Cybersecurity regulation in Palestine (2026)

Law by Decree No. 10 of 2018 on Cybercrime, promulgated by President Mahmoud Abbas (replacing the controversial 2017 Decree No. 16), is the main in-force cyber statute. It criminalises unauthorised access, interception, system damage and online content offences, and claims both national and extraterritorial application.

Law by Decree No. 28 of 2020 amended the 2018 Cybercrime Law; the statute remains a criminal-justice instrument rather than a risk-management/security-of-networks framework.

The law imposes duties on telecom/internet service providers: retain IT data and subscriber information (the legal database cites a minimum of 120 days) and provide it to the competent authority, and promptly notify authorities upon detecting a covered crime or any unlawful interception/wiretapping attempt.

The law establishes a specialised cybercrime unit within the police/security forces with judicial powers, and (under Article 40) allows the Attorney General, on request of security forces, to order blocking of websites threatening 'public order' or 'national security' within 24 hours — powers criticised by rights groups as overbroad.

There is no enacted general personal-data-protection statute and no general data-breach-notification duty; a Personal Data Protection draft law by decree has been circulated but not enacted. UNCTAD places Palestine among the small share of states with only draft (un-enacted) data-protection legislation.

No NIS2-style cross-sector cybersecurity law, dedicated national cybersecurity authority, or publicly documented national CERT/incident-reporting regime for operators of essential services was identified in official sources; obligations remain confined to the cybercrime statute and provider duties.