1 Legal framework
1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?
'Cybersecurity' is defined under the Computer Emergency Response Teams (CERT) Rules 2023 as protecting information, data systems, network, infrastructure and operational technology systems from:
- unauthorised:
  - access;
  - use;
  - exposure;
  - disruption;
  - modifications; or
  - destruction; or
- unintentional or accidental damage.
The terms 'cybercrime' and 'data protection' are not specifically mentioned in the law; however, they are dealt with under:
- the Prevention of Electronic Crimes Act 2016 (PECA); and
- the CERT Rules.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
The key laws that address cybersecurity in Pakistan are as follows.
PECA: This law addresses cybercrime in the digital age. It:
- provides a legal framework for identifying, preventing and prosecuting offences;
- empowers the Federal Investigation Agency to investigate cybercrimes; and
- authorises the Pakistan Telecommunication Authority (PTA) to regulate and block harmful online content.
This law enhances Pakistan's ability to protect individuals, institutions and critical infrastructure from digital threats.
CERT Rules: These are crucial for Pakistan's cybersecurity posture, providing a legal framework for setting up national and sectoral cybersecurity teams (CERTs) in critical areas such as:
- finance;
- energy; and
- telecommunications.
They define roles and responsibilities among government agencies, private entities and international partners during cyber incidents, in order to:
- enhance resilience against cyberattacks; and
- support the implementation of the National Cyber Security Policy.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
Although Pakistan lacks a dedicated data protection law, policies and frameworks for certain sectors – such as telecommunications, financial services, critical infrastructure and capital markets – have been developed by the bodies regulating these sectors. The PTA Cybersecurity Framework 2020 governs telecoms companies, requiring:
- ISO 27001 compliance; and
- incident reporting.
The State Bank of Pakistan Cybersecurity Framework for Banks and Development Finance Institutions 2017 mandates cybersecurity measures and incident response for banks and financial institutions.
The Securities and Exchange Commission of Pakistan issues guidelines for capital markets and insurance sectors.
The National Cybersecurity Policy 2021 designates critical infrastructure sectors for enhanced protection through sectoral CERTs and risk-based standards.
While healthcare lacks specific cyber laws, the sector falls under general PECA provisions. Similarly, sensitive information such as personal, financial and classified data is protected mainly through:
- PECA;
- sector-specific regulations; and
- the National Cybersecurity Policy.
Financial data is tightly regulated by the State Bank of Pakistan, while personal and health data receive limited protection.
The website of the national CERT of Pakistan under the CERT Rules 2023 contains an incident reporting form for reporting cyber issues.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
Yes, PECA contains provisions with extraterritorial reach, as the preamble states that the act:
shall apply to every citizen of Pakistan wherever he may be and also to every other person for the time being in Pakistan. It shall also apply to any act committed outside Pakistan by any person if the act constitutes an offence under this Act and affects a person, property, information system or data located in Pakistan.
This means that cybercrimes targeting Pakistan's infrastructure, citizens or interests can be prosecuted even if the perpetrator is abroad. The extraterritorial application depends on the connection to Pakistan, such as:
- the offender's nationality;
- the location of the data; and
- the impact on national security.
However, the relevant process is not specified in the law.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
Yes, several bilateral and multilateral instruments related to cybersecurity have effect in Pakistan, although the country has not signed the Budapest Convention on Cybercrime due to sovereignty concerns.
Pakistan cooperates internationally through mutual legal assistance treaties and bilateral agreements for cybercrime investigation and data sharing. It actively engages in regional platforms such as the Organization of Islamic Cooperation, the South Asian Association for Regional Co-operation and the Shanghai Cooperation Organisation to promote cybersecurity cooperation and information exchange. Pakistan also supports global efforts under the United Nations, including participation in the UN Group of Governmental Experts and the Open-Ended Working Group on responsible state behaviour in cyberspace. Additionally, Pakistan's national and sectoral CERTs maintain operational relationships with international CERTs for threat intelligence and incident response.
While Pakistan is not a party to some major cyber treaties, its involvement in regional and global frameworks demonstrates its commitment to international cyber cooperation and security.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
In Pakistan, criminal penalties for cybercrime are defined under PECA. The act outlines a multitude of offences along with corresponding penalties, including fines, imprisonment or both. Examples include:
- a fine of PKR 50,000 or imprisonment for up to three months for the offence of unauthorised access to information systems or data; and
- a fine of PKR 50 million or imprisonment for up to 14 years for the offence of cyber terrorism.
All of these offences and the associated punishments are set out in Sections 3–26 of PECA.
2 Enforcement
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
A National Cyber Crime Investigation Agency (NCCIA) was established under amendments to the Prevention of Electronic Crimes Act 2016 (PECA) introduced in 2025. According to the latest reports, the NCCIA has formally commenced operations, although a website or registration details for this body cannot be found online. However, details of the Federal Investigation Agency Cyber Crime Wing (FIACCW) can be found online. This body was originally established under PECA and, since 2016, has been extremely active in investigating cybercrime incidents in Pakistan. The FIACCW has the power to:
- conduct arrests;
- seize evidence; and
- prosecute individuals.
The Sessions Court handles criminal trials for cybercrimes under PECA and can impose penalties such as fines and imprisonment.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Under PECA, it is the state which prosecutes individuals for cybercrimes:
- upon its own cognisance; or
- on a complaint filed:
  - before the FIACCW; or
  - under the Computer Emergency Response Teams (CERT) Rules.
The rights of action available to private parties are restricted to rights available under general criminal and civil law. There is no separate right available under PECA or the CERT Rules.
2.3 What defences are available to companies in response to governmental or private enforcement?
In response to governmental or private enforcement of cybercrimes or regulatory violations in Pakistan, companies may invoke several defences to mitigate or avoid liability. These defences vary depending on:
- the nature of the alleged offence; and
- whether the action is civil or criminal.
Suitable defences may include the following:
- lack of knowledge, where a company may argue that it was unaware of the offence;
- due diligence, where a company shows efforts to comply with cybersecurity regulations; and
- lack of causation or harm, where a company asserts that the alleged actions did not cause significant damage.
Authorisation or consent may be invoked if the actions were permitted, while a vicarious liability defence can be used to argue that an employee acted outside the scope of their duties.
Moreover, companies could defend themselves with technical defences, claiming:
- that no violation of cyber laws occurred; or
- a lack of jurisdiction if the incident took place outside Pakistan.
Additionally, statutory limitations may be cited if the time for filing claims has expired; and companies may challenge insufficient evidence. In cases involving third-party service providers, companies can argue good-faith reliance, asserting that they outsourced services to trusted vendors.
These defences, if proven, can help companies to avoid or reduce penalties in cybercrime cases.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
Several landmark cyber enforcement actions and judicial decisions in Pakistan have helped to shape the legal framework around:
- cybercrime;
- data protection; and
- digital rights.
Examples include:
- Federal Investigation Agency (FIA) v Arslan (2017) – the 'cyber harassment' case;
- FIA v Social Media Platform (2018) – the Facebook blasphemy case;
- the Dawn leaks case (2017); and
- the TikTok ban (2020–2021).
The best known and most significant of these is the Facebook blasphemy case, in which the FIA, in collaboration with the Pakistan Telecommunication Authority, took aggressive action against blasphemous content circulating on Facebook, particularly targeting material deemed offensive to Islamic teachings. The authorities pressured Facebook to provide user data and remove offensive content deemed blasphemous under Pakistani law. This enforcement action:
- raised significant questions about:
  - freedom of expression;
  - censorship; and
  - the balance between national security and individual rights in the digital realm; and
- brought into focus extraterritorial jurisdiction and international cooperation, as it required Facebook's compliance with local laws, emphasising challenges in governing global cyberspace.
Ultimately, this action set a precedent for government regulation of social media platforms under cybercrime laws, significantly influencing Pakistan's approach to digital governance and online content moderation.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
In May 2018, there was a data breach involving the National Database and Registration Authority – the government body tasked with collecting the personal data of citizens, which is then used to prepare computerised national identity cards and passports. This event led to a public outcry and subsequent stricter data privacy regulations.
Another important cyber-related event was the launch of the National Cybersecurity Policy in 2021, which:
- aimed to create a safe and secure cyberspace for:
  - citizens;
  - businesses; and
  - government operations; and
- marked a major step forward in strengthening Pakistan's overall cybersecurity infrastructure.
The policy:
- envisioned improvements in:
  - cyber defence capabilities; and
  - national cybercrime legislation;
- provided for the establishment of cybersecurity awareness programmes; and
- focused on collaboration with international organisations to enhance Pakistan's cyber resilience.
This marked a major shift towards a more comprehensive and organised approach to cybersecurity in the country.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
Yes. For instance, after its introduction in August 2019, ISO 27001 was adopted by many organisations in Pakistan – particularly in the financial and telecommunications sectors – to ensure that they:
- proactively protect sensitive data; and
- conduct appropriate risk management.
This has helped with:
- achieving compliance with international information security standards;
- preventing data breaches; and
- ensuring the security of personal and organisational information.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
Yes, several governmental entities in Pakistan have issued voluntary guidance and documentation aimed at promoting proactive cyber compliance. For example, the Pakistan Telecommunication Authority has issued guidelines for internet service providers and telecommunications operators in Pakistan, focusing on:
- network security;
- data privacy; and
- cyber threat mitigation.
These guidelines encourage:
- the use of encryption and secure data transfer protocols; and
- the establishment of incident response plans.
The aim is to:
- enhance the security of Pakistan's telecommunication infrastructure; and
- promote proactive measures to protect against cybercrime and fraud.
The State Bank of Pakistan and the Securities and Exchange Commission of Pakistan have both issued frameworks and guidelines, for banks and for companies respectively. These frameworks and guidelines have been issued along the lines of the National Cybersecurity Policy 2021.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
Although nothing is mentioned specifically within PECA or the Computer Emergency Response Teams Rules, under Section 166 of the Companies Act, 2017, the directors of a company must:
- carry out their duties:
  - with care, diligence and good faith; and
  - in the best interests of the company; and
- exercise reasonable care and diligence, which would extend to:
  - cybersecurity measures;
  - data protection; and
  - the prevention of cybercrimes.
Failing to ensure adequate cybersecurity practices or neglecting to act on known risks could be seen as a breach of this duty. In that case, depending on the severity of the breach of duty, directors could be subjected to:
- personal liability;
- regulatory fines;
- civil penalties; or
- even criminal charges.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
The Code of Corporate Governance 2019 does not specifically mention cyber; however, it does require boards of directors to ensure that the company has effective risk management practices in place. Listed companies must also comply with Pakistan Stock Exchange regulations, which require timely disclosure of any material risk incidents that could affect market value.
The adoption of ISO 27001 and other international cybersecurity standards by listed companies is also encouraged, especially where they handle sensitive data.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
While incident reporting is encouraged by the National Cyber Crime Investigation Agency and the Federal Investigation Agency Cyber Crime Wing, there is no scope for sharing details of:
- actual or potential cybersecurity threats; and
- cyber-intelligence information.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
No such mandatory reporting is required.
Voluntary notifications are possible in the context of reporting incidents to the National Cyber Crime Investigation Agency and the Federal Investigation Agency Cyber Crime Wing.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
There are no mandatory notifications for data breaches.
5.3 What steps are companies legally required to take in response to cyber incidents?
There are no steps mandated for companies to take under the law in response to cyber incidents.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
Apart from the general duty of care required of directors under the Companies Act 2017, no other legal duties are mandated by law.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
In Pakistan, cyber-incident insurance is still emerging, with larger corporations – particularly in banking and telecommunications – more likely to take out such policies. While it is not yet widespread, demand is growing due to heightened cybersecurity risks. Smaller companies often overlook this, but awareness is rising and cyber insurance may become more common as regulatory pressures and digital risks increase.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The current cyber landscape in Pakistan is evolving, with significant advancements in digitisation, but also increasing exposure to cyber risks. While the country has made strides in building its cybersecurity infrastructure, challenges remain – particularly in terms of:
- cybercrime;
- data breaches; and
- adequate regulation.
The Prevention of Electronic Crimes Act 2016 (PECA) remains the primary legislative framework addressing cybercrime, although enforcement issues and the pace of technological advancements pose ongoing challenges. Awareness of cybersecurity is growing, particularly among large corporations and financial institutions, but many small businesses still lag behind. Regulatory bodies, including the Pakistan Telecommunication Authority and the State Bank of Pakistan, are becoming more active in enforcing cybersecurity regulations – especially in sectors dealing with sensitive data.
Key trends include:
- a shift towards digitalisation;
- a growing focus on data privacy; and
- increased awareness of cyber risks.
However, Pakistan lacks a comprehensive data protection law and calls for one are growing.
In the next 12 months, significant developments are expected:
- Proposed reforms to PECA may include strengthening data protection provisions.
- A Data Protection Bill could be introduced to align with international standards such as the General Data Protection Regulation.
- Sector-specific cybersecurity regulations will likely become stricter, particularly in finance and telecommunications.
- Pakistan may increase public-private collaboration and establish stronger international partnerships to enhance cybersecurity frameworks and incident reporting.
Overall, Pakistan is focusing on improving cybersecurity resilience, with major legal and regulatory advancements anticipated in the near future.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
In the current cyber landscape, the main issues that companies in Pakistan face are:
- a lack of cybersecurity awareness and training;
- insufficient or outdated cybersecurity infrastructure; and
- compliance or regulatory challenges.
In the case of awareness and training, many employees – particularly in smaller businesses – lack awareness of common threats such as:
- phishing;
- social engineering; and
- poor password practices.
To address this, companies should:
- implement regular cybersecurity training;
- run security awareness campaigns; and
- enforce strong password policies and multi-factor authentication across their organisations.
As for cybersecurity infrastructure, many organisations are forced to rely on outdated or inadequate security systems, making them vulnerable to sophisticated cyber threats. To mitigate this, companies must modernise their cybersecurity infrastructure by:
- adopting:
  - next-generation firewalls; and
  - intrusion detection systems; and
- implementing regular patch management practices.
Leveraging cyber threat intelligence feeds will also help them to stay updated on emerging threats.
Finally, as regards compliance and regulatory challenges, navigating complex regulatory frameworks such as the Prevention of Electronic Crimes Act 2016 and sector-specific guidelines is challenging, especially for organisations handling sensitive data. Companies should:
- engage legal counsel to assist with compliance;
- conduct security audits; and
- implement strong data protection policies.
Regular engagement with regulatory bodies such as the Pakistan Telecommunication Authority and the State Bank of Pakistan is crucial to stay compliant.
Addressing these issues requires companies to invest in:
- employee training;
- modern cybersecurity tools; and
- compliance frameworks.
By doing so, businesses can:
- strengthen their defences; and
- safeguard their networks and data assets effectively.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.