Cybersecurity regulation in Timor-Leste (2026)

Timor-Leste has not enacted a dedicated cybersecurity or cybercrime statute; the country is classified in the 'Building' (T5) tier of the ITU Global Cybersecurity Index, with notably weak technical and organizational measures.

The Ministry of Justice advanced a draft cybercrime bill in early 2025 covering unauthorised access, interception and damage to computer systems/data, computer-related forgery, and child/'revenge' pornography, alongside provisions on online content and social-media misuse.

Journalists' and civil-society groups warn the draft focuses on shielding leaders from criticism, lacks whistleblower protections, sets a low threshold for interception of communications, and imposes no limit on warrant duration — raising free-speech and privacy concerns.

There is no general personal data protection law and no statutory data-breach or incident-reporting duty; privacy rests on Constitution Articles 36–38, with a Data Protection Law reported to be in preparation.

A National Cyber Strategy and implementation plan are being developed with international support (e.g., ITU and partners), and Timor-Leste is building incident-response/CIRT capacity rather than operating an established national CERT.

E-government and ICT security functions sit with bodies such as TIC TIMOR, ANC and DDSIA under the 2017 National ICT Policy and Timor Digital 2032; Timor-Leste has engaged Australia on cybersecurity cooperation to build capacity.