English
עברית
Français
Deutsch
Русский
Español
简体中文
日本語
Dutch
Türkçe
Language
English
עברית
Français
Deutsch
Русский
Español
简体中文
日本語
Dutch
Türkçe
Home
About us
About us
CV at a glance
Global reach
Pro Bono
What we do
Practice area
The team
Knowledge center
Insights & News
Client updates
Credentials
Doing business in Israel
Barnea blog
Join us
Work at Barnea
Intern at Barnea
Contact
© All rights reserved to Barnea Jaffa Lande Law offices

Together is powerful

Client updates
19 February 2026
by Avishay Klein
Masha Yudashkin
         
Antitrust and Competition
Banking & Finance
Capital Markets
Corporate
Employment
High Tech
Infrastructure
Internet
Litigation
NPO
Private Clients
Real Estate
Regulation
Tax
White Collar

Israel publishes National Cybersecurity draft bill (2026): new obligations, enforcement authorities and broad implications

Summary

  1. National Cybersecurity draft bill – the draft bill, published in January 2026,  seeks to regulate the activities of the National Cyber Directorate and establish a binding cybersecurity framework in Israel. The draft bill sets out cybersecurity, reporting and supervisory obligations, as well as significant enforcement mechanisms, including pecuniary sanctions and, in certain cases, exposure to criminal liability.
  2. Applicability of the law – the proposed National Cybersecurity Law will apply mainly to “essential organizations,” including government entities and organizations in vital infrastructure sectors (such as telecommunications, energy, health and transportation), according to defined criteria and classifications. The draft bill also regulates providers of digital services and storage services, including data centers, PaaS, SaaS, cybersecurity services and online platforms.
  3. Statutory obligations and their practical implications – entities subject to the law will be required to fulfill cybersecurity obligations based on their degree of criticality and risk. These obligations may include compliance with stringent information security standards, the obligation to report cyber incidents, ongoing documentation and regulatory supervision. The law is also expected to affect supply chains, since essential organizations will be required to impose stringent standards on suppliers and third parties.
  4. Necessary preparations – although this is still only a draft bill, it reflects a clear trend toward expanding cybersecurity regulation and enforcement. We recommend that relevant companies assess the law’s applicability and prepare accordingly, including by performing gap analyses and updating procedures and information security capabilities.

The draft National Cybersecurity Law (2026) was published in January 2026. This significant regulatory measure is likely to have broad impacts on organizations across the economy, especially digital service providers and entities that provide technological infrastructure.

 

The draft bill sets out cybersecurity and reporting obligations and introduces significant enforcement mechanisms, including, in certain cases, criminal liability. Its purposes are to regulate the activities of the National Cyber Directorate and strengthen cyber defense in Israel by imposing binding standards.

 

Applicability of the proposed law

 

The proposed National Cybersecurity Law will mainly apply to essential organizations, including government bodies and organizations in key sectors such  as communications, energy, health, and transportation, as described in the Third Addendum and related classification mechanisms The draft bill may also indirectly affect other public entities and entities that work with, or provide services to, essential organizations.

 

The draft bill also includes regulations relating to “providers of digital services or storage services” – especially where these services may affect the functioning of essential services in the economy. The draft bill is applicable, inter alia, to cloud computing services, data centers, hosting services, authentication and signing services, SMS services, identity and access management (IAM), cybersecurity services, data brokers, SaaS and PaaS and online platforms, such as search engines and social networks.

 

Providers of digital services or storage services may be included in the regulation if they meet at least one threshold criterion (annual turnover of at least ILS 40 million or at least 50 employees), or if they provide services to the Israeli government or to a service entity of the types specified in the draft bill.

 

What is the impact on companies subject to the law?

 

According to the draft bill, entities subject to the law will be required to fulfill cybersecurity requirements based on their business and the nature of their activities. These may include compliance with stringent information security and cybersecurity standards, the obligation to report cyber incidents, ongoing documentation and supervision by the competent authorities.

 

As stated above, the draft bill also prescribes significant enforcement mechanisms, including pecuniary sanctions of up to ILS 640,000 for violations and, in certain cases, exposure to criminal liability. Please note: the draft bill takes a proportionate approach to regulation. the more essential the entity is, or the greater its exposure to cybersecurity risks, the more robust the obligations that will apply to that entity.

 

The proposed law could have broad impacts not only on organizations defined as “essential organizations,” but also on their supply chains. In practice, entities subject to the law will also be required to impose stringent standards on suppliers and third parties, including through contractual provisions requiring cooperation in relevant audits and reports.

 

Recommended preparations

 

Although it is still only a draft bill, it reflects a clear intent to expand the powers of the National Cyber Directorate and introduce nationwide rules on cybersecurity duties, incident and incident response. If enacted in a similar form, the proposed law is likely to apply broadly and significantly affect Israel’s digital services market. These obligations are reminiscent of regulatory approaches in Europe (such as the Network and Information Systems Directive – NIS2) and elsewhere, but the proposed scope of applicability in Israel appears particularly broad.

 

We recommend that potentially affected companies start by carrying out a preliminary review of the draft bill’s requirements and assessing what changes may be needed.

  • Perform a gap analysis between existing capabilities and the bill’s stricter information security and cybersecurity standards;
  • Examine and update the organization’s information security procedures (including event management and reporting, authorizations management, etc.).

 

***

 

Barnea Jaffa Lande’s Privacy Protection, AI and Cybersecurity Department is at your service to advise you about the risks deriving from the proposed information security requirements, about the applicability of the law to your activities and about necessary preparations for the inception of the National Cybersecurity Law.

 

Dr. Avishay Klein is a partner and heads our firm’s Privacy Protection, Cybersecurity and AI Department.

Adv. Masha Yudashkin is an associate in our firm’s Privacy Protection, Cybersecurity and AI Department.

 

Tags: Cyber | Cyber Security | Privacy
Barnea
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.