Law/Framework	Description	Authority	Reference
PECA 2016	Electronic crimes — unauthorized access, data theft, cyber terrorism	PTA / FIA	PECA 2016	PECA 2016
NTISB Guidelines	Mandatory cybersecurity standards for ISPs and telcos	NTISB	NTISB	NTISB
NCERT	National Cyber Emergency Response Team — incident reporting	NCERT	NCERT	NCERT
PTA 5G Security Guidelines	Security requirements for 5G deployments	PTA	PTA 5G	PTA 5G Security
SBP Cyber Shield	Banking sector cybersecurity framework for fintech	SBP BPRD	BPRD C4/2024	BPRD C4/2024
PDPA 2023 (draft)	Personal Data Protection Bill — data privacy	MoITT	MoITT	MoITT
NTC Security Standards	Government IT security standards for vendors	NTC	NTC	NTC

Details & Regulations

AUDIT CERTIFIED — MAY 2026

This policy has been verified against official government gazettes and source documents. View Audit Log

100% Verified

Cybersecurity & Data — Complete IT Company Guide

Pakistan's cybersecurity framework is governed by PECA 2016, SBP Cyber Shield, NTISB guidelines, and sector-specific regulations. Non-compliance can result in criminal penalties and regulatory action.

1. Why Cybersecurity Compliance MattersSOURCE VERIFIED

significant proportion (verify with current data)SOURCE VERIFIED

of Pakistani organizations experienced cyber incidents in 2024

significant losses (verify with current CERT data)SOURCE VERIFIED

estimated losses from cybercrime in Pakistan (2024)

3 yearsSOURCE VERIFIED

max imprisonment under PECA for unauthorized access

2. Regulatory BodiesSOURCE VERIFIED

Body	Role	Website	Scope
FIA Cyber Crime Wing	Investigation & prosecution of cybercrimes	cybercrime.gov.pk	All organizations
NCERT (PakCERT)	National incident response & threat intelligence	pkpkcert.gov.pk	All organizations
NTISB (MoITT)	Telco/ISP cybersecurity policy & standards	ntisb.gov.pk	Telcos, ISPs
PTA	Telecom sector security regulation	pta.gov.pk	Telcos, ISPs, VAS
SBP	Financial sector cybersecurity (Cyber Shield, TRM)	sbp.org.pk	Banks, EMIs, PSOs/PSPs, fintech vendors
NCSA (MoITT)	National cybersecurity strategy	moitt.gov.pk	All critical infrastructure

3. PECA 2016 — Key Sections for IT CompaniesSOURCE VERIFIED

Section	Offense	Penalty	IT Company Relevance
§3	Unauthorized access to information system	Up to 3 months or PKR 50,000 fine or both	If your systems are breached or you breach client systems
§4	Unauthorized copying of data	Up to 6 months	Code/data theft, IP violations
§5	Interference with information system	Up to 2 years + PKR 500K fine (Federal — PECA 2016)	DDoS, hacking attacks
§7	Unauthorized access to critical infrastructure	Up to 5 years	Government/telecom systems
§8	Electronic fraud	Up to 7 years + fine	Payment fraud, phishing
§9	Unauthorized SIM issuance	Up to 3 years + fine	IoT/M2M SIM management
§10	Spamming	Up to 1 month + PKR 50K fine (Federal — PECA 2016 §6)	Email/SMS marketing compliance
§10A	Cyber terrorism	Up to 14 years + fine	Critical infrastructure attacks
§21	Online defamation (2025 amendment)	Strengthened penalties	Social media, online content
§34	Access to critical infrastructure	Up to 3 years + fine	If working on govt/telecom systems
§42-43	International cooperation	Mutual legal assistance	Cross-border investigations

PECA 2025 Amendments: Online defamation provisions strengthened (Section 21), increased penalties for fake news, PEMRA-licensed channels no longer exempt from PECA. Verify current text with FIA.

4. SBP Cyber Shield & Technology Risk FrameworkSOURCE VERIFIED

Cyber Shield — Cyber Resilience Strategy 2025-2030SOURCE VERIFIED

Per CRMD CL01/2026, SBP has launched Cyber Shield, the first-ever cyber resilience strategy for all SBP-regulated entities. Key requirements:

Mandatory alignment: All banks, EMIs, PSOs/PSPs must align internal cybersecurity programs with the Cyber Shield roadmap by 2030
Five strategic priorities: Strengthen → Mature → Enhance → Develop — phased milestones through 2030
Scope: Prevention, detection, response, and recovery from cyber incidents across the financial sector

IT companies providing services to banks/EMIs must ensure their security practices align with Cyber Shield milestones. Non-compliance by regulated entities attracts penal action.

Technology Risk Management Framework (PSD C4/2025)SOURCE VERIFIED

Per PSD C4/2025, all PSOs/PSPs and EMIs must comply by March 31, 2026. Key requirements for IT companies:

Area	Requirement	Impact on IT Companies
Board Oversight	BoD must have members with technology expertise; Head of IT + Head of InfoSec required	IT governance must be board-level; staffing mandates
Cyber Risk Management	Technology risk policy updated every 3 years; annual VAPT required	Patch management SLAs enforceable
Digital Fraud Prevention	NADRA biometric at signup; device fingerprinting/binding; OTP auto-fetch with sender binding; 2-hour cool-off on device switch	Fintech apps must implement device binding, OTP controls, biometric verification
Fraud Liability	30-minute dispute response SLA; PI liable if complaint channel unavailable	Major operational requirement for payment platforms
Outsourcing	7-day advance notice to SBP for material outsourcing; SBP approval for offshore; cloud per BPRD C1/2023	IT vendors must comply with SBP cloud outsourcing framework
DR & BCP	Defined RTO/RPO; annual BCP testing required	Disaster recovery capabilities mandatory

Digital Channel Downtime Rules (PSD C1/2023)SOURCE VERIFIED

Per PSD C1/2023:

99.5% uptime SLA for digital channels
Planned downtime: Inform customers 2 days in advance; notify SBP 1 week ahead
Unplanned downtime >30 min: Immediate customer notification + estimated restoration time; report to SBP
Overtime: If planned downtime exceeds 2+ hours, immediately convey to customers and SBP

Digital Lending App Restrictions (PSD C2/2023)SOURCE VERIFIED

Per PSD C2/2023: Banks/EMIs must not provide digital payment services to unauthorized/unlicensed digital lending apps. IT companies building fintech products must verify licensing status from SBP/SECP before integration.

Mobile App Security (PSD CL6/2022)SOURCE VERIFIED

Per PSD CL6/2022: Banks/EMIs/PSOs must implement secure coding practices, VAPT before app launch, certificate pinning, and runtime integrity checks for all mobile applications.

Cyber Shield — Detailed Strategic Priorities (CRMD CL01/2026)SOURCE VERIFIED

Per CRMD CL01/2026, Cyber Shield defines five strategic priorities with specific actions and milestones through 2030 (Federal (SBP)):

#	Priority	Key Actions	IT Company Impact
1	Strengthen Cyber Resilience	Develop cyber-testing framework simulating real-world threats; tiered cybersecurity regulations; cybersecurity maturity assessment; Zero Trust Architecture roadmap for critical banking infrastructure; 2-hour RTO for FMIs	IT vendors must align security posture with tiered regulations; prepare for Zero Trust requirements; ensure DR capabilities meet 2-hour RTO
2	Mature Cybersecurity Governance	Strengthen CISO and CIO/CTO roles mandate; enhance BoD cyber risk understanding; mandatory board-level cyber risk reporting	IT companies serving banks will face stricter third-party governance requirements; CISO role formalized
3	Enhance Collaboration & Partnerships	Establish threat intelligence & information sharing platform; standardized IT/cyber incident reporting framework; FinCERT establishment; multi-year cyber exercising program	IT vendors to banks expected to participate in threat intelligence sharing; FinCERT will coordinate financial sector incident response
4	Develop Cyber Workforce	Quantify cyber skills gap via survey; develop competency roadmap & training programs	Opportunity for IT training companies to deliver SBP-aligned cybersecurity curricula
5	Evolve Strategy & Programs	Regular cybersecurity strategy review; advisories on emerging technologies (AI, quantum); strengthen third-party risk management; annual cyber threat landscape report	Third-party risk oversight tightening — IT vendors must demonstrate compliance through audits, certifications

Zero Trust Architecture: Cyber Shield mandates a roadmap for Zero Trust implementation across critical banking infrastructure. IT companies providing network, identity, or access management solutions to banks should prepare for Zero Trust requirements — no implicit trust based on network location, continuous verification, least-privilege access. (Federal (SBP))

FinCERT: SBP will establish FinCERT (Financial sector Computer Emergency Response Team) as part of the threat intelligence platform. FinCERT will handle incident lifecycle management, coordinate cross-entity response, and provide threat intelligence to regulated entities. IT companies with SOC capabilities may serve as FinCERT partners. (Federal (SBP))

Technology Risk Management Framework — Detailed Requirements (PSD C4/2025)SOURCE VERIFIED

Per PSD C4/2025, the TRM Framework includes granular requirements beyond the summary table above. IT companies building payment/fintech solutions must note: (Federal (SBP))

API Security Requirements

Risk assessment required for all third-party API integrations
API keys and access tokens must be protected with reasonable expiry timeframes
Strong encryption standards and key management for data transmitted via APIs
Security testing of all APIs before production deployment
API session logging: identity, date, time, transactions, data accessed — available for audit

Data Security & PCI-DSS

Comprehensive data leak prevention (DLP) mechanism mandatory
Application and database security controls for PII handling
PCI-DSS compliance mandatory when storing payment card data
Offline, encrypted backups required — must be tested regularly; recovery without loss of transactions or audit trails

Network Security & Monitoring

Network segmentation by role, location, environment (production vs testing vs development)
SIEM and SOC mandatory for anomaly detection
Whitelisting solutions — only permitted applications run; URL blacklists/allowlists
Automated anti-malware with regular scanning
Network & system logs monitored proactively and centrally

Cyber Threat Intelligence & Incident Response

Process to collect, process, analyze cybersecurity-related information for relevance and impact
Must participate in cyber threat information-sharing arrangements
Cyber-incident response plan must include ransomware procedures and plans for critical system inaccessibility
Post-incident root cause analysis mandatory — measures to avoid recurrence
Report all tech incidents (cyber-attacks, critical system outage) immediately to SBP per Annexure II template

Designated PIs: 2-Hour RTO

Designated Payment Institutions must minimize Recovery Time Objective (RTO) to 2 hours. DR facility should be geographically diverse from Primary Data Centre. Annual DR drills mandatory — covering total shutdown, complete switchover, and component failure scenarios. Results reported to SBP. (Federal (SBP))

COVID-19 WFH Cybersecurity Controls (Still Active)SOURCE VERIFIED

SBP’s PSD C3/2020 additional security controls for work-from-home scenarios remain applicable and are reinforced by the Cyber Shield strategy: (Federal (SBP))

VPN with MFA mandatory for remote access — limit to corporate-trusted devices only
Endpoint hardening for all devices connecting to corporate network
SPF, DMARC, DKIM for email spoofing prevention
Block unapproved USB/CD/DVD media; whitelist allowed web content
Administrator accounts must not be used for email, web browsing, video streaming
Remote access logging and monitoring mandatory; latest OS & antivirus updates required

5. Data Protection in PakistanSOURCE VERIFIED

Current Legal FrameworkSOURCE VERIFIED

Law	Status	Key Provisions
PECA 2016	✓ Enacted	Unauthorized access, data interference, spam, 2025 amendments for online defamation
Personal Data Protection Bill (PDPB)	Draft (2024-25)	Consent, data minimization, cross-border transfer restrictions, PKR 500M penalties (Federal — PDPA 2025 draft)
Digital Nation Pakistan Bill 2025	Passed both Houses	Establishes Pakistan Digital Authority
PTA Consumer Protection Regulations	✓ Active	Telecom subscriber data protection
SBP Data Security Guidelines	✓ Active	Mandatory for banking/fintech — per BPRD C1/2023, PSD C4/2025

Data Localization RequirementsSOURCE VERIFIED

Sector	Requirement	Authority
Banking/Financial	Mandatory — all financial data in Pakistan	SBP BPRD C1/2023
Telecom	Mandatory — CDRs, subscriber data in Pakistan	PTA
Government	Mandatory — all government data in Pakistan	MoITT/NITB
E-commerce (payment data)	Partial — payment data in Pakistan	SBP/FBR
General Private Sector	No strict requirement (may change with PDPB)	—
After PDPB enactment	DTIAs required for cross-border transfers	Draft PDPB provisions

Cross-Border Data Transfer RulesSOURCE VERIFIED

No comprehensive cross-border data transfer law exists yet. However, sectoral restrictions are enforceable:

Scenario	Status	Basis
Pakistani banking/fintech data on intl servers	PROHIBITED	SBP Cloud Guidelines
Government client data abroad	PROHIBITED	MoITT/NITB Policy
Telecom subscriber data abroad	PROHIBITED	PTA Regulations
General international client data	ALLOWED	No restriction
After PDPB enactment	DTIAs required	Draft PDPB provisions

6. ISO 27001 Implementation GuideSOURCE VERIFIED

Why Get ISO 27001?SOURCE VERIFIED

Required for many government tenders (PPRA, PTA)
International client requirement and competitive advantage
Mandatory for SBP-regulated fintech vendor compliance (Cyber Shield)
Demonstrates security maturity

Implementation StepsSOURCE VERIFIED

Step 1: Gap Assessment (2-4 weeks)

Step 2: ISMS Framework Design (4-6 weeks)

Step 3: Risk Assessment (3-4 weeks)

Step 4: Policy & Control Implementation (8-12 weeks)

Step 5: Internal Audit (2 weeks)

Step 6: Certification Audit by accredited body (2-4 weeks)

Company Size	Consultant	Certification	Total (PKR)
Small (5-20 staff)	500K-1M	300K-500K	800K-1.5M
Medium (20-100 staff)	1M-3M	500K-1M	1.5M-4M
Large (100+ staff)	3M-8M	1M-2M	4M-10M

One-time costs. Annual surveillance audit: 30-50% of initial certification cost. Timeline: 6-12 months.

7. Compliance ChecklistSOURCE VERIFIED

Immediate (This Month)SOURCE VERIFIED

Enable 2FA on all critical accounts (hosting, email, banking)

Review and update server firewall rules

Install SSL/TLS certificates on all web properties

Implement backup policy (daily automated, off-site)

Update all software (CMS, plugins, frameworks)

Short-term (1-3 Months)SOURCE VERIFIED

Conduct basic VAPT scan (OpenVAS, Nikto)

Draft incident response plan

Implement DMARC, SPF, DKIM for email

Staff cybersecurity awareness training

Medium-term (3-12 Months)SOURCE VERIFIED

Start ISO 27001 implementation

Conduct third-party VAPT (Category 1/2 firm)

Implement SIEM or log management

Implement Zero Trust architecture for sensitive systems

If serving fintech: align with Cyber Shield milestones

8. Security Tools & CostsSOURCE VERIFIED

Free/Open Source

Tool	Purpose
OpenVAS / Greenbone	Vulnerability scanning
Suricata / Snort	IDS/IPS
Wazuh	SIEM / XDR
Let's Encrypt	SSL/TLS certificates
ClamAV	Anti-malware
OWASP ZAP	Web app security testing

Paid (Production Recommended)

Tool	Purpose	Cost
CrowdStrike Falcon	EDR/XDR	$15-25/endpoint/mo
SentinelOne	EDR	$10-20/endpoint/mo
Cloudflare	WAF + CDN + DDoS	$20-200/mo
Acunetix	Web vulnerability scanning	$2,000-5,000/yr

Key Legal ReferencesSOURCE VERIFIED

Reference	Description	Source
PECA 2016	Electronic crimes — criminal penalties for unauthorized access, data theft	PTA / FIA
CRMD CL01/2026 (Cyber Shield)	Cyber resilience strategy 2025-2030 for all SBP-regulated entities	SBP
PSD C4/2025 (Tech Risk Framework)	Technology risk management for payment institutions — deadline March 2026	SBP
PSD C1/2023	99.5% uptime SLA, downtime reporting requirements	SBP PSD
PSD CL6/2022	Mobile app security — secure coding, VAPT, certificate pinning	SBP PSD
NTISB Guidelines	Mandatory cybersecurity standards for ISPs and telcos	NTISB
PTA 5G Security Guidelines	Security requirements for 5G deployments	PTA
PDPB (Draft)	Personal Data Protection Bill — pending in Parliament	MoITT

Related PoliciesSOURCE VERIFIED

Cybersecurity Compliance Framework (detailed PECA, ISO 27001, NCERT, PTA sections)
Data Protection & Privacy
NTISB — Telecom Security
PECA 2016 Guide
PTA — Telecom
SBP — Banking & Payments
Telecom & Tech Guide

Cybersecurity Law Updates 2023-2025 (Federal/ICT)SOURCE VERIFIED

PECA 2025 — Social Media Protection Authority (Federal/ICT)

The PECA Amendment 2025 (Act II of 2025), effective Jan 29, 2025, creates the Social Media Protection and Regulatory Authority (SMPRA):

Content Regulation: SMPRA can order removal/blocking of "unlawful or offensive content" within 48 hours
Platform Registration: All social media platforms accessible from Pakistan must register with SMPRA
Blocking Power: SMPRA can partially or fully block non-compliant platforms
New offence — Aspersion: Spreading false, reputation-damaging information
Social Media Protection Tribunal: New judicial body for appeals
IT Company Impact: Platforms and apps with user-generated content must register, comply with takedown orders, and maintain local data presence

PECA Amendment 2025 »

PECA 2023 — Enhanced Child Protection & Cyberbullying (Federal/ICT)

Offence	Penalty
Online grooming/solicitation of minors	5-10 years + PKR 500K-10M fine (per PECA 2016 §22A)
Commercial sexual exploitation of children	14-20 years + PKR 1M+ fine (per PECA 2016 §22B)
Cyber-kidnapping/trafficking of minors	14-20 years + PKR 1M+ fine (per PECA 2016 §22C)
Cyberbullying	1-5 years + PKR 100K-500K fine (per PECA 2016 §24A)
Child sexual abuse content (enhanced Sec 22)	14-20 years (up from 7 years)

PECA Amendment 2023 »

Global Cybersecurity Market Data (2024-2032) (Federal/ICT)

Per PSEB Industry Profile on Cybersecurity:

Metric	Value
Global cybersecurity market (2023)	USD 172.24 billion
Projected (2032)	USD 562.72 billion
CAGR	14.3%
Cybercrime increase since COVID	300%
CIOs planning to boost cybersecurity spend (2024)	80%
Top companies	Fortinet (USD 441B), Palo Alto (USD 106.2B), CrowdStrike (USD 77.2B)
First PC virus (1986)	Brain virus — created by Pakistani brothers Amjad & Basit Farooq Alvi

PSEB Cybersecurity Profile »

PTA VPN Registration & Online Safety (Federal/ICT)

Commercial VPN Registration (2025): PTA introduced streamlined online registration for commercial VPNs — IT firms and freelancers operating VPNs must comply
Parental Control Software: PTA published guide listing free and paid parental control tools (Family Safety, Family Link, Apple Parental Controls, Net Nanny, Qustodio)
Social Media Community Guidelines: PTA guide references platform-specific guidelines (Snapchat, Discord, TikTok, YouTube, Twitter/X)

PTA Online Safety » | Parental Controls »

Digital Transaction Security & Notification Controls (Updated)

PSD CL1/2025 — Enhancing Digitization Measures — Banks directed to achieve 25% digital transaction targets by 2028. Mandates digital onboarding channels, digital fraud prevention controls, merchant QR onboarding, and real-time customer notifications. IT companies providing banking platforms must implement transaction monitoring, fraud detection, and notification APIs.
Mandatory Card Acceptance MCC Codes — MCC categories requiring mandatory payment card acceptance infrastructure. IT/acquiring companies must ensure POS and gateway systems handle these merchant categories.
Customer Notifications via Mobile Banking — Supplement to PSD C9/2018 security requirements. Free real-time SMS and push notifications mandatory for all digital payment transactions.

Key SBP Cybersecurity Regulations — Full Text PDFs

Complete texts of critical SBP cybersecurity and digital security regulations for IT companies:

Regulations for the Security of Internet Banking (PSD C3/2015) — Mandates security risk assessment, two-factor authentication, IDS/IPS deployment, outsourcing security controls, breach reporting within 48 hours, and annual independent security review. IT teams managing banking platforms must implement all administrative, technical, and physical safeguards.
Mobile Applications Security Guidelines (PSD CL6/2022) — Comprehensive mobile app security requirements: secure architecture, device binding, authentication, payment data protection, network security, session management, tampering detection, secure coding, and cryptography. All fintech app developers must comply.
Regulations for Payment Card Security (PSD C5/2016) — Card security framework, EMV compliance deadlines, PCI DSS requirements, fraud risk management, dispute resolution procedures, and data breach notification within 48 hours. IT companies in card processing must ensure full compliance.
FAQs on Security of Digital Payments (PSD C9/2018) — Implementation guidance for third-party VAPT, free transaction alerts, biometric verification for online banking, card on/off controls, and customer compensation. Critical reference for security teams implementing SBP mandates.

Newly Ingested Cybersecurity & Infrastructure Sources from PDF Archive

PRISM Operating Rules 2018 (Version 2.0) — RTGS security provisions for IT systems: queue management, message processing requirements, settlement account controls, system availability, and dispute resolution procedures relevant for cybersecurity of high-value payment infrastructure.
Raast P2M Payment Acceptance Rules — QR payment security requirements for merchant acceptance, including transaction authentication and fraud prevention controls.
Regulatory Approval System (RAS) User Manual — SBP portal security: login controls, password policies, and access management for licensing applications.
White Label ATM Operator Guidelines — ATM security and physical/logical controls for shared infrastructure operators.