Cybersecurity regulation in Papua New Guinea (2026)
Papua New Guinea's primary in-force instrument is the Cybercrime Code Act 2016, which criminalises unauthorised access, data interference, attacks on critical infrastructure, and related offences. A National Cybersecurity Strategy (2024) operationalises capacity-building through a national CERT (PNGCERT) and a Cybersecurity Operations Centre, while a National Data Governance & Data Protection Policy (finalised 2024) introduces breach-notification concepts but remained pending Cabinet enactment as of mid-2026. In October 2024 PNG was formally invited to accede to the Budapest Convention on Cybercrime, with the accession instrument expected to be deposited in late 2025.
Key points
The foundational statute, the Cybercrime Code Act 2016 (No. 35 of 2016, certified 13 December 2016), criminalises unauthorised system access, data interception, hacking, cyberbullying, identity theft, and computer-related fraud. It includes specific provisions protecting critical infrastructure (the national power grid, water supply, LNG plant, air services, and health systems) and amended the Evidence Act to admit electronic evidence.
Administered by the Department of Information and Communications Technology (DICT), the National Cybersecurity Strategy (2024) prioritises protecting critical infrastructure, developing PNGCERT (the national CERT), building digital forensics capabilities, enhancing incident-response reporting, and deepening partnerships with Australia, India, South Korea, and Israel. The National Cyber Security Centre was launched alongside earlier policy work.
On 9 October 2024 the Council of Europe's Committee of Ministers formally invited PNG to accede to the Convention on Cybercrime (Budapest Convention). DICT announced PNG's intent to deposit the accession instrument in late 2025, aligning domestic investigative and mutual-assistance frameworks with the treaty.
DICT finalised the National Data Governance & Data Protection Policy (v5.2, March 2024). It applies to all data controllers and processors in the public and private sectors and introduces breach-notification obligations and administrative penalties up to PGK 500,000 for serious violations. As of mid-2026 the policy was still awaiting Cabinet endorsement before progression to statute law — meaning no binding breach-notification law is yet in force.
NICTA (National Information & Communications Technology Authority) is the statutory converged ICT regulator and licensing authority; DICT sets whole-of-government digital and cybersecurity policy. PNGCERT coordinates national incident response, and PNG participates in the Pacific Cyber Security Operational Network (PaCSON) for regional threat-sharing.
In the ITU's 2024 Global Cybersecurity Index, PNG advanced from Tier 5 (2020) to Tier 3, doubling its score from 26.34 to over 58, driven by improvements in legal measures, technical measures, and organisational frameworks — placing it second in the Pacific after Vanuatu.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.