Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: January 2025

Yes

☒         general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒         other

The Personal Data Protection Law includes an obligation on both controllers and processors to record a description of data security measures in the maintained record of processing activities.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: January 2025

Yes

  financial services requirements

The Banking Law obliges licensed financial institutions to provide secure systems that ensure the integrity and confidentiality of customer data and accounts. The Financial Regulatory Authority imposes certain IT system requirements on some regulated non-banking financial entities.

☒  telecommunication requirements

The Cybercrimes Law establishes certain cybersecurity obligations on ICT service providers in relation to data retention, security and confidentiality.

☒  digital or connected (IoT) products

The National Telecom Regulatory Authority’s IoT Framework includes specific requirements, such as an annual cybersecurity assessment (consisting of penetration and vulnerability tests to be performed by reputable providers) and an annual report on cybersecurity risks and resilience.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: January 2025

          telecommunications

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: January 2025

Yes

Controllers/Owners have to notify:

        data protection authorities

        cybersecurity authorities

        affected individuals

Processors/Agents have to notify:

Last review date: January 2025

       data protection authorities

       cybersecurity authorities

       affected individuals

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: January 2025

☒         public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)

☒         health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)