Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 31 December 2024

Yes

  • general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
  • requirement to undertake third party due diligence (security assessment of third party providers)

Further details on technical and organizational measures to guarantee protection of personal data are set out in Executive Order No. 43 of 2022.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 31 December 2024

Yes

  • other

If yes, please provide brief details of the relevant law or regulation.

  • Law No. 16 of 2014 regarding the Protection of Information and State Documents, which mandates the protection of sensitive information and state documents.
  • Prime Ministerial Decree No. 36 of 2018 sets technical requirements for sending, receiving, and updating electronic records and signatures of public bodies.
Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 31 December 2024

  • National Cyber Security Center ("NCSC"): The NCSC has been proactive in enhancing cybersecurity awareness and education. In 2024, it launched the National Cybersecurity Awareness Campaign, which included comprehensive training programs tailored for public sector employees. These initiatives aim to bolster the overall cybersecurity posture of Bahrain by equipping individuals with the skills and knowledge needed to combat cyber threats.
  • General Directorate of Anti-Corruption and Economic and Electronic Security ("MOI"): This directorate plays a crucial role in the implementation of Bahrain's National Cybersecurity Strategy. Its efforts are focused on safeguarding critical national infrastructure and ensuring a robust response to cyber threats.
Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 31 December 2024

Yes

The primary obligation is set out in the Personal Data Protection Law ("PDPL"), with supplementary requirements in Executive Order No. 43 of 2022.

Controllers/Owners have to notify:

Last review date: 31 December 2024

  • data protection authorities
  • affected individuals
  • other

Executive Order No. 43 of 2022 requires controllers to establish communication channels with data subjects so that they can report breaches or potential violations.

Processors/Agents have to notify:

Last review date: 31 December 2024

N/A

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 31 December 2024

Yes

Telecommunication requirements

The Telecommunications Regulatory Authority ("TRA") has specific guidelines for telecom operators regarding data security and breach notifications. Operators are required to report any significant data breaches that could impact the confidentiality, integrity, or availability of telecommunications services.

Providers of critical infrastructure

Organizations that manage critical infrastructure are subject to stringent cybersecurity requirements. They must report any cyber incidents that could compromise the security and functionality of essential services.

Other

The Central Bank of Bahrain ("CBB") mandates that financial institutions must notify the CBB of any material data breaches. This includes breaches that could affect the financial stability or integrity of the institution.