Myanmar: Cybersecurity Law enacted on 1 January 2025

In brief

Myanmar's State Administration Council enacted Cybersecurity Law No. 1/2025 (the Cybersecurity Law) on 1 January 2025, aiming to regulate cybersecurity services, digital platform services (DPS) and the use of virtual private networks (VPN) in Myanmar, among others.

The focal ministry and the department responsible for issuing the required licences and registration certificates have not yet been specified, though we anticipate that information on the relevant processes (including application forms and applicable fees) and the grace period for compliance will be detailed in upcoming notifications.

The Cybersecurity Law does not take immediate effect and will come into force on a date to be specified by the Myanmar president. We are in communications with the authorities and will report further developments once available.


Contents

Competent authority

The Cybersecurity Law's provisions regularly refer to a "Ministry" and "Department". The focal ministry and the department responsible for implementing the Cybersecurity Law are yet to be determined, but in the 2022 draft version of the law, the Ministry of Transport and Communications was designated as the focal ministry, and the Information Technology and Cybersecurity Department was the implementing department.

Licensing for cybersecurity service providers

The Cybersecurity Law requires companies who provide cybersecurity services in Myanmar to be incorporated under the Myanmar Companies Law and hold a cybersecurity service licence from the relevant department. The licence term ranges from three to 10 years and is renewable six months before expiry.

Key responsibilities of cybersecurity service providers

Cybersecurity service providers have the following key responsibilities:

  • Legal compliance: Obtaining necessary permits and documentation as required by applicable laws
  • Preventative measures: Establishing and implementing cybersecurity measures to monitor breaches and support emergency response units
  • Damage notification: Notify customers of potential cybersecurity damages and advise on preventive actions
  • Responsive programmes: Develop and implement solutions for malware or cyberattacks
  • Emergency response: Immediately implement emergency programmes, respond to issues and notify affected/interested parties
  • Technology standards: Use cybersecurity technology and adhere to international standards
  • Information protection: Prevent breaches of, damages to or loss of service users' information
  • Anomaly reporting: Immediately report any cybersecurity anomalies to the Department 
  • Compliance with license terms and conditions: Adhere to the terms and conditions of the applicable license
  • Activity reporting: Prepare and submit cybersecurity activity reports to the Department as required

Administrative actions for non-compliance by cybersecurity service providers

The Department reserves the right to take the following actions against any cybersecurity service     provider that fails to comply with its responsibilities:

  • Issue a warning
  • Impose a fine
  • Suspend the licence
  • Cancel the licence

Penalties for unlicensed cybersecurity service providers

Any individual or entity providing cybersecurity services without a licence may face the following penalties:

  • Individuals: imprisonment for between one and six months and/or a fine ranging from MMK 1 million to MMK 10 million (approx. USD 500 to USD 5,000). Evidence related to the offence will also be confiscated as state property.
  • Companies/entities: A minimum fine of MMK 10 million (approx. USD 5,000), and the confiscation of evidence related to the offence as state property. The Cybersecurity Law does not set out any penalties for officers of companies/entities.

Licensing for digital platform service providers

Any digital platform service provider (DPSP) with at least 100,000 users in Myanmar must be registered as a company under the Myanmar Companies Law, and must apply for service registration with the Department.

  • 'Digital platform service' means any service enabling users to express, send, distribute or use information online using cyber resources or similar technology and related tools.
  • 'Information' means data, database, sound, text, image, code, sign, signal, video, software or application.

The registration term ranges from three to 10 years and is renewable six months before expiry.

Compliance requirements for DPSP

DPSPs must adhere to the following regulations:

  • Legal compliance: Obtain necessary permits and documentation as required by applicable laws
  • Data storage: Maintain data storage devices in accordance with the requirements and user data based on data classification standards. (Since the requirements have not yet been specified, it is unclear whether there will be data localisation requirements.)
  • Commercial activities: Comply with applicable laws for any commercial or profit-driven activities conducted via the platform
  • Registration conditions: Comply with the terms and conditions as specified in the applicable registration certificate
  • Information management: Upon awareness or notification by the Department, prevent the dissemination of destabilising information, misinformation, inappropriate content for public view, child pornography and sexually explicit content, and content violating laws, including infringement of intellectual property rights
  • User data retention: Retain personal data, usage records and additional data as specified by the department for up to three years
  • Information disclosure: Produce required information upon request by the authority

Administrative actions for DPSPs

The Department may take the following actions against a DPSP:

  • Issue a warning
  • Impose a fine
  • Suspend the registration certificate
  • Cancel the registration certificate and blacklist the DPSP

In addition, the Ministry may take the following actions in public interest:

  • Suspend DPS or electronic information
  • Temporarily seize materials related to DPS
  • Shut down a DPS or declare it inappropriate for public use 

Penalties for unregistered DPSPs

Any DPSP with 100,000 or more users in Myanmar that operates without registration may face penalties, namely a fine of at least MMK 1 billion (approx. USD 500,000) and the confiscation of evidence related to the offence as state property.

Virtual Private Network requirements

Ministry approval required to provide VPN services

Individuals or entities wishing to establish or provide Virtual Private Network (VPN) services in the national cyberspace must obtain approval from the Ministry. A VPN is defined in the Cybersecurity Law as a system that independently establishes a secure network within an existing network using technology to ensure secure connections between networks.

We note that "national cyberspace" is not defined, but further guidance from the authorities may be provided.

Penalties for unapproved VPN services

The following penalties apply for establishing or providing VPN services without Ministry approval:

  • Individuals: imprisonment for between one and six months and/or a fine ranging from MMK 1 million to MMK 10 million (approx. USD 500 to USD 5,000). Evidence related to the offence will also be confiscated as state property.
  • Companies/entities: A minimum fine of MMK 10 million (approx. USD 5,000), and confiscation of evidence related to the offence as state property. The Cybersecurity Law does not set out any penalties for officers of companies/entities.

Other offences using cyber resources

The Cybersecurity Law also criminalises other offences concerning the use of cyber resources:

Cyber abuse: Cyber abuse includes altering the quality or capacity of a computer program, software, or information; deleting the information; selling computer programs, software, or information without authorization; unauthorized access to or transfer of a computer program, software, or information; or controlling a computer system, computer program, software, or electronic information. The penalties for cyber abuse are imprisonment for between six months to three years, and/or a fine ranging from MMK 1 million to MMK 20 million (approx. USD 500 to USD 10,000).

Unsolicited message: The penalties for sending unwarranted or unsolicited messages using networks are imprisonment for between one year to two years and/or a fine ranging from MMK 5 million to MMK 20 million (approx. USD 2,400 to USD 10,000).

Online theft: The penalties for online theft of, or mischief to, a person's funds using cyber resources are imprisonment for between two years to seven years and a fine.

Online gambling: The following penalties apply for establishing an online gambling system without authorisation:

  • Individuals: imprisonment ranging from six months to one year, and/or a fine ranging from MMK 5 million to MMK 20 million (approx. USD 2,400 to USD 10,000). Evidence related to the offence will also be confiscated as state property.
  • Companies/entities: A minimum of MMK 20 million (approx. USD 10,000). Evidence related to the offence will also be confiscated as state property. The Cybersecurity Law does not set out any penalties for officers of companies/entities.

Key takeaways

Companies intending to offer cybersecurity services should begin planning to ensure compliance with the licensing and registration regimes established by the Cybersecurity Law. Please reach out if you have any questions, and we would be delighted to assist.

To learn more about these issues and how they affect you, reach out to your usual Baker McKenzie contact.

We will continue to monitor these developments closely. Should you have questions or concerns, please contact any member of our team.

* * * * *

Japanese version

Contact Information

Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.