Cyber Security Law 2025 Establishes a Framework for Digital Security and Governance

On January 1, 2025, the Cyber Security Law 2025 was enacted by Myanmar’s State Administration Council, providing a robust framework to address cybersecurity challenges, regulate digital platforms, and protect critical information infrastructures. Comprising 16 chapters and 88 sections, this law marks a significant step toward ensuring national security and fostering a resilient digital economy. The law will come into force on a date to be determined by a Presidential proclamation.

The legislation is designed to safeguard the secure use of cyber resources, protect national sovereignty from cyberattacks, support the development of cybersecurity services, and promote a thriving digital economy. It also introduces mechanisms for investigating and prosecuting cybercrimes while ensuring accountability across the digital ecosystem.

Licensing and Registration of Cybersecurity Services

The law mandates licensing and registration for cybersecurity service providers and digital platform operators. Section 19 specifies that licenses can range from three to ten years. Section 20 requires cybersecurity service providers to register under the Myanmar Companies Act and apply to the relevant department for a business license. Section 22 further mandates that providers seeking to continue operations must apply for license renewal at least six months before expiration.

Similarly, Section 24 requires digital platform providers with over 100,000 users in Myanmar to register under the Myanmar Companies Law and obtain the necessary approval. Renewals must be filed six months in advance as stipulated in Section 26. These requirements ensure transparency and regulatory compliance across key sectors.

Responsibilities of Digital Platform Providers

To maintain a secure digital environment, the law outlines obligations for digital platform providers. Section 31 mandates that platforms implement measures to identify and address harmful content, including fake news, child exploitation materials, incitement to violence, and activities that violate existing laws. Platforms must also manage complaints related to copyright infringement or content intended to cause social or economic harm.

Section 33 requires digital platform providers to retain user information, including personal data and usage records, for three years. Section 34 allows authorized entities to access this information upon written request, ensuring compliance with legal investigations and regulatory frameworks.

Regulation of VPN Services

Section 44 of the law regulates VPN services, mandating that anyone wishing to establish or provide VPN services within Myanmar must first obtain approval from the Ministry. This provision aims to prevent the misuse of VPNs for illegal activities or circumventing cybersecurity measures, ensuring secure and lawful internet usage.

Offenses and Penalties

The Cyber Security Law imposes strict penalties for non-compliance. Section 62 states that providing cybersecurity services without a license can result in imprisonment for one to six months, fines ranging from one to ten million kyats, or both. Companies found guilty face a minimum fine of ten million kyats.

Section 63 imposes fines of up to five million kyats for continuing operations without renewing a license. Section 64 prescribes fines of at least 100 million kyats for unregistered digital platform providers with over 100,000 users, while Section 65 imposes fines starting at 50 million kyats for failing to renew registration. Unauthorized VPN operations are penalized under Section 70, with imprisonment of one to six months or fines of one to ten million kyats. Section 71 outlines penalties for unlicensed online gambling, including imprisonment for six months to one year or fines ranging from five to twenty million kyats.

Protection of Critical Information Infrastructure

The law prioritizes the protection of critical information infrastructure across sectors such as national defense, government services, finance, healthcare, and energy. By safeguarding these essential systems, the law ensures the stability and security of Myanmar’s economic and national interests in the face of evolving digital threats.

Supporting Digital Governance

The Cyber Security Law establishes a structured and transparent approach to securing Myanmar’s digital environment. Through its emphasis on licensing, data retention, and clear obligations for service providers, it fosters accountability and trust in the nation’s cyber infrastructure. The framework supports the country’s vision for a secure digital economy while enhancing its readiness to address the challenges of the digital era.

Conclusion

The Cyber Security Law 2025 represents a pivotal advancement in Myanmar’s digital governance. By regulating cybersecurity services, safeguarding critical infrastructures, and promoting responsible online practices, the law sets the foundation for a secure and dynamic digital future. Its comprehensive approach ensures that Myanmar is well-positioned to thrive in an increasingly interconnected world.