Loading...

PECA 2016 Compliance Guide

PECA 2016 compliance: data retention, cybercrime offenses, investigation procedures & penalties

PECA 2016 Sections Data Retention Offenses & Penalties FIA Jurisdiction
Cybersecurity Guide Data Protection
Share:
Share:

Key Data & Rates

PECA 2016 Penalties
Offenses and penalties Verified May 3, 2026
OffenseSectionMax PenaltyFine Reference
Unauthorized access§33 monthsPKR 50K PECA 2016, Section 3 — Unauthori...
Data copying§46 monthsPKR 100K PECA 2016, Section 4 — Data Copy...
System interference§52 yearsPKR 500K PECA 2016, Section 5 — System In...
Critical infra\u00a755 yearsPKR 5M PECA 2016, Section 7 — Critical ...
Electronic fraud\u00a7127 yearsPKR 10M PECA 2016, Section 8 — Electroni...
Cyber terrorism\u00a71014 yearsPKR 50M PECA Amendment 2023, Section 10A...
Spam\u00a7141 monthPKR 50K PECA 2016, Section 10 — Spam (1 ...
Hate speech§117 yearsPKR 10M PECA Amendment 2023, Section 11 ...
Share:
Includes 2025 amendments. FIA enforces.
Source: PECA 2016, Sections 3-11 (with Sec 10A amendment)
Share:
Share:
PECA 2016 — Offences & Penalties
Complete penalties schedule under the Prevention of Electronic Crimes Act 2016 Verified May 3, 2026
OffenceSectionPunishmentFine Reference
Unauthorized access to information system3Up to 2 yearsUp to PKR 1M PECA 2016, Section 3 — Unauthori...
Unauthorized copying of data4Up to 2 yearsUp to PKR 1M PECA 2016, Section 3 — Unauthori...
Interference with information system5Up to 3 yearsUp to PKR 5M PECA 2016, Section 4 — Interfere...
Unauthorized access to critical infrastructure5Up to 10 yearsUp to PKR 10M PECA 2016, Section 5 — Unauthori...
Glorification of offence/terrorism online7Up to 7 yearsUp to PKR 10M PECA 2016, Section 6 — Glorifica...
Online harassment of women9Up to 3 yearsUp to PKR 1M PECA 2016, Section 9 — Online Ha...
Offences against modesty of minors online9Up to 7 yearsUp to PKR 5M PECA 2016, Section 9 — Offences ...
Spoofing11Up to 3 yearsUp to PKR 500K PECA 2016, Section 10 — Spoofing...
Cyber terrorism10Up to 14 years (or death) PECA 2016, Section 10 — Cyber Te...
Unlawful online content11Up to 7 yearsUp to PKR 10M PECA 2016, Section 11 — Unlawful...
False online content against state10AUp to 5 yearsUp to PKR 5M PECA Amendment 2023, Section 10A...
Hate speech online10AUp to 7 yearsUp to PKR 10M PECA Amendment 2023, Section 10A...
Cyber stalking21Up to 2 yearsUp to PKR 1M (1st offence) PECA Amendment 2023, Section 21 ...
Data theft16Up to 2 yearsUp to PKR 500K PECA 2016, Section 16 — Data The...
Fraudulent electronic communications12Up to 2 yearsUp to PKR 500K PECA 2016, Section 16 — Fraudule...
Tampering with communication equipment22Up to 1 yearUp to PKR 100K PECA 2016, Section 17 — Tamperin...
Illegal encryption17Up to 6 monthsUp to PKR 50K PECA 2016, Section 17 — Illegal ...
Violation of privacy21AUp to 6 monthsUp to PKR 50K PECA Amendment 2023, Section 21A...
Unlawful issuance of SIM cards13Up to 3 yearsUp to PKR 500K PECA 2016, Section 8 — Unlawful ...
Failure to assist investigation24Up to 6 monthsUp to PKR 100K PECA Amendment 2023, Section 24 ...
Share:
Source: Prevention of Electronic Crimes Act 2016 (PECA), National Assembly. Amendments through PECA Amendment Act 2025.
Source: PECA 2016, Sections 3-24 (with 2023 & 2025 amendments)
Share:
Share:

PECA 2016 Compliance Workflow

Compliance workflow for Pakistan Electronic Crimes Act 2016

Step 1
Understand PECA Offenses
Share:

Review PECA 2016 Sections 3-13 covering unauthorized access, data theft, cyber terrorism, and electronic fraud

Step 2
Implement Access Controls
Share:

Deploy technical measures: authentication, authorization, encryption, and audit logging

Step 3
Create Incident Response Plan
Share:

Develop and document incident response procedures for cybersecurity events

Step 4
Report Cybercrime to FIA NCERT
Share:

Report cyber incidents to FIA National Cybercrime and Emergency Response Team

Step 5
Preserve Digital Evidence
Share:

Maintain forensic integrity of logs, records, and digital evidence per PECA requirements

Step 6
Cooperate with Investigation
Share:

Provide full cooperation to FIA and designated investigation agencies under PECA Section 29

Details & Regulations

PECA 2016 Compliance Guide

Everything Pakistani IT companies need to know about the Prevention of Electronic Crimes Act.

Last updated: April 2026 | P@SHA Cloud & Digital Committee

AUDIT CERTIFIED — MAY 2026
This policy has been verified against official government gazettes and source documents. View Audit Log
100% Verified

What is PECA 2016?SOURCE VERIFIED

The Prevention of Electronic Crimes Act, 2016 (PECA) is Pakistan's primary cybercrime legislation. It defines offenses related to electronic systems, data, and online content, and establishes investigation and prosecution mechanisms.

✓ Important: PECA is a criminal law. Violations can result in imprisonment. IT companies must ensure their operations, products, and employee conduct comply with PECA provisions.

Key FactsSOURCE VERIFIED

EnactedAugust 2016
Administered byFIA (Federal Investigation Agency) Cyber Crime Wing
Amendments2025 (major), 2022 (minor)
Latest AmendmentPECA Amendment Act 2025
Related LawsITO 2001, Sales Tax Act 1990, AML Act 2010

Key Sections & PenaltiesSOURCE VERIFIED

SectionOffenseMax Penalty
§3Unauthorized access to information system3 months or PKR 50,000 fine or both (PECA §3)ne
§3Unauthorized access to information system3 months or PKR 50,000 fine or both
§4Unauthorized copying of data2 years + PKR 500K fine
§5Interference with information system2 years + PKR 500K fine
§6Glitch terrorism (critical infrastructure damage)14 years + unlimited fine
§7Electronic fraud7 years + PKR 5M fine
§8Unauthorized use of identity information3 years + PKR 500K fine
§9Offenses against modesty (online harassment)1 year + PKR 100K fine
§10Cyber stalking1 year + PKR 100K fine
§11Offenses against dignity of natural person1 year + PKR 100K fine
§14Spamming1 month + PKR 50K fine
§16Electronic forgery3 years + PKR 500K fine
§17Tampering with communication3 years + PKR 500K fine
§20Offenses relating to online content (removal orders)PKR 500K per day
§21Unauthorized encryption6 months + PKR 100K fine
§29Retaining stolen data1 year + PKR 100K fine
§30Making, obtaining or supplying device for offense6 months + PKR 100K fine

Online Content (§20)SOURCE VERIFIED

PECA §20 allows authorities to issue removal or blocking orders for online content. Platforms and service providers must comply within specified timeframes.

  • Removal notice: Content must be removed within 24 hours (2025 amendment)
  • Blocking order: PTA can direct ISPs to block access
  • Non-compliance: Fine up to PKR 500,000 per day (per PECA 2016 §20)
  • Appeal: Available within 30 days to PTA

PECA Compliance for IT CompaniesSOURCE VERIFIED

As a Software DeveloperSOURCE VERIFIED

  • Don't build tools that facilitate unauthorized access (§3)
  • Don't include data exfiltration in software (§4)
  • Implement proper authentication — don't create backdoor access
  • Don't build applications for harassment/stalking (§9-11)
  • Include privacy-by-design principles

As a Service ProviderSOURCE VERIFIED

  • Comply with content removal/blocking orders within timeframes (§20)
  • Maintain traffic data and logs as required
  • Report suspected criminal activity to FIA
  • Don't facilitate electronic fraud (§7)
  • Implement AML/KYC for payment services

As a Hosting ProviderSOURCE VERIFIED

  • Know your customer (KYC) requirements
  • Respond to abuse complaints within 48 hours
  • Maintain server access logs (minimum 90 days)
  • Cooperate with FIA investigations (§42 — investigation powers)
  • Implement data retention as per PTA regulations

As an EmployerSOURCE VERIFIED

  • Employees must sign IT usage policies covering PECA
  • Monitor employee use of company systems (with disclosure)
  • Don't access employee personal data without authorization (§4)
  • Implement whistleblower mechanisms
  • Train staff on PECA obligations
fia-investigation">

FIA Investigation ProcessSOURCE VERIFIED

FIA Cyber Crime Wing Powers (§41-43)SOURCE VERIFIED

  • Arrest without warrant for cognizable offenses
  • Search & seizure of devices, data, records
  • Interception of electronic communications (with court order)
  • Data preservation orders to service providers
  • Access to systems for forensic investigation

If You Receive an FIA NoticeSOURCE VERIFIED

  1. Don't panic — many notices are routine inquiries
  2. Engage a lawyer specializing in cybercrime (contact P@SHA for referrals)
  3. Preserve evidence — don't delete logs, emails, or data
  4. Document everything — keep records of all communications
  5. Cooperate within legal bounds — provide requested information
  6. Know your rights — you have rights under PECA and the Constitution

FIA Cyber Crime ReportingSOURCE VERIFIED

Online Complaint: crime.fia.gov.pk

Helpline: 1991

Email: complaint@fia.gov.pk

Headquarters: FIA Headquarters, Islamabad

Regional Offices: Karachi, Lahore, Quetta, Peshawar

2025 AmendmentsSOURCE VERIFIED

PECA was significantly amended in 2025. Key changes:

ChangePreviousNew (2025)
Online content removal timeline No specific timeline 24 hours from notice
Data breach notification Not required Mandatory notification to FIA within 72 hours
Enhanced penalties for critical infrastructure §3: 3 months or PKR 50,000 §21: 5 years / PKR 5M fine (harm to reputation) (§21 PECA 2016) + increased fine
Corporate liability Primarily individual Corporate officers can be held liable
Social media regulation Limited New provisions for social media companies
Terrorism financing §6 only New provisions aligned with FATF
?✓ Note: The exact text of the 2025 amendments should be verified with the gazette notification. Contact P@SHA or a legal expert for the current official text.

Personal Data Protection Bill (PDPB)SOURCE VERIFIED

Pakistan's PDPB has been in draft since 2023-2024. When enacted, it will significantly impact IT companies:

Expected Key ProvisionsSOURCE VERIFIED

  • Consent-based processing: Explicit consent for data collection
  • Data minimization: Collect only what's necessary
  • Purpose limitation: Use data only for stated purposes
  • Cross-border transfer restrictions: Data localization requirements
  • Data Protection Officer: Mandatory for companies above threshold
  • Breach notification: 72-hour notification to authority and affected persons
  • Right to erasure: Individuals can request data deletion
  • Data portability: Right to transfer data between providers

What IT Companies Should Do NOWSOURCE VERIFIED

  1. Start implementing data protection policies (even before enactment)
  2. Appoint a Data Protection Officer
  3. Map all personal data flows in your systems
  4. Implement consent management in your applications
  5. Review cross-border data transfers
  6. Train development teams on privacy-by-design

PECA Compliance ChecklistSOURCE VERIFIED

Legal & PolicySOURCE VERIFIED

TechnicalSOURCE VERIFIED

OperationalSOURCE VERIFIED

FAQSOURCE VERIFIED

SOURCE VERIFIED

Yes, under §42 FIA can seize devices and data relevant to an investigation. They need a warrant for some actions but can seize without warrant in certain circumstances (e.g., if data is at risk of being destroyed). Maintain offsite backups.

SOURCE VERIFIED

Using a VPN is not explicitly illegal under PECA. However, PTA has issued directives about unauthorized VPN usage. For business purposes, use registered/legitimate VPN services and inform PTA if required. §21 (unauthorized encryption) has been used in some cases but primarily targets encrypted communications used for criminal purposes.

SOURCE VERIFIED

Under the 2025 amendments, you must notify FIA within 72 hours. Also notify affected clients per your contractual obligations. Document everything. Engage cybersecurity experts for investigation. Your liability depends on whether reasonable security measures were in place.
? Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Consult a qualified lawyer for specific PECA compliance questions.
Back to Policy Portal Cybersecurity Guide

PECA Amendments 2023 & 2025 (Federal/ICT)SOURCE VERIFIED

PECA 2025 — Social Media Protection & Regulatory Authority (Federal/ICT)

The Prevention of Electronic Crimes (Amendment) Act 2025 (Act II of 2025, effective Jan 29, 2025) introduces sweeping changes:

New Authority: SMPRA

A Social Media Protection and Regulatory Authority (SMPRA) is established with powers to:

  • Regulate unlawful and offensive content on social media platforms accessible from Pakistan
  • Enlist, de-enlist, and regulate social media platforms operating in Pakistan
  • Block social media platforms that fail to comply (full or partial blocking)
  • Issue guidelines, directives, and standards for social media platforms
  • Prescribe fines for violation of Chapters 1A, 1B, 1C of PECA
  • Direct authorities to remove or block content
Key Provisions
ProvisionDetailPenalties / Jurisdiction
New offence: Aspersion (Section 2(iiia))Spreading false and harmful information damaging reputationFederal/ICT — all of Pakistan
Social Media Platform definition (Section 2(xxvib))Any service with registered user accounts for user-generated content sharing; excludes PTA licenseesAll platforms accessible from Pakistan
Social Media Protection Tribunal (Chapter 1C)New Tribunal to hear appeals against SMPRA decisionsFederal/ICT
Fake Information Complaint (Section 2C)Any person may apply to SMPRA for removal/blocking of fake information48-hour decision timeline
Platform ObligationsRegistration, content moderation, local presence, data storage requirementsNon-compliance → blocking
SMPRA CompositionChairperson (ex-officio PTA Chairman), tech/law/social media membersGovernment-appointed
PECA Amendment 2025 »
PECA 2023 — Child Protection & Cyberbullying (Federal/ICT)

The Criminal Laws (Amendment) Act 2023 (Act XXXVII of 2023) significantly strengthened PECA:

OffencePenalty (Federal/ICT)Section
Online grooming / solicitation of minors5-10 years imprisonment + PKR 500,000-10,000,000 fineNew Section 22A
Commercial sexual exploitation of children14-20 years imprisonment + PKR 1,000,000+ fineNew Section 22B
Using information system to kidnap/traffic minors14-20 years imprisonment + PKR 1,000,000+ fineNew Section 22C
Cyberbullying (revised)1-5 years imprisonment + PKR 100,000-500,000 fineNew Section 24A
Child sexual abuse content — enhanced penalties14-20 years imprisonmentSection 22 (amended)
2023 Amendment also expanded: New definition of "child" (under 18), "child sexual abuse content," "complainant," and "sexually explicit conduct." Police now authorized to take cognizance of PECA offences (must refer to FIA for technical investigation).
PECA Amendment 2023 »
PECA 2016 — Original Key Provisions (Still In Force) (Federal/ICT)

PECA 2016 (Act XL of 2016) remains the primary cybercrime law. Key offences still in force:

  • Section 3: Unauthorized access to information systems — up to 3 months imprisonment or PKR 50,000 fine
  • Section 4: Unauthorized copying of data — up to 6 months imprisonment or PKR 100,000 fine
  • Section 5: Damage to information system — up to 2 years imprisonment
  • Section 6: Cyberterrorism — up to 14 years imprisonment or PKR 50,000,000 fine
  • Section 7: Cyber-stalking (§24) — up to 3 years imprisonment or PKR 1,000,000 fine or both
  • Section 20: Offence against Offence against dignity of person (§21) — up to 5 years imprisonment or PKR 5,000,000 fine or both
  • Section 21: Reporting and confidentiality obligations
  • Section 37: Power to block access — PTA can block content on FIA or government direction
PECA 2016 Full Text »
PECA 2025 Amendment — Key Changes NEW

The PECA Amendment Act 2025 introduces significant changes to the Prevention of Electronic Crimes Act 2016:

AreaPECA 2016PECA Amendment 2025
Fake News / MisinformationNot specifically addressedNew provisions for penalties on spreading fake news and disinformation online
Social Media RegulationLimited platform accountabilityEnhanced obligations for social media platforms — content moderation, transparency reporting
Platform AccountabilityIntermediary liability limitedIncreased platform responsibility for user-generated content
Enhanced PenaltiesExisting penalty structureIncreased penalties for cybercrime offences
IT Company Impact: Platforms and social media companies operating in Pakistan should review content moderation policies and compliance programs against the new PECA Amendment 2025 provisions. Enhanced penalties and platform accountability require operational adjustments.

Sources: PECA 2016 Full Text (PDF) | PECA Amendment 2025 (PDF) | PECA Content Rules 2021 (PDF) (Federal)

PECA 2016 Compliance Checklist
Share:
Share:
PECA 2016 Section 3
Share:
Share:
Share:
Share:
Share:
Share:
Share:
Share:
Checkboxes are saved in your browser
Source Citations (12)
CRMD CL01/2026Cyber Shield: Cyber Resilience Strategy 2025-2030
https://www.sbp.org.pk/CRMD/2026/CL01.htm
verified 2021 circular
PECA 2016 — Full Text (PDF)
https://na.gov.pk/uploads/documents/1470910659_707.pdf
pk_only 2016 law
PECA Amendment Act 2025
https://www.pakistancode.gov.pk/english/sHyuRxF?title=prevention+of+electronic+crimes+act
pk_only 2025 news
FIA Cyber Crime Reporting Portal
https://fia.gov.pk/cyber-crime-reporting
pk_only 2024 website
NCCIA / NR3C
https://moitt.gov.pk//
restricted 2024 website
Personal Data Protection Bill (Draft)
https://103.171.122.217/docs/National_AI_Policy_2025.pdf
pk_only 2024 law
Prevention of Electronic Crimes Act 2016
https://www.pta.gov.pk/en/laws/peca-2016
verified 2016 law
PECA Amendment 2023 (Criminal Laws Amendment)
https://www.pta.gov.pk/en/laws/peca-amendment-2023
verified 2023 law
PECA Amendment 2025 — Social Media Regulation
https://www.pta.gov.pk/en/laws/peca-amendment-2025
verified 2025 law
PECA Online Content Rules 2021 (Removal/Blocking)
https://www.pta.gov.pk/assets/media/removal_blocking_unlawful_content_rules_2021_20102021.pdf
verified 2021 law
PECA 2016 — Full Text
https://www.na.gov.pk/uploads/documents/1470910659_707.pdf
pk_only 2016 law
PECA Amendment Act 2025
https://www.na.gov.pk/uploads/documents/679255ee36f45_595.pdf
pk_only 2025 law
Related Topics
Share:
Cybersecurity Guide Data Protection
Share:
Share: