payment institutions (2025).

There is no enacted general personal-data protection law. The draft Personal Data Protection Bill (introduced by MoITT) would require data controllers to notify the proposed National Commission for Personal Data Protection of a breach within 72 hours, but it remains unfinalized pending parliamentary approval and assent.

Reporting in 2025 indicates Pakistan is working to establish a dedicated National Cybersecurity Authority to centralize oversight, signaling that comprehensive institutional consolidation is still developing rather than fully in force.