Cybersecurity regulation in Philippines (2026)
The Philippines lacks an omnibus, NIS2-style cybersecurity law; obligations instead arise from sector-specific and cross-cutting instruments. Cybercrime is criminalized under RA 10175, personal-data breach duties flow from RA 10173 and NPC rules, and financial institutions face detailed BSP information-security and cyber-incident reporting circulars. A comprehensive Cybersecurity Act is under deliberation in Congress and has been backed as priority legislation but is not yet enacted as of 2026.
Key points
There is no single horizontal cybersecurity statute. Obligations are spread across criminal law (RA 10175), data-protection law (RA 10173), and sectoral regulators, with DICT as the lead agency under RA 10844.
RA 10175, approved 12 September 2012, criminalizes illegal access (hacking), data and system interference, device misuse, cybersquatting, computer-related fraud and related offenses; enforcement is by the NBI and PNP cybercrime units and the DOJ Office of Cybercrime.
Under the Data Privacy Act and NPC rules, controllers must notify the National Privacy Commission and affected data subjects within 72 hours of knowledge or reasonable belief of a personal-data breach involving sensitive data or a real risk of serious harm.
President Marcos Jr. adopted DICT's NCSP 2023-2028 via Executive Order No. 58, a whole-of-nation roadmap directing government agencies and GOCCs to formulate cybersecurity plans; it is a strategy, not a binding statutory obligation regime.
The Bangko Sentral ng Pilipinas imposes information-security and cyber-risk requirements on supervised financial institutions, notably Circular No. 982 (Enhanced Guidelines on Information Security Management) and Circular No. 1019 (technology and cyber-risk reporting/notification requirements).
A Cybersecurity Act is pending in Congress; it would protect critical information infrastructure (CII), require ISO/IEC 27001/22301/27701 standards, and mandate CII operators to report incidents to the NCERT with an initial report within 24 hours — but it is not yet enacted.
Timeline - major decisions & events
The Bangko Sentral ng Pilipinas (BSP) unveiled the six-year Financial Services Cyber Resilience Plan (FSCRP), directing all BSP-supervised financial institutions to adopt standardised incident-response protocols and resilience benchmarks. This followed P5.82 billion in recorded cyber losses across the financial sector in 2024.
Source: Bangko Sentral ng Pilipinas
President Marcos signed Republic Act No. 12010 (AFASA), criminalising money muling and social engineering schemes (phishing, smishing, vishing) with penalties up to 10 years imprisonment. It imposes liability on financial institutions that fail to prevent account takeovers, significantly extending cybersecurity obligations beyond RA 10175.
Source: Supreme Court E-Library (Republic Act No. 12010)
Threat actor 'Sp1d3r' claimed to have exfiltrated data on up to 32 million customers across Jollibee's brands; the National Privacy Commission confirmed approximately 11 million records were affected — including dates of birth and senior citizen IDs — making it the largest confirmed data breach in Philippine history. The NPC opened a formal investigation.
Source: Philippine News Agency (PNA)
President Marcos issued EO 58, formally adopting the NCSP 2023–2028 as the country's whole-of-nation cybersecurity roadmap and directing all national government agencies to align their own cybersecurity plans with it. The plan uses a CIANA-PS framework and designates DICT/CICC as the lead implementation body.
Source: Presidential Communications Office
The National Privacy Commission's Circular 2023-06 took effect, prescribing mandatory technical and organisational security controls for all personal information controllers and processors, including DPO designation, privacy impact assessments, and mandatory breach-response procedures; entities were given until 30 March 2025 to achieve full compliance.
Source: National Privacy Commission
The Philippine Health Insurance Corporation suffered a Medusa ransomware attack that paralysed member portals and compromised approximately 72 workstations; the attackers demanded USD 300,000 and, when unpaid, publicly leaked the database on Telegram. DICT issued a national technical advisory, and the NPC launched a self-check portal for affected members.
Source: Philippine Health Insurance Corporation
Republic Act No. 11934 required all mobile subscribers to register SIM cards with their real identities, aimed at eliminating the anonymity that enables phishing and SMS scams; telcos were given six months to implement, and unregistered SIMs were deactivated by mid-2023. The law is enforced by the National Telecommunications Commission.
Source: Official Gazette of the Republic of the Philippines
Bangko Sentral ng Pilipinas issued Circular No. 1140 mandating all BSP-supervised financial institutions to deploy robust fraud management systems to detect and prevent cyber-enabled fraud; the measure also overhauled IT Risk Management regulations and introduced the ASTERisC* suptech platform for automated cybersecurity compliance supervision.
Source: Bangko Sentral ng Pilipinas
Hackers under Anonymous Philippines defaced the Commission on Elections website; separately, LulzSec Pilipinas dumped the entire 340 GB voter database online, exposing biometric data, passport numbers, and fingerprints of 55 million registered voters — still one of the largest government data breaches in world history and a catalyst for NPC enforcement build-up.
Source: The Register
The Supreme Court (G.R. No. 203335) lifted its October 2012 TRO and upheld the core cybercrime offences under RA 10175 — illegal access, data interference, cybersex, and child pornography provisions — while striking down the online libel provision for being overbroad, giving the Cybercrime Prevention Act its final constitutional shape.
Source: Supreme Court E-Library (G.R. No. 203335)
President Aquino signed RA 10175 into law, criminalising illegal access, data and system interference, computer-related fraud, cybersex, and child pornography; it also created the Cybercrime Investigation and Coordinating Center (CICC) as the national cybersecurity coordination body and established real-time collection powers for law enforcement.
Source: Official Gazette of the Republic of the Philippines
Republic Act No. 10173 established the foundational personal-data protection regime for both the public and private sectors, created the independent National Privacy Commission (NPC) to enforce it, and set mandatory breach-notification and data-subject-rights obligations that underpin all subsequent cybersecurity compliance requirements.
Source: Official Gazette of the Republic of the Philippines
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.