Following its enactment earlier this year, Myanmar's Cybersecurity Law No. 1/2025 (the “Cybersecurity Law”) came into effect on 30 July 2025. It introduces a comprehensive framework regulating both domestic and international digital platform operators and cybersecurity service providers serving individuals in Myanmar.
As a result, the Cybersecurity Law applies to any organisation offering cybersecurity services or providing digital platforms to users in Myanmar, whether based locally or abroad.
Key provisions
- Extraterritorial reach: The Cybersecurity Law extends its jurisdiction outside Myanmar, allowing enforcement against Myanmar citizens for violations committed abroad.
- Ministry approval for virtual private networks (“VPNs”): A VPN is defined as a system that independently establishes a secure network within an existing network using technology to ensure secure connections between networks. Government approval is now required prior to offering VPN services. For individuals, non-compliance carries imprisonment for 1-6 months, a fine of between MMK 1–10 million (USD 476–4,760), or both, and if the violator is a company or organization, a minimum fine of MMK 10 million (USD 4,760) will be imposed.
- Licensing requirements: Entities offering (i) cybersecurity services or (ii) operating digital platforms with over 100,000 users must secure a license, which will be valid for 3-10 years. Non-compliance may result in fines starting at MMK 100 million (USD 47,600). Moreover, organisations that provide cybersecurity services in Myanmar must be incorporated under Myanmar Companies Law.
- Cyber offences and penalties: The Cybersecurity Law also introduces specific penalties for engaging in various cyber offences:
- Transmitting unsolicited communications carries up to 2 years’ imprisonment or fines of up to MMK 20 million (USD 9,525).
- Engaging in cyber misuse, including unauthorized access, alteration, or sale of data is punishable by up to 3 years’ imprisonment.
- Online theft or mischief carries penalties of up to 7 years’ imprisonment.
Takeaways for organisations internationally
The Cybersecurity Law’s licensing mandates require prompt compliance for any organisation with Myanmar-based users or operations. Additionally, the regulation of VPNs and digital platforms may affect cross-border data flows. Companies should begin preparing for licensing logistics and be aware of the potential impact on operations.
Conclusion
Organisations offering or planning to offer cybersecurity services or operate digital platforms in Myanmar must ensure immediate compliance with the registration and licensing regimes established under the Cybersecurity Law.
Both domestic and international stakeholders should closely monitor regulatory developments and proactively adapt operations and data transfer mechanisms to ensure alignment with the Cybersecurity Law’s requirements.
[View source.]
