Laos Cybersecurity Law: A Pillar of Digital Transformation

PREAMBLE
In today’s digital era, technology has become inseparable from daily life. Communication, financial transactions, and business operations increasingly rely on online platforms. Yet, alongside these conveniences, cyber threats have grown more sophisticated and dangerous. To address this challenge, the Lao PDR enacted the Law on Cybersecurity No. 87/NA, 2025, a landmark framework designed to safeguard national information systems, protect users, and strengthen trust in the digital ecosystem.
KEY PROVISIONS
A. Foundations of Cybersecurity
1. Objective
To protect national security, social order, and the interests of both the State and the public, thereby reinforcing international trust and regional integration. The law strictly enforces the three pillars of information security in the digital era: integrity, to ensure information remains accurate and unaltered; confidentiality, to safeguard sensitive data against unauthorized access; and availability, to guarantee systems remain accessible to authorized users when needed.
2. Definition
Cyberspace refers to the virtual world interconnected through the internet, databases, and mobile networks that people rely on for daily communication, business, and transactions. Despite its convenience, this digital environment contains inherent risks. Cyber threats include deceptive activities such as phishing, which tricks users into disclosing confidential information, as well as malware and various forms of online scams. Cyber-attacks involve deliberate actions such as hacking and Distributed Denial-of-Service (DDoS) attacks aimed at disrupting, damaging, or disabling digital systems.
To mitigate these risks, cybersecurity serves as a digital safeguard built upon three key pillars. First, data and system protection ensures the confidentiality and integrity of information through measures such as encryption, electronic signatures, and robust backup procedures to maintain business continuity. Second, access screening and control authenticates user identities, limits access rights according to job responsibilities, and implements regular system monitoring and audits. Third, evidence retention and legal accountability preserves comprehensive activity logs and digital records that may be used as evidence in investigations and legal proceedings, ensuring that offenders are subject to appropriate disciplinary, civil, or criminal sanctions.
B. Scope and Governance
The law applies to individuals, legal entities, and organizations, whether domestic or foreign, operating within the Lao PDR. The Law on Cybersecurity entered into force from September 1, 2025 onwards, following the promulgation of the Presidential Decree by the President of the Lao People's Democratic Republic and its publication in the Official Gazette on March 20, 2026. The Department of Cybersecurity under the Ministry of Technology and Communications is the principal authority responsible for the implementation and enforcement of the law. Acting as the central coordinating body among relevant sectors, the Department oversees, monitors, and protects Information and Communications Technology (ICT) systems, including National Critical Information Infrastructure, from cyber threats, cyberattacks and systemic disruption.
C. National Critical Information Infrastructure (CII)
As the Lao PDR advances toward a fully developed digital economy, daily life and business operations have become increasingly dependent on computers, digital systems, and internet connectivity. While this transformation delivers significant convenience and economic opportunities, it also heightens exposure to cyber threats capable of causing substantial national harm. In response to these emerging risks, the Lao PDR has introduced measures to strengthen and protect its National Critical Information Infrastructure (“CII”), which constitutes the digital backbone of the country.
Critical Information Infrastructure refers to high-priority technological systems, networks and digital infrastructures that are essential to the national security, economic stability and public welfare of the Lao PDR. Due to their integral role in maintaining essential services, any disruption, compromise, or destruction of such infrastructure could result in immediate and severe consequences, including nationwide power or water outages, failures within the banking and financial system preventing monetary transactions, or large-scale communications blackouts.
Accordingly, the law identifies several key sectors as National Critical Information Infrastructure requiring enhanced protection measures. These sectors include national defense and public security, technology and communications, finance and banking, energy, trade, transportation and logistics, as well as other high-risk sectors that may affect national stability and public order.
D. Cyber Prevention Measures
- The 24-Hour Cyber Command Center and Preventive Framework
To strengthen the protection of critical systems and infrastructure, the Lao PDR has established a twenty-four-hour Cyber Command Center tasked with continuously monitoring and responding to cybersecurity threats. Operators of both public and private infrastructure are required to implement emergency response plans, maintain redundant backup systems, and conduct regular cybersecurity risk assessments to ensure operational resilience and continuity.
These operations are supervised by the National Cybersecurity Operations Center, which utilizes Big Data analytics and Artificial Intelligence technologies to monitor, detect, prevent and respond to cyber threats and malicious activities on a twenty-four-hour basis. The system is designed to enhance the country’s capability to identify vulnerabilities, mitigate cyber incidents, and safeguard critical digital infrastructure from disruption or unauthorized access.
- Primary legal pillars for prosecuting cybercrimes in Lao PDR
The Cybersecurity Law establishes a comprehensive legal framework aimed at combating cyber-related offenses and strengthening national digital security. Its primary objectives include the strict prosecution of hackers, malware distributors, and online scammers, while also requiring digital platforms and financial institutions to maintain the confidentiality and security of customer information.
The Law further seeks to suppress the dissemination of false or misleading information that may adversely affect public order and social stability, prevent cyber-terrorism and attacks against essential public utilities, and safeguard critical infrastructure necessary for national security and economic stability. In addition, the framework aims to strengthen public confidence in digital payment systems and e-commerce in order to support the continued growth of the digital economy.
3. Legal Framework Governing Cybersecurity and Online Offenses
a. Criminal Liability for Cyber Offenses and Online Fraud
Online offenses and cyber-related fraudulent activities are subject to severe penalties under Lao law, including imprisonment and substantial monetary fines. Authorities are empowered with broad investigative and enforcement powers to prosecute individuals and entities involved in cybercrime, online fraud, unauthorized system access, and other unlawful digital activities.
b. Law on Resisting and Preventing Computer Crimes (2015)
The Law on Resisting and Preventing Computer Crimes enacted in 2015 serves as the primary legislation governing computer-related offenses in the Lao PDR. The Law defines and criminalizes unlawful acts involving computer systems, electronic networks, and digital technologies that may cause harm to the State, organizations, or society.
c. Law on Electronic Data Protection (2017)
The Law on Electronic Data Protection enacted in 2017 establishes legal protections for electronic data and digital information. The Law aims to prevent unauthorized access, use, disclosure, alteration, or destruction of electronically stored data and imposes obligations on relevant parties to maintain data security and confidentiality.
d. The Law on Electronic Transactions (2021)
The Law on Electronic Transactions enacted in 2021 regulates electronic commerce, digital contracts, and online transactions. It provides legal recognition for electronic documents and electronic signatures while imposing criminal liability for acts such as forging electronic signatures, falsifying electronic records, or unlawfully manipulating digital transaction systems.
e. The Law on Telecommunications (2021)
The Law on Telecommunications enacted in 2021 governs the operation, security, and management of telecommunications networks and infrastructures. The law strictly prohibits unlawful interception and unauthorized interference with telecom systems.
f. Decree on Internet Information Management (2014)
The Decree on Internet Information Management enacted in 2014 regulates Internet Service Providers and end-users, strictly prohibiting the dissemination of online content that threatens national security or social order.
E. International Cooperation Vision and Cybercrimes to Watch Out for in Lao PDR
With respect to its vision for international cooperation, the Lao PDR has continued refining its domestic legal framework to align with key international instruments, including the Budapest Convention on Cybercrime, the United Nations Convention against Transnational Organized Crime, and ASEAN Cooperation Frameworks. These efforts are aimed at strengthening regional collaboration in combating transnational cybercrime, particularly online fraud schemes and call center operations.
In parallel, the country has enhanced its digital forensic capabilities and cross-border investigative mechanisms to meet global standards, thereby reducing jurisdictional loopholes through twenty-four-hour evidence-sharing systems and more efficient evidence retrieval procedures among treaty partners. Furthermore, significant emphasis has been placed on the protection of children and vulnerable persons from online sexual exploitation and human trafficking, supported by specialized technical assistance provided by the United Nations Office on Drugs and Crime (UNODC).
F. Compliance Guide: Lawfully Launching a "Cyber Business" in Lao PDR
- For Entrepreneurs Intending to Operate a Cybersecurity Business
The cybersecurity sector in Lao PDR represents a high-potential and rapidly developing industry within the country’s digital economy. Entrepreneurs seeking to establish a cybersecurity-related business must comply with a structured regulatory framework before commencing operations.
The process generally begins with the lawful incorporation and registration of the business entity under the relevant industrial and commercial classification categories with the Ministry of Industry and Commerce. Thereafter, operators are required to obtain a sector-specific cybersecurity operations license from the Ministry of Technology and Communications prior to providing any cybersecurity-related technical services or digital security solutions.
- Types of Cybersecurity Businesses
Licensed cybersecurity activities may include the following services:
- Cybersecurity consulting
- Development and installation of security systems
- Penetration testing
- Incident response
- Cybersecurity training and capacity-building programs
- Compliance and standards auditing
- Surveillance and monitoring services
- Data and system recovery
- Cloud security services
- Other related cybersecurity operations
Each type of cybersecurity business is subject to specific regulatory and licensing requirements. Operating without proper registration or authorization constitutes a criminal offense and may result in imprisonment ranging from three months to one year, re-education measures, and fines ranging from LAK 5,000,000 to LAK 10,000,000.
- Critical Violations Leading to Business Termination
Cybersecurity operators must maintain strict regulatory compliance to avoid severe administrative and criminal penalties. Authorities may impose immediate suspension, license revocation, and criminal prosecution where businesses engage in serious violations, including:
- Operating beyond the approved scope of business objectives
- Concealing cybersecurity breaches
- Failing to report cyber incidents to the competent authorities
- Non-compliance with tax, customs, or other statutory obligations
- Leasing, transferring, or allowing unauthorized third parties to use the operating license
G. Enforcement Notice
Any violation causing serious harm to national security, public infrastructure, or the national economy may result in the immediate shutdown of operations. Revocation of the business license may also be publicly announced through national media channels within five working days, with offenders subject to criminal prosecution to the fullest extent permitted under Lao law.
CONCLUSION
The Law on Cybersecurity serves as a foundational digital constitutional pillar designed to safeguard and stabilize the national information infrastructure of Lao PDR. Its scope extends far beyond technical countermeasures against hackers or computer viruses. The law also establishes comprehensive governance mechanisms for the protection of critical infrastructure, defines the obligations and liabilities of digital service providers, and creates a structured national framework for cybersecurity incidents.
In summary, the Law on Cybersecurity should not be viewed as a technical compliance instrument, but rather as a broader "Trust Ecosystem" framework that supports the country's digital transformation agenda. By strengthening legal certainty, institutional resilience, and cybersecurity governance, the law aims to ensure that Lao PDR’s digital economy develops in a secure, efficient, and sustainable manner capable of responding to evolving cyber threats in the future.
ABOUT ILAW LAOS
ILAW LAOS is ready to provide legal advisory services to help businesses mitigate regulatory risks, strengthen compliance, and protect organizations and executives from potential liabilities, while supporting the development of a secure digital Trust Ecosystem in Lao PDR.






