The Pakistan Electronic Crimes Act 2016 criminalizes unauthorized access, data theft, and cyber terrorism. All IT companies must comply with data protection and incident reporting requirements.

The Prevention of Electronic Crimes Act 2016 (PECA 2016) is Pakistan's primary cybercrime law. For IT companies, key sections: Section 3 — Unauthorized access to information systems (up to 3 months imprisonment, Rs 50,000 fine, or 3 years for critical infrastructure); Section 4 — Unauthorized copying of data (up to 6 months, Rs 100,000); Section 5 — Glorification of offenses (up to 5 years); Section 21 — Cyber stalking (up to 3 years); Section 24 — Cyber terrorism (up to 14 years or death). IT companies MUST: report cyber incidents to NCERT (pkcert.gov.pk) within 24 hours, implement data protection measures, and comply with SBP Cyber Shield (March 2026) if handling financial data.

The top SROs affecting IT companies: (1) SRO 981(I)/2015 — Zero-rates IT services from sales tax across all provinces; (2) Section 154/152A ITO 2001 — 0.25% WHT on IT exports (PSEB-registered), 1% non-PSEB; (3) Finance Act 2024 — WITHDREW Clause 133 (old 100% exemption), now 0.25%/1% final tax applies; (4) SRO 545(I)/2026 — Social media taxation (new Chapter VA & IIA in ITO); (5) SRO 546(I)/2026 — Social media income taxation for platforms; (6) SRO 1366(I)/2025 — Exemption from Digital Presence Proceeds Tax; (7) SRO 288(I)/2026 — Online integration of businesses; (8) SRO 540(I)/2018 — Customs duty exemption for IT equipment.

Common structures: (1) Private Limited Company (most popular): 2+ directors, limited liability, SECP registration at leap.secp.gov.pk, corporate tax rate 29%; (2) Single Member Company: 1 person, limited liability, simpler compliance; (3) Sole Proprietorship: simplest, no SECP registration, unlimited personal liability, individual tax slab rates; (4) Partnership: 2+ partners, no limited liability. For IT exporters, Pvt Ltd is strongly recommended: limited liability protects personal assets, PSEB registration is smoother, international credibility is higher, banking channels prefer corporate entities, venture capital requires corporate structure.

Pakistan IP protection for software: (1) Copyright: Software is protected under Copyright Ordinance 1962 (amended 2000). Registration at ipo.gov.pk is not mandatory but recommended for evidence. Protection lasts 50+ years from creation. (2) Trademark: Register business name/logo at ipo.gov.pk under Trade Marks Ordinance 2001. (3) Patent: Software per se is NOT patentable, but software combined with hardware may be. (4) Trade secrets: No specific law, but PECA 2016 provides some protection. Practical steps: use NDAs with employees and clients, register copyrights, trademark your brand, include IP clauses in all contracts.

Filing penalties under ITO 2001: (1) Section 182: Late filing penalty — Rs. 1,000/day for individuals, higher for companies (can accumulate significantly); (2) Section 182A: Additional penalty for non-compliance; (3) Default surcharge under Section 205: 12% per annum on unpaid tax; (4) Section 173: Penalty for incorrect return (up to 25% of understated tax); (5) Section 197: Concealment penalty (100-200% of evaded tax); (6) Non-filer penalties: Higher WHT rates everywhere. Recommendation: File on time even if estimated return, then revise.

Companies Act 2017 is Pakistan's primary corporate law. Key provisions for IT companies: (1) Minimum 2 directors for Pvt Ltd; (2) Annual return (Form 29) due 30 days after AGM; (3) AGM within 120 days of financial year-end; (4) Maintain statutory registers (members, directors, charges); (5) File changes with SECP within prescribed time; (6) Audit requirement for companies with paid-up capital > Rs. 3M; (7) SRO 201(I)/2024: Companies Regulations 2024 updated e-filing requirements. Use SECP eZfile (leap.secp.gov.pk) for all filings.

Steps: (1) Contain the breach — isolate affected systems; (2) Document everything — timestamps, screenshots, logs, affected data; (3) Report to NR3C (FIA) at nr3c.fia.gov.pk within 24 hours; (4) Report to PTA if telecom/network involved; (5) Report to SBP if banking data involved (per Cyber Shield BPRD CL 01/2026); (6) Notify affected customers per PECA 2016 requirements; (7) Preserve digital evidence for minimum 90 days; (8) Engage forensics if needed (National Forensics Agency at nfa.gov.pk); (9) File FIR under PECA 2016 Sections 3-21. PECA penalties range from 3 months to 14 years imprisonment + fines.