Laos publishes new law on cybersecurity
15 April 2026
On March 20, 2026, Laos published the Law on Cybersecurity in the Lao Official Gazette, introducing a comprehensive legal framework covering several key areas.
For the first time, the law introduces a series of defined terms in Lao legislation, including cybersecurity and critical national information infrastructure. It also revisits existing terms such as the definition of personal data, which now aligns more closely with international standards.
On the structural side, the law identifies five sectors of critical national information infrastructure: national defence and public security, technology and communications, finance and banking, energy, commerce, transport and logistics. Specific entities responsible for these infrastructures will be identified and assessed by the Ministry of Technology and Communications (MTC). Those entities are subject to specific security obligations, including physical protection, access control and oversight of third-party service providers.
The law also introduces the National Cybersecurity Operations System, a central monitoring and response structure operating around the clock, combining expert personnel with big data analytics and artificial intelligence. The law does not indicate whether the system is already operational. Laos already operates LaoCERT, its national Computer Emergency Response Team, though the law does not address the relationship between the two structures.
For operators broadly, the law introduces several concrete obligations: immediate reporting of cybersecurity incidents; annual cybersecurity reporting to the MTC every January; regular cybersecurity training and awareness-raising; data backup and system recovery procedures; and a cybersecurity registration requirement for entities that provide services or disseminate information online.
On enforcement, the law provides that violations may result in warnings, fines, civil liability, or criminal penalties. However, the law does not tie specific consequences to specific obligations. The details of the sanctions regime are left to subsequent regulations, limiting operators’ ability to assess their actual exposure at this stage.
According to Dino Santaniello, an independent consultant, the law introduces several obligations that directly affect businesses operating in Laos, regardless of their size or sector.
“On compliance, all legal entities and organizations must implement cybersecurity measures covering risk assessment, access control, encryption, and network security,” he said. “They must also establish incident response procedures, maintain data backups across multiple locations, conduct regular cybersecurity training, and submit annual reports to the MTC. These obligations apply broadly, with no size or sector threshold, covering entities ranging from large financial institutions to small businesses and non-profit organizations.”
He added that businesses wishing to provide cybersecurity services commercially must obtain a dedicated licence from the MTC, in addition to their standard enterprise registration. “Key eligibility conditions include a permanent office in Laos, qualified technical personnel with a higher education degree in information and communication technology, a manager with at least two years of relevant experience, a stable financial position, and a clean criminal record. Licenses are valid for one year and are not transferable.”
On cross-border digital operations, he said that the law requires entities providing services or disseminating information online to register with the MTC. “This registration requirement targets both commercial service providers (e.g., website hosting, digital payment and telecoms operators) and entities disseminating information online on a non-profit basis. The scope of the latter category raises interpretative questions that will likely require clarification from the authorities. Notably, unlike Decision No. 3648 on Digital Platforms, which explicitly targets offshore providers earning income from Lao-based users regardless of physical presence, the Law on Cybersecurity contains no equivalent provision addressing offshore service providers directly. Foreign businesses operating in Laos or providing services to users in Laos should assess whether they fall within the registration requirement and seek clarification from the MTC where needed,” he said.
According to him, one important gap for businesses to note is the absence of technical standards in the law. “The law acknowledges the need for effective cybersecurity measures but does not specify compliance benchmarks such as ISO 27001 or equivalent frameworks. These details are left to subsequent regulations, which businesses will need to monitor closely,” he said.
Under the Lao government's 20-Year National Digital Economy Development Vision (2021-2040), referenced in a 2022 World Bank report on Laos's digital future, the country has set a target for its digital economy to grow from approximately 3 percent of GDP to 10 percent by 2040.
“The Law on Cybersecurity gives legal force to that agenda, formalizing cybersecurity as a top national policy priority and providing the government with legislative tools to protect digital infrastructure and foster a more secure digital environment for investment,” said Santaniello.
He said that in terms of the digital economy, the law is likely to have two effects. “On one hand, it creates a more predictable and structured regulatory environment for businesses and investors, which is generally positive for market confidence. On the other hand, the compliance obligations it introduces, particularly for smaller operators, may represent a new administrative burden, especially given that technical standards and detailed implementing regulations are still pending,” he said.
He added: “On regional alignment, Laos’s law reflects a broader trend across ASEAN. Several ASEAN member states have been developing or updating their cybersecurity frameworks in recent years. Malaysia introduced its national cybersecurity law in 2024, Singapore amended its Cybersecurity Act in the same year, while several others, including Cambodia, are advancing their respective frameworks. Laos’s law joins this movement, signalling a commitment to building a more coherent regional cybersecurity architecture.”
ASEAN’s Cybersecurity Cooperation Strategy 2021-2025 focuses on five dimensions: advancing cyber readiness, strengthening regional policy coordination, enhancing trust in cyberspace, regional capacity building, and international cooperation. “The Lao law aligns with several of these dimensions, particularly through the establishment of the National Cybersecurity Operations System and the requirement for critical national information infrastructure entities to connect to it,” said Santaniello.
“The ASEAN Regional Computer Emergency Response Team was launched in 2024, with substantial support from Singapore. Laos’s existing LaoCERT is positioned to participate in that regional framework, though the law does not specify how the two structures will interact,” he said.
“That said, the cybersecurity landscape across ASEAN remains fragmented, with significant variations in maturity levels and regulatory development across member states,” he continued. “In that regard, Laos is still at an earlier stage of this journey compared to more advanced ASEAN members such as Singapore. The law provides a solid foundation, but its practical impact will depend heavily on the implementing regulations and the MTC’s capacity to enforce and administer the new framework effectively.”
- Excel V. Dyquiangco