20 March 2025

On 1 January 2025, Myanmar enacted Cybersecurity Law No. 1/2025 (“Law”), which regulates the digital space, including digital communications, and seeks to support the development of the digital economy based on secure cyber resources. The Law has yet to come into effect. Its effective date will be announced in a notification by the President’s Office.

This article provides an overview of the Law.

Overview

The Law states its objectives as the following:

  • Ensuring the safe and secure use of cyber resources, critical information infrastructures (“CII”), and electronic information;
  • Protecting and safeguarding the sovereignty and stability of the State from cybersecurity threats, cyberattacks, or cyber abuse using electronic technologies;
  • Systematically developing cybersecurity services;
  • Effectively investigating and prosecuting cybercrimes; and
  • Supporting a digital economy based on cyber resources.

“Cybersecurity” is defined as the protection of information, cyber resources or electronic information from unauthorised access, disclosure, transmission, distribution, use, interference, modification or destruction, or of critical information infrastructure from unauthorised use, disruption, modification, destruction, and attempts to do so.

The Law has extraterritorial reach, providing that any Myanmar citizen residing abroad who commits an offence under the Law remains within its remit and will be subject to the penalties set out therein.

A Cybersecurity Central Committee (“CCC”) will be established to implement the Law’s stated objectives. The CCC will further establish a Steering Committee which will in turn assign tasks and responsibilities to relevant Ministries.

Critical information infrastructures (CII)

The Law defines CII as electronic information infrastructures relating to national defence and security, the electronic government service system, finance, transportation, telecommunications, health, electricity and energy, and other such infrastructure as may be determined by the CCC.

“Electronic information” is defined as information created, transmitted, received or stored with electronic technology, including fax and e-mail, electromagnetic wave technology or any other technology.

The CCC shall direct the relevant government departments to develop cybersecurity plans for CII, establish cybersecurity incident response teams, appoint a person to be responsible for the management and maintenance of CII, and submit a cybersecurity report to the Steering Committee established by the CCC on an annual basis.

Licensing and registration

The Law provides for licensing and registration for cybersecurity service providers and digital platform service providers as set out below.

The Law defines “cybersecurity services” as services using cyber resources or similar technology and related equipment or other services determined by the relevant Ministry. Persons or organisations providing cybersecurity services are required to be licensed as a cybersecurity service provider. To be eligible to provide cybersecurity services, a provider must be a company registered in accordance with the Myanmar Companies Law (“MCL”).

The Law defines “digital platform services” as services that enable their users to display, transmit, distribute or use information online using cyber resources or similar technology and related equipment. Digital platform providers with 100,000 or more users in Myanmar must be a company registered in accordance with the MCL and must apply for registration under the Law.

The licence and registration for providers of both cybersecurity and digital platform services will be valid for a minimum of three years to a maximum of 10 years. Both types of providers must apply for a renewal of their licence or registration six months prior to the expiration of the licence or registration period.

Service providers that do not comply with licensing and registration requirements will be subject to a fine of at least MMK100 million and any proceeds resulting from the violation will be confiscated.

Digital platform service providers

Digital platform service providers are required to have adequate measures in place to identify relevant information and cyber resources in the event of certain circumstances, including where information on their service “disrupts unity”, is “false news”, or is information not suitable for public viewing.

The service provider must retain data of users of its service including personal information and usage records for three years, and disclose it to the relevant authorities if requested in writing pursuant to this Law.

VPN service providers

The Law defines a virtual private network (“VPN”) as a system that is set up as a separate network within the original network using specific technology to ensure security when connecting to a network.

VPN service providers must obtain permission to establish a VPN or provide VPN services within the national cyberspace. Failure to do so will result in the following penalties:

  • If an individual: Imprisonment for a term of not less than one month and not more than six months, or a fine of not less than MMK1,000,000 and not more than MMK10,000,000, or both. The evidence relating to the case shall be confiscated as property of the State; and
  • If a company or organisation: A fine of not less than MMK10,000,000. The evidence relating to the case shall be confiscated as property of the State.

Seizing of cyber resources

The Law allows for the seizure and analysis in a digital laboratory of cyber resources from individuals who are believed to be implicated in any cybersecurity threat, cyberattack or cyber abuse incident. It is noted that support will be provided as necessary to companies and organisations providing telecommunications services according to the Telecommunications Law for conducting data analyses and dispatches to a digital laboratory for examination. A digital laboratory is a technology-assisted laboratory that can identify, retrieve, process, analyse and report data stored electronically.

The relevant Ministry is further empowered to temporarily suspend digital platform services or electronic information, temporarily control materials relating to digital platform services and close digital platform services or declare them unfit for public use.

Penalties

The Law sets out penalties for unsolicited communications, cyber misuse, online theft or mischief, and unapproved online gambling. The penalties for these offences include imprisonment (the maximum stipulated is a term of seven years for online theft or mischief) and fines (the maximum prescribed is MMK20 million). With regard to unapproved online gambling, the Law provides that if the offender is a corporation or organisation, the minimum fine is MMK20 million and the illicit proceeds will also be confiscated. The Law does not specify how online gambling platforms can obtain official approval.