Cybersecurity regulation in Syria (2026)

Issued 18 April 2022 (effective May 2022), it repealed the 2012 cybercrime law and criminalizes a broad range of online conduct, including defamation and acts deemed against state security, with penalties up to 15 years' imprisonment. It is a criminal-law/surveillance instrument rather than a framework imposing protective security duties on entities.

Under Law No. 20/2022, ISPs, telecom operators, web hosts, and application service providers must retain user data and copies of exchanged content and hand them to authorities on request; non-compliance carries imprisonment and fines. This functions more as a surveillance mandate than a cyber-resilience obligation.

The Electronic Personal Data Protection Law No. 12 of 2024 regulates the collection, processing, use, and transfer of personal data, with penalties up to ~12 million SYP and up to three years' imprisonment. It addresses data confidentiality but does not establish a clear personal-data breach-notification regime.

Responsibility for monitoring cyber matters sits with the National Agency for Network Services (NANS), which operates CERT Syria, the recognized national Computer Emergency Response Team. There is no separate NIS2-style competent authority supervising operators of essential services.

There is no comprehensive mandatory cyber-incident/breach-notification framework for operators; enforcement capacity is limited, with the cybercrime investigative unit reported as largely nonfunctional and most complaints routed to police lacking technical capability.

Following the December 2024 fall of the Assad government, the transitional administration is reconstructing cyber institutions—including a July 2025 cooperation agreement with Saudi firm Cypher to build a national cyber body and a digital-transformation strategy to 2030—while civil-society and judicial actors push to reform the repressive 2022 cybercrime law. No new comprehensive cybersecurity law is yet enacted.