Cybersecurity · Qatar
Qatar does not yet have a single comprehensive NIS2-style cybersecurity statute; instead, cybersecurity obligations flow from the NCSA's mandate (Emiri Decree No. 1 of 2021) to issue and enforce binding standards and frameworks, applied to government agencies and critical infrastructure, alongside a data-protection law and a cybercrime law. The NCSA centralizes policy, regulation, certification/licensing and incident coordination, and in 2024 launched a National Cybersecurity Strategy 2024–2030 whose pillars include further legislation and law enforcement of cyberspace. Breach and incident reporting duties exist via the PDPPL (72-hour personal-data breach notification) and sector/critical-infrastructure incident-reporting requirements coordinated by the NCSA.
The National Cyber Security Agency was established by Emiri Decree No. (1) of 2021 under the Prime Minister, with authority to propose legislation, issue cybersecurity policies/standards, supervise and protect national critical infrastructure, and monitor compliance.
The National Information Assurance (NIA) Standard (v2.1, updated from Policy v2.0) sets a national data-classification methodology and baseline security controls across 26 domains; designated baseline controls are mandatory and agencies are audited annually for compliance.
Under the Personal Data Privacy Protection Law (Law No. 13 of 2016) and NCSA guidelines, controllers must notify the Competent Department of security incidents — guidelines set a 72-hour window from detection — with administrative fines up to QAR 1–5 million; the NCSA's National Cyber Governance and Assurance Affairs acts as the supervisory authority.
Critical infrastructure operators are subject to NCSA cybersecurity standards, incident-reporting duties and periodic assessments; in February 2025 Qatar launched a National Incident Management Framework (seven elements covering detection, investigation, strategic response, recovery and review) to coordinate response to nationally significant cyber incidents.
Launched in September 2024, the National Cybersecurity Strategy 2024–2030 is built on five pillars including 'legislation, regulation and law-enforcement of cyberspace,' signalling that a fuller legislative framework is still being developed beyond current standards and frameworks.
The Cybercrime Prevention Law (Law No. 14 of 2014), overseen by the Ministry of Interior, criminalizes unauthorized access, online fraud and identity theft; separately the NCSA has moved to license and accredit cybersecurity service providers (including penetration-testing accreditation) under its compliance framework.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.