You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
January 9, 2025

Myanmar Issues Cybersecurity Law

Subscribe to Updates

On January 1, 2025, Myanmar’s State Administration Council enacted Cybersecurity Law No. 1/2025, which aims to regulate various aspects of digital security and online activities. The law has not yet been implemented and will come into force on a date specified by the Myanmar president, who will also provide an official adoption and compliance timeline for individuals and organizations impacted by the new regulations.

Below are some of the key provisions, implications, and penalties under the Cybersecurity Law.

  • Extraterritorial penalties. The law contains an important provision that authorizes penalties against Myanmar citizens who are found guilty of violations, even if these occur outside the country’s borders.
  • VPN definition and regulation. Virtual private networks (VPNs) are defined by this law as specific systems that function as backup networks by using technological means in order to ensure the safety of linking networks to each other. This definition sets the framework for subsequent regulations and penalties associated with VPN usage. The law does not restrict individuals or entities from using VPNs; it regulates VPN service providers.
  • Penalties for unapproved VPN services. Establishing a VPN or providing VPN services without approval from the designated ministry (to be appointed later by the government) can result in significant penalties. For individuals, the punishment may be imprisonment for 1–6 months, a fine of MMK 1–10 million (approx. USD 476–4,760), or both, with the proceeds of the violation being confiscated. If the violator is a company or organization, the minimum fine will be MMK 10 million, and the proceeds will be confiscated.
  • Government oversight. The ministry designated by the government is authorized to investigate and take control of cybersecurity services and digital platform services for national defense and security purposes, or upon request from a government department or organization in accordance with respective laws.
  • Licensing requirements. The Cybersecurity Law introduces two types of licenses, valid for a period of 3–10 years, for (1) cybersecurity services and (2) digital platform providers. Digital platforms with over 100,000 users are required to apply for the latter license. Noncompliance with this requirement will be subject to a fine of at least MMK 100 million (approx. USD 47,600), and any proceeds resulting from the violation will be confiscated.
  • Penalties for unsolicited communications. Individuals who transmit unwanted and unsolicited messages, emails, or data via a network will be subject to imprisonment for 1–2 years, a fine of MMK 5–20 million (approx. USD 2,380–9,530), or both.
  • Penalties for cyber misuse. Engaging in cyber misuse—including the alteration, deletion, or sale of computer programs or data, as well as the unauthorized control and execution of computer systems, programs, or electronic data—will be subject to imprisonment from 6 months to 3 years, a fine of MMK 1–20 million (approx. USD 476–9,530), or both.
  • Penalties for online theft or mischief. Committing or inciting others to commit online theft or mischief using cyber resources will be subject to imprisonment for 2–7 years and the possibility of additional fines.
  • Penalties for unapproved online gambling. Operating an online gambling system without proper authorization may result in imprisonment for 6 months to 1 year, a fine of MMK 5–20 million (approx. USD 2,380–9,530), or both, with the proceeds from such activities being confiscated. If the offender is a corporation or organization, the minimum fine is MMK 20 million, and the illicit proceeds will also be confiscated. The law does not address how online gambling platforms can obtain official approval.

Myanmar’s Cybersecurity Law represents a significant step in the country’s regulation and oversight of digital security and online activities. Businesses, digital platform providers, cybersecurity service providers, and VPN providers need to understand these requirements and ensure compliance to prevent substantial penalties.

For more details on the Cybersecurity Law, or on any aspect of digital security and internet regulations in Myanmar, please contact Tilleke & Gibbins at [email protected].

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

January 6, 2025
On December 24, 2024, the government of Vietnam issued Decree No. 163/2024/ND-CP, providing guidelines for implementing the new Telecommunications Law that took effect on July 1, 2024 (“Decree 163”). This new decree replaces Decree No. 25/2011/ND-CP and its amendments (“Decree 25”) and took effect immediately upon issuance, with regulations on data center services, cloud computing services, and basic telecom services over the internet (“over-the-top” or OTT telecom services) having an official effective date of January 1, 2025. Decree 163 introduces substantial changes across the telecom sector, covering various aspects including service provision, licensing, standards and technical regulations, quality, passive infrastructure planning, dispute resolution, and more. Hence, it is necessary for enterprises to conduct a compliance review to identify gaps between the new decree and their business models, and take necessary steps to ensure lawful business operations in Vietnam. Below are some highlights of Decree 163. Expanded Scope of Services For basic telecom services, Decree 163 has introduced machine-to-machine (M2M) communication and classified it as a basic telecom service. This establishes a regulatory framework for IoT device communication, previously unregulated in Decree 25. For value-added telecom services, in light of the new Telecommunications Law, Decree 163 provides more detailed regulations for new telecom services such as data center services, cloud computing services, and OTT telecom services, which were not addressed in Decree 25. Regulation of Three New Telecom Services Expanding on the Telecommunications Law’s definitions of data center services, cloud computing services, and OTT telecom services, Decree 163 applies a light-touch management approach to regulate these three new services, as follows: Offshore providers: Cross-border service providers are exempt from signing commercial agreements with licensed local telecom companies. They only need to notify the Vietnam Telecommunications Authority (VNTA) using the prescribed procedures and forms before offering services. Onshore providers: The foreign
Read More
December 24, 2024
On November 30, 2024, the Data Law was officially promulgated after an accelerated preparation process that began in February 2024. The Data Law is set to take effect on July 1, 2025. Having extraterritorial effect, the Data Law will impact both local and foreign individuals and enterprises. As noted in our previous legal update, the Data Law governs digital data, the National Data Center, the National General Database, digital data products and services, digital data management, and the rights, obligations, and responsibilities of agencies, organizations, and individuals related to digital data activities. This legal update provides an overview of the Data Law, with a deep focus on the key provisions likely to impact businesses operating or offering services in Vietnam. New Data Definition and Classification The Data Law broadly defines “digital data” as data about objects, phenomena, and events, which can include one or a combination of audio, images, numbers, text, or symbols represented in digital format (hereinafter referred to as “data”). This definition is very broad and potentially covers any information recorded or represented in digital forms, including personal and nonpersonal data (such as business data, transactional data, trade secrets, etc.). Data is further categorized into different types that can be used by public bodies. However, the rights and obligations associated with each type of data are not clearly addressed. The data classification criteria include: The nature of data sharing (shared data, private data, open data); The importance of data (core data, important data, and other data); Any other criteria to meet the requirements of data administration, processing, and protection, as determined by the data owner. While the Data Law requires private organizations to categorize data based on its level of importance, it still grants these organizations the right to categorize data based on other criteria. Cross-Border Data
Read More
December 12, 2024
Vietnam is a world leader in blockchain adoption and growth, appearing near the top of most rankings of cryptocurrency ownership and blockchain investment. Although the country has taken a cautious approach toward cryptocurrency (banning the use of cryptocurrencies like Bitcoin as a means of payment, for example), the government actively supports blockchain technology and its applications in non-financial sectors. Recognizing blockchain as a core technology of the Fourth Industrial Revolution, as a part of Vietnam’s broader digital transformation agenda, the government issued Decision No. 1236/QD-TTg on October 22, 2024, providing the National Strategy for Blockchain Application and Development to 2025, with Orientation to 2030. Like the National Strategy on Digital Infrastructure, the National Strategy on Blockchain outlines a very ambitious vision to position Vietnam as a regional leader in blockchain technology. The strategy aims for Vietnam to master and apply blockchain across all socio-economic sectors, supporting the nation’s goal of becoming a stable and prosperous digital nation by 2030. The specific goals set for 2025 include developing Vietnam’s blockchain infrastructure and ensuring compliance with cybersecurity and data protection laws; advancing blockchain research through three national innovation centers; building and upgrading 10 facilities dedicated to blockchain research and workforce training; and expanding blockchain education by integrating it into university programs. The strategy also aims to establish at least one blockchain center, special zone, or area, as a pilot, to build a national blockchain network; and foster a blockchain ecosystem by promoting its application across sectors such as banking and finance, transportation, healthcare, education and training, commerce, logistics, postal services, industrial production, energy, tourism, agriculture, public services, and more. The goals for 2030 include strengthening Vietnam’s national blockchain infrastructure to support both domestic and international services, positioning Vietnam as a global and regional leader in blockchain research, application, and development. The
Read More
December 11, 2024
On November 30, 2024, the National Assembly of Vietnam issued a new Law on Data (“Data Law”), the first of its kind in the country. Initiated by a legislative proposal in February 2024, the Data Law underwent an accelerated preparation process and was officially promulgated just nine months later. It is worth noting that the Data Law is not the same as the Personal Data Protection Law, which is still in draft form and is expected to be submitted to the National Assembly in November 2025. The scope of application of the Data Law is broader, including not only personal data but also other types of data. The Data Law governs digital data, the National Data Center, the National General Database, digital data products and services, digital data management, and the rights, obligations, and responsibilities of agencies, organizations, and individuals related to digital data activities. Set to take effect on July 1, 2025, the Data Law is expected to have a significant impact on businesses involved in data-processing activities. Below are some key takeaways from this pivotal legislation. Cross-Border Data Transfer and Processing The Data Law recognizes and protects the freedom of cross-border data transfer and processing, as well as the legitimate rights and interests of relevant agencies, organizations, and individuals. The government is assigned the responsibility to provide detailed regulations on cross-border data transfer and processing activities, including the transfer of offshore data into Vietnam. National Data Center Resolution No. 175/NQ-CP issued by the Vietnamese government in October 2023 set out ambitious goals for a new National Data Center, which will integrate and manage human-related data from the national database, databases of ministries and central and local authorities, and other databases. The National Data Center is expected to be a core platform to provide data-related services, support policy
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice