PECA 2016, PDPB, NCCIA & FIA Cyber Crime Framework
PECA 2016, SBP Cyber Shield, PTA CS Strategy, NCCIA guidelines
Complete guide to Pakistan's cyber laws, data protection requirements, and compliance for IT companies
Act No. XL of 2016 — Pakistan's primary cybercrime legislation. Amended via PECA Amendment Act 2025 (passed by Senate, January 2025).
| Section | Offense | Max Penalty | IT Company Risk |
|---|---|---|---|
| §3 | Unauthorized access to information system | 3 months, fine | Medium |
| §4 | Unauthorized copying of data | 6 months, fine | High |
| §5 | Interference with information system | 2 years, PKR 500K | High |
| §6 | Glitch/copying smart card or device | 6 months, fine | Medium |
| §7 | Unauthorized access to critical infrastructure | 5 years | Critical |
| §8 | Electronic fraud | 7 years, fine | Critical |
| §9 | Unauthorized SIM issuance | 3 years, fine | Low |
| §10 | Spamming | 1 month, PKR 50K | Low |
| §10A | Cyber terrorism | 14 years | Critical |
| §11 | Hate speech online | 7 years, fine | Medium |
| §21 | Online defamation (enhanced 2025) | Up to 5 years | Medium |
| §40 | Mandatory reporting of offenses | N/A (compliance obligation) | Critical |
Key changes introduced by the PECA Amendment Act 2025:

- Penalties increased; expanded scope of the online defamation provisions under §21
- PEMRA-licensed TV channels are no longer exempt from PECA provisions
- Increased penalties for fake news published on electronic media and social platforms
- Enhanced regulation of social media platforms and content moderation requirements
Key provisions of the Personal Data Protection Bill (PDPB) draft:

- Data subject rights: access, correction, deletion, data portability
- Explicit consent for data processing; withdrawable at any time
- Cross-border transfers: government approval or adequacy finding required
- Sensitive personal data must be stored in Pakistan
- Mandatory DPO appointment for qualifying companies
- 72-hour notification requirement for data breaches
| Feature | PDPB Draft | GDPR (EU) |
|---|---|---|
| Max Penalty | PKR 500 million (per PDPB Draft §36) | €20 million or 4% of global turnover |
| Data Localization | Yes (sensitive data) | Limited (adequacy-based) |
| DPO Required | Yes | For large-scale processing |
| Breach Notification | 72 hours | 72 hours |
| Cross-Border Transfer | Restricted | Restricted (Chapter V) |
PTA mandates specific data localization and logging requirements for telecom operators and ISPs:
| Document | Year | Scope |
|---|---|---|
| National Cyber Security Strategy 2023-2028 | 2023 | Comprehensive national cyber security framework |
| 5G Security Guidelines | 2026 | Security requirements for 5G deployment |
| Critical Telecom Data Regulations | 2023 | Data handling for critical telecom infrastructure |
| Cyber Security Framework for Telecom | 2022 | Baseline security controls for operators |
The State Bank of Pakistan has issued comprehensive cybersecurity guidelines for the financial sector. While primarily targeting banks, they affect fintech companies and any IT company handling financial data.
Cyber Security Framework — Mandatory for all banks and DFIs. Covers: governance, risk management, incident response, penetration testing, access controls.
SBP guidelines on use of cloud services for banking data. Cloud providers must meet specific security and residency requirements.
| Body | Website | Function | Relevance to IT |
|---|---|---|---|
| NCCIA (National Cyber Crime Investigation Agency) | nr3c.gov.pk | Cybercrime investigation (formerly FIA NR3C, upgraded to independent agency) | Report cyber incidents; respond to investigation requests |
| FIA Cyber Crime Wing | cybercrime.gov.pk | Federal Investigation Agency cyber division | Online crime reporting platform; investigation authority under PECA |
| NTISB (National Telecom & Information Security Board) | ntisb.gov.pk | National cybersecurity policy & standards | Develops national cyber security strategy; coordinates with industry |
| Pakistan Computer Emergency Response Team (PKCERT) | Under MoITT | National CERT; incident response coordination | Report vulnerabilities; receive threat advisories |
| Requirement | Law/Regulation | Action | Priority |
|---|---|---|---|
| Implement access controls | PECA §3, §7 | Role-based access; MFA; audit logs | Critical |
| Maintain traffic logs ≥ 90 days | PTA Regulations | Centralized logging; secure storage | Critical |
| Report cyber incidents | PECA §40 | Report to FIA/NCCIA within 24 hours | Critical |
| Data breach notification | PDPB (pending) | Notify authority within 72 hours | Prepare Now |
| Privacy policy & consent | PDPB (pending) | Website/app privacy policy; consent forms | Prepare Now |
| Content moderation | PECA §11, §21 | Content review process; user reporting | Medium |
| Designate cyber liaison | PECA §40 | Nominate point of contact for investigations | Critical |
| Encryption at rest/transit | SBP / PTA guidelines | TLS 1.3; AES-256; key management | High |
| Annual penetration test | SBP / Industry best practice | Third-party pen test annually | High |
| Employee security training | Industry best practice | Phishing awareness; data handling | High |
| Document | Year | Authority | Key Focus |
|---|---|---|---|
| National Cyber Security Policy 2021 | 2021 | MoITT | National CERT ecosystem, Critical Information Infrastructure (CII) protection, cyber threat intelligence, and incident response framework |
| Pakistan Security Standard (PSS) — IT Security Guidebook | 2020 | MoITT | IT security standards for government and public sector — mandatory compliance for IT vendors to government |
| National Cybersecurity Framework for Telecom 2022 | 2022 | PTA/NCERT | Telecom-CERT incident response, threat intelligence sharing, and security standards for telecom operators |
| PECA Online Content Rules 2021 | 2021 | PTA | Content removal and blocking obligations for social media platforms and online intermediaries |