Israel Publishes National Cybersecurity Draft Bill: New Obligations, Enforcement Authorities, and Broad Implications

The draft National Cybersecurity Law was published in January 2026. This significant regulatory measure is likely to have broad implications for organizations across the economy, particularly digital service providers and entities that provide technological infrastructure.

The draft bill sets out cybersecurity and reporting obligations and introduces significant enforcement mechanisms, including, in certain cases, criminal liability. Its purpose is to regulate the activities of the National Cyber Directorate and strengthen cyber defense in Israel by imposing binding standards.

Applicability of the Proposed Law

The proposed National Cybersecurity Law will primarily apply to essential organizations, including government bodies and organizations in key sectors such as communications, energy, health, and transportation, as described in the Third Addendum and related classification mechanisms. The draft bill may also indirectly affect other public entities and entities that work with, or provide services to, essential organizations.

The draft bill also includes regulations relating to “providers of digital services or storage services,” particularly where such services may affect the functioning of essential services in the economy. The bill applies, inter alia, to cloud computing services, data centers, hosting services, authentication and signing services, SMS services, identity and access management (IAM), cybersecurity services, data brokers, SaaS and PaaS providers, and online platforms such as search engines and social networks.

Providers of digital or storage services may fall within the scope of the regulation if they meet at least one threshold criterion (annual turnover of at least ILS 40 million or at least 50 employees), or if they provide services to the Israeli government or to a service entity of the types specified in the draft bill.

Impact on Companies 

Under the draft bill, entities subject to the law will be required to comply with cybersecurity requirements based on the nature of their business and activities. These may include adherence to stringent information security and cybersecurity standards, reporting obligations in the event of cyber incidents, ongoing documentation requirements, and supervision by the competent authorities.

As noted above, the draft bill also prescribes significant enforcement mechanisms, including monetary sanctions of up to ILS 640,000 for violations and, in certain cases, exposure to criminal liability. Notably, the bill adopts a proportionate regulatory approach: the more essential the entity or the greater its exposure to cybersecurity risks, the more stringent the obligations that will apply.

The proposed law may have broad implications not only for organizations defined as “essential organizations,” but also for their supply chains. In practice, entities subject to the law will likely be required to impose stringent standards on suppliers and third parties, including through contractual provisions requiring cooperation in audits and reporting.

Recommended Preparations

Although still only a draft bill, the proposed law reflects a clear intent to expand the powers of the National Cyber Directorate and introduce nationwide rules governing cybersecurity obligations and incident response. If enacted in a similar form, the  law is likely to apply broadly and significantly affect Israel’s digital services market.

These obligations are reminiscent of regulatory approaches in Europe (such as the Network and Information Systems Directive (NIS2)) and elsewhere. However, the proposed scope of applicability in Israel appears particularly broad.

We recommend that potentially affected companies begin by conducting a preliminary review of the draft bill’s requirements and assessing what changes may be necessary. In particular:

• Perform a gap analysis between existing capabilities and the bill’s stricter information security and cybersecurity standards.
• Review and update the organization’s information security procedures, including incident management and reporting processes, access and authorization management, and related controls.

***

Barnea Jaffa Lande’s Privacy, Cyber and AI Department is at your service to advise on the risks arising from the proposed information security requirements, the applicability of the law to your activities, and the necessary preparations ahead of the enactment of the National Cybersecurity Law.

Dr. Avishay Klein is a partner and head of our firm’s Privacy, Cyber and AI Department.

Adv. Masha Yudashkin is an associate in our firm’s Privacy, Cyber and AI Department.