Written by: Haim Ravia, Dotan Hammer
The Israeli government has published a draft of the National Cyber Protection Law 2026, marking the third time in recent years that the government has attempted to formalize the country’s cybersecurity regulatory framework. The bill, originating from the National Cyber Directorate under the Prime Minister’s Office, draws heavily on lessons learned during recent military operations, including “Swords of Iron.”
The proposed legislation establishes mandatory cybersecurity requirements for “essential organizations” across critical sectors, including communications, energy, healthcare, hazardous materials, and water infrastructure. These organizations will be required to meet baseline protection standards aligned with internationally recognized frameworks and report significant cyber incidents to authorities.
Central to the bill is the formal establishment of the National Cyber Directorate as an independent operational-technological body responsible for coordinating national cyber defense efforts. The Directorate will operate a national CERT (Computer Emergency Response Team) and maintain a national Security Operations Center to monitor cyber threats.
The law grants authorities substantial powers during severe cyber attacks, including the ability to issue binding instructions to affected organizations. In cases where attacks threaten national security or could spread across multiple sectors, officials may direct organizations to take specific protective measures.
Non-compliance carries significant penalties. Organizations failing to meet security standards or reporting requirements face administrative fines of up to 300,000 NIS. Criminal violations—such as refusing to comply with emergency instructions—could result in up to two years imprisonment.
The bill includes privacy safeguards, limiting the retention of personal data obtained during cyber operations to two years and restricting its use to cybersecurity purposes only.
If enacted, most provisions would take effect three months after publication, with certain requirements for essential organizations beginning after 12 months.
Click here to read the draft National Cybersecurity Bill (in Hebrew).
