Frequently Asked Questions

Source-verified answers to real questions IT professionals ask about Pakistan regulations.

Short answer: Yes — within 24 hours
Yes, NCERT (National Cyber Emergency Response Team) requires reporting of significant cyber incidents within 24 hours.
Short answer: No — freelancers can operate as sole proprietors with just an NTN. SMC registration is optional (Rs 2,500).
SECP company registration is NOT mandatory for freelancers operating as sole proprietors. You can operate as an individual with just an NTN from FBR. However, if you want limited liability protection or plan to scale, you can register as a Single Member Company (SMC) for Rs 2,500. Benefits of SMC: limited liability, separate legal entity, easier to open corporate bank accounts, PSEB registration. Most freelancers start with sole proprietorship (NTN only) and register with PSEB for the 0.25% WHT benefit, then upgrade to SMC as they grow.
Short answer: Register at pseb.org.pk. Rs 10,000 (company) or Rs 5,000 (freelancer). Get certificate in 2-4 weeks. Present to bank for 0.25% rate.
Step-by-step PSEB registration for the reduced WHT rate: (1) Check eligibility — you must be an IT/ITeS company or freelancer; (2) Prepare documents — SECP certificate (or CNIC for freelancer), NTN, bank statement, project portfolio; (3) Submit online application at pseb.org.pk or techdestination.com; (4) Pay registration fee — Rs 10,000 for companies, Rs 5,000 for freelancers; (5) PSEB reviews application (2-4 weeks); (6) Receive PSEB registration certificate; (7) Present certificate to your bank for 0.25% WHT deduction; (8) File quarterly export reports to maintain active status; (9) Renew annually (Rs 5,000 companies, Rs 2,500 freelancers).
Short answer: SBP Cyber Shield (Mar 2026) applies to banking sector IT vendors. Zero Trust Architecture required by 2028. It sets the cybersecurity standard for all IT companies.
SBP Cyber Shield (CRMD CL 01/2026) was launched in March 2026 and applies to ALL Banks, MFBs, DFIs, EMIs, PSPs, PSOs, and Digital Banks. If your IT company provides services to any SBP-regulated entity, you must comply with its requirements: (1) Tiered cybersecurity investment framework; (2) Mandatory simulation exercises; (3) Zero Trust Architecture roadmap by 2028; (4) FinCERT integration for incident reporting; (5) Penetration testing and vulnerability assessment. Even if you do not serve banks directly, SBP Cyber Shield sets the standard that regulators expect across all IT companies.
Short answer: Report to FIA NR3C (nr3c.fia.gov.pk or 1991), NCCIA, or NCERT (pkcert.gov.pk). PECA 2016 applies. Report within 24 hours.
To report a cybercrime in Pakistan: (1) FIA NR3C (National Response Center for Cybercrime) at nr3c.fia.gov.pk or hotline 1991; (2) NCCIA (National Cyber Crime Investigation Agency, independent since Sep 2025) — accepted as separate from FIA; (3) PTA complaint portal for telecom-related cybercrime; (4) SBP (if banking-related) through your bank's cyber incident response team. Under PECA 2016, organizations must report cyber incidents. For IT companies: report data breaches to NCERT within 24 hours at pkcert.gov.pk. Keep forensic evidence. Key sections: PECA Section 3 (unauthorized access, up to 3 years), Section 21 (cyber stalking), Section 24 (cyber terrorism, up to 14 years).
Short answer: SECP → NTN → PSEB → Bank → Provincial → EOBI/SESSI = minimum compliance. ~Rs 20,000-50,000 total.
Complete compliance checklist for a new IT startup: (1) SECP company registration via eZfile (Rs 2,500 for SMC); (2) FBR NTN registration on IRIS (free); (3) Sales tax registration if applicable; (4) PSEB IT registration (Rs 10,000 for 0.25% WHT); (5) Open corporate bank account; (6) Provincial sales tax registration (SRB/PRA/KPRA/BRA for 0% IT rate); (7) EOBI registration if 5+ employees (5% + 1%); (8) SESSI/PESSI registration if 5+ employees (6%); (9) Annual FBR tax return (deadline Sep 30); (10) PSEB quarterly export reports; (11) Monthly WHT returns (by 15th); (12) SECP annual return and audit (if required).
Short answer: PECA covers unauthorized access, cyber terrorism, fraud, stalking, spoofing; report violations to FIA NR3C
Prevention of Electronic Crimes Act 2016 (PECA) covers: (1) Unauthorized access to information systems (Section 3, up to 3 months / fine); (2) Unauthorized copying of data (Section 4, up to 6 months / fine); (3) Cyber terrorism (Section 6, up to 14 years / fine); (4) Electronic fraud (Section 14, up to 2 years); (5) Cyber stalking (Section 24, up to 3 years); (6) Spamming (Section 22, up to 3 months / fine); (7) Spoofing (Section 17, up to 3 years); (8) Identity theft (Section 18, up to 3 years). Report cybercrime to NR3C at nr3c.fia.gov.pk.
Short answer: PTA rules apply to ISPs/telecom; all IT companies should get ISO 27001 and report breaches
PTA cybersecurity requirements primarily apply to telecom licensees and ISPs, not general IT companies. However, if your IT company: (1) Operates as an ISP or telecom service provider — must comply with PTA Cyber Security Strategy 2023-2028; (2) Handles critical telecom data — must comply with Critical Telecom Data Regulations; (3) Registers IP/VPN — must use ipregistration.pta.gov.pk. For all IT companies: (1) Get ISO 27001 certification (strongly recommended); (2) Report data breaches per PTA guidelines; (3) If serving banks, comply with SBP Cyber Shield (BPRD CRMD CL 01/2026).
Short answer: Creates Pakistan Digital Authority with data protection, digital identity, and AI governance mandates
The Digital Nation Pakistan Bill 2025 was approved by both Houses of Parliament and creates the Pakistan Digital Authority (Chair: Dr. Sohail Munir). Key provisions: (1) National digital governance framework; (2) Digital identity and authentication standards; (3) Data protection and privacy requirements; (4) E-government services mandate; (5) Digital economy promotion; (6) AI governance structure. For IT companies: this will create new compliance requirements for data handling, digital identity services, and participation in e-government platforms.
Digital Nation Pakistan Bill 2025; AI Policy 2025
Short answer: FBR returns, provincial ST returns, SECP annual return, EOBI, social security, PSEB renewal
Annual compliance checklist for Pakistan IT companies: (1) FBR: Income tax return (Sept 30), monthly withholding statements (Section 165), quarterly/biannual advance tax; (2) Provincial Revenue Board: Quarterly 0% sales tax returns; (3) SECP: Annual return (Form 29, Form A within 30 days of AGM), AGM within 120 days of year-end; (4) EOBI: Monthly contribution (6% employer + 1% employee of minimum wages); (5) Social Security: Monthly/quarterly (SESSI/PESSI); (6) PSEB: Annual renewal; (7) Workers' Welfare Fund: If employees >= 20; (8) Provincial Labor Department: Annual return; (9) NADRA: Employee CNIC verification.
Short answer: No enacted data protection law yet; PDPB in draft since 2020; adopt ISO 27001 and GDPR proactively
As of April 2026, Pakistan does not have a comprehensive enacted data protection law. The Personal Data Protection Bill (PDPB) has been in draft since 2020 and is still under review. Key points: (1) No specific data protection law currently enforceable; (2) PECA 2016 provides some protections for unauthorized data access; (3) SBP has data security guidelines for banking clients; (4) PTA has data protection requirements for telecom licensees; (5) If serving EU clients, GDPR compliance is still required; (6) The Digital Nation Pakistan Bill 2025 may include data protection provisions. Recommended: adopt ISO 27001 and GDPR-compliant practices proactively.