Cybersecurity · Philippines

Sectoral rules

No single comprehensive cybersecurity statute is yet in force. The regime is a patchwork: the Cybercrime Prevention Act (RA 10175), the Data Privacy Act (RA 10173) administered by the National Privacy Commission, sector-specific rules from the Bangko Sentral ng Pilipinas (BSP) for financial institutions, and the policy-level National Cybersecurity Plan 2023-2028 (adopted by Executive Order No. 58), coordinated by the Department of Information and Communications Technology (DICT). A comprehensive Cybersecurity Act bill remains pending in Congress.

The Philippines lacks an omnibus, NIS2-style cybersecurity law; obligations instead arise from sector-specific and cross-cutting instruments. Cybercrime is criminalized under RA 10175, personal-data breach duties flow from RA 10173 and NPC rules, and financial institutions face detailed BSP information-security and cyber-incident reporting circulars. A comprehensive Cybersecurity Act is under deliberation in Congress and has been backed as priority legislation but is not yet enacted as of 2026.

No omnibus law (sectoral regime)

There is no single horizontal cybersecurity statute. Obligations are spread across criminal law (RA 10175), data-protection law (RA 10173), and sectoral regulators, with DICT as the lead agency under RA 10844.

Cybercrime Prevention Act (RA 10175)

Approved 12 September 2012, it criminalizes illegal access (hacking), data and system interference, device misuse, cybersquatting, computer-related fraud and related offenses; enforcement is by the NBI and PNP cybercrime units and the DOJ Office of Cybercrime.

Data-breach notification (RA 10173 / NPC)

Under the Data Privacy Act and NPC rules, controllers must notify the National Privacy Commission and affected data subjects within 72 hours of knowledge or reasonable belief of a personal-data breach involving sensitive data or a real risk of serious harm.

National Cybersecurity Plan 2023-2028 (policy)

President Marcos Jr. adopted DICT's NCSP 2023-2028 via Executive Order No. 58, a whole-of-nation roadmap directing government agencies and GOCCs to formulate cybersecurity plans; it is a strategy, not a binding statutory obligation regime.

Financial-sector cyber rules (BSP)

The Bangko Sentral ng Pilipinas imposes information-security and cyber-risk requirements on supervised financial institutions, notably Circular No. 982 (Enhanced Guidelines on Information Security Management) and Circular No. 1019 (technology and cyber-risk reporting/notification requirements).

Comprehensive Cybersecurity Act (proposed)

A Cybersecurity Act is pending in Congress; it would protect critical information infrastructure (CII), require ISO/IEC 27001/22301/27701 standards, and mandate CII operators to report incidents to the NCERT with an initial report within 24 hours — but it is not yet enacted.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.