Quamrun Nahar Mahmud
Advocate Supreme Court of Bangladesh
Bangladesh’s Cyber Security Act, 2026 (CSA 2026) is a sweeping new law, enacted on April 10, 2026, that replaces the Cyber Security Ordinance, 2025. It creates a broad framework of cyber-crimes and enforcement powers. Key features include criminalizing online harassment (e.g. non-consensual sharing of images, “revenge porn”, blackmail), cyber extortion, fraud, “cyber terrorism,” and unauthorized access to digital systems. The Act establishes a new National Cyber Security Agency (Sections 5–6) and empowers regulators (e.g. BTRC) to order removal or blocking of “harmful” content (Section 8), subject to expedited judicial review. It also recognizes Internet access as a civic right and has extraterritorial reach (Section 48). Penalties are severe: e.g. up to 2 years’ imprisonment (5 years if the victim is a woman or child) and large fines for distributing intimate images without consent, and up to 5 years/Tk. 5 million for cyber-extortion (Section 22). Investigations must be completed within 90 days (fast-track).
Civil society and rights groups warned that CSA 2026 retains many vague and broad provisions from earlier laws (Digital Security Act 2018 and Cyber Security Act 2023) that risk chilling free speech. Sections on “insulting” or “hurting religious sentiments” and “spreading chaos” remain largely intact. Law enforcement may exercise warrantless search/arrest (Section 35) and public intimidation (Section 46). Stakeholders note no significant narrowing of criminal speech offenses and warn that the law focuses on punishing individuals rather than imposing duties on platforms.
Legislative History and Stakeholders
CSA 2026 traces its roots through a political upheaval. The Digital Security Act (DSA) 2018 under the previous government was widely criticized for suppressing dissent. In August 2023, that government enacted a replacement “Cyber Security Act 2023,” but civil society found it nearly as bad. After mass protests in mid-2024 led to a caretaker administration, a new “Cyber Safety Ordinance” was promulgated in May 2025. This ordinance removed the most blatant DSA clauses (nine sections) and granted amnesty for old cases. However, critics noted it preserved many problematic provisions.
In the 2026 Parliament (first session of the 13th Jatiya Sangsad), the interim ordinance was passed as CSA 2026 in a single sitting (voice vote, no amendments). Lawmakers reported minimal debate – reportedly none of the civil-society amendments were adopted. On April 10, 2026, the Act was enacted; the President gave assent, and it was gazetted accordingly.
Stakeholders took clear positions: the government maintains the law is necessary for national security and public order. The PM’s Adviser on ICT publicly stated the ordinance was thoroughly reviewed and thus passed unchanged. BTRC officials emphasized needing blocking powers to handle misinformation and abuse. In contrast, opposition legislators and civil society (Nagorik Coalition, journalists’ unions, UNESCO etc.) decried the law as “repressive” and warned it would encourage arbitrary arrests. Legal experts noted that some intimidating provisions (e.g. “spreading anxiety”) were slightly softened from the draft ordinance, but not sufficiently. On balance, the government presents CSA 2026 as a modernizing reform, while rights groups view it as a continuation of the old “Digital Security Act” paradigm.
Analysis of the Key Provisions
Definitions (Section 2): The Act contains detailed definitions. Notably, it defines terms such as “communication service provider,” “critical information infrastructure,” “cyber space,” “digital forensic,” “internet,” etc. (These reflect standard usage in Bangladesh law; for example, “cyber terrorism” is defined broadly to include unauthorized actions affecting national security). Key definitions include:
“Critical Information Infrastructure – CII”: defined as any communication or ICT system whose compromise could threaten public order, national security or economic life.
“Global Threat Intelligence”: the process of gathering and analyzing cyber threat information to help stakeholders detect, prevent, and respond to cyber risks.
“Digital Device”: broadly defined as any electronic, digital, magnetic, optical, or data-processing device or system, including its hardware, software, networks, applications, databases, and communication functions. The definition expressly covers modern technologies such as artificial intelligence, cloud computing, blockchain, machine learning, quantum computing, large language models (LLMs), Internet of Things (IoT), gaming systems, and other advanced computing technologies.
“Digital Forensic Lab”: defined as an approved laboratory that adheres to national laws, international standards, cyber security protocols, and internationally recognized compromises. It is equipped with professional technical capabilities to lawfully and acceptably collect, preserve, verify, and present digital evidence.
Perhaps one of the most important aspects of this Act is its definition of “Digital Child Sexual Abuse Related Materials”. The term is defined as any material created using digital or electronic media that:
(a) Visually, audibly, textually, or otherwise depicts or describes actual or simulated explicit sexual acts, genitalia, sexual attire/instruments, sexual services, private sexual communication with another person, or sexual offenses under relevant laws (e.g., Children Act 2013).
(b) Promotes, encourages, or directs anyone to engage in or observe actual/simulated sexual acts, display genitals, use sexual attire/instruments, engage in sexual services, private sexual communication, or assist in sexual offenses (including facilitating or receiving sexual services for money, controlling someone for sexual purposes, or preparing someone for sexual aims).
(c) Through any aid or arrangement, encourages or directs a person to engage in or observe any of the above activities, display genitals, use sexual attire/instruments, involve in sexual services, private sexual communication, or assist in sexual offenses.
“Sexual Harassment” in cyberspace is defined as:
(a) Harassment by repeatedly requesting nude photos or proposing unlawful physical relationships by abusing administrative or professional power.
(b) Unauthorized transmission of someone’s genital images, sexually provocative material, or pornographic content; or altering someone’s image into pornographic or sexualized material using technology without their consent.
(c) Threatening, pressuring, or intimidating someone for not responding to a relationship proposal in cyberspace, to establish a sexual relationship.
“Revenge Porn” is defined as spreading someone’s private or personal photos, videos, or similar data using any publishing technology, without that person’s permission, with the intention of causing them harm.
“Cyberspace” is defined widely as the entire physical and virtual environment of interconnected digital devices and networks (internet, telecom, AI, IoT, social media, etc.) where all online activities occur, including data creation, storage, and transmission. It also covers computers, systems, and AI-generated data.
Another essential definition is “Sextortion”, defined as a form of fraud or extortion where someone, by claiming to possess a person’s private photos, videos, or recordings, threatens to publish them to obtain money or benefits, or to attempt to establish a physical relationship.
Extraterritorial Application (Section 4): Any offense committed by a Bangladeshi citizen outside the country is treated as if committed within Bangladesh. Furthermore, if a person outside Bangladesh uses a computer, network, or digital device to commit an offense inside Bangladesh, or if a person inside Bangladesh commits an offense outside Bangladesh, the entire offense is legally deemed to have occurred within Bangladesh.
National Cyber Security Agency (Sections 5–6): The Act establishes a National Cyber Security Agency under the ICT Ministry, headed by a Director General. It empowers this agency to collect cyber-crime complaints, coordinate responses, and maintain a National Cyber Emergency Response Team (N-CERT) and Security Operations Centre. (These reflect the government’s push for centralized cyber-monitoring. Recruitment of experts is mandated).
Chapter Three of the Act deals with Preventive Measures. Section 8 empowers authorities to remove or block digital content posing cyber security threats. The Director General may order removal, blocking, or transfer of such data and can request assistance from BTRC. If law enforcement believes content threatens national security, public order, religious harmony, or incites violence, they may act through the Director General or BTRC. Upon receiving a request or tribunal order, BTRC or the ICT Division will direct tech companies to act, notify the government, and publish details of blocked content for transparency. Any removal or blocking must receive tribunal approval within three days; otherwise, the content must be restored. Further rules may prescribe additional procedures.
This chapter also deals in depth with the scope of work of the Computer Emergency Response Team and the Digital Forensic Lab.
Offences (Chapter 6): The Act then lists multiple offences. Key offences among them are:
Sections 17–18 deal with offences such as hacking and unauthorized access to computer systems.
Section 17 deals with unauthorized access, hacking, or AI-assisted damage to critical information infrastructure (e.g., stealing, altering, or destroying data or source code). This offence attracts up to 5–7 years of imprisonment, or a fine of up to Tk. 5 million to Tk. 10 million, or both.
Section 18 criminalizes unauthorized access to computers, digital devices, computer systems, or networks. It specifies that any person who intentionally gains or assists unauthorized access (clause a), does so with the intent to commit an offense (clause b), or through such unauthorized access steals, destroys, alters, reduces the value of any information, generates new data using AI agents, or otherwise causes harm (clause c), shall be guilty of an offense. Penalties include up to 1 year imprisonment or a fine up to Tk. 1 million, or both, for offenses under clause (a); and up to 2 years imprisonment or a fine up to Tk. 2 million, or both, for offenses under clause (b).
Section 20 penalizes gambling in cyberspace. Any person who creates or operates any portal, app, or device for online gambling, participates in gambling, assists or encourages gambling, or engages in advertising for gambling, directly or indirectly, commits an offense punishable by up to 2 years imprisonment, or a fine up to Tk. 100 thousand, or both.
Section 21 penalizes scams in cyberspace. Any person who scams another through cyberspace commits an offense punishable by up to 2 years imprisonment, or a fine up to Tk. 2 million, or both. Section 22 penalizes fraud committed through cyberspace. Any person who uses cyberspace to commit fraud commits an offense punishable by up to 5 years imprisonment, or a fine up to Tk. 5 million, or both.
A very important section of this Act is Section 23. It defines cyber terrorism as any intentional act where a person creates obstacles to lawful access or gains unauthorized access to any computer, network, or internet with the intention of spreading fear among the public regarding state instability, security, or sovereignty; or modifies or gains access to digital resources with malicious intent resulting in death, grievous hurt, or the likelihood thereof; or attacks computer systems or servers to disrupt or damage the supply of essential goods or services; or accesses or infiltrates any computer, network, or database that may be used in the interest of a foreign state or entity, unless done in public interest through official authorization; or conceals identity, assumes another person’s identity, distributes someone’s national ID, or uses another’s personal information to commit any of the above acts. Any person committing such acts is guilty of cyber terrorism and liable to punishment under the Act.
This offense is punishable by up to 10 years imprisonment, or a fine up to Tk. 10 million, or both.
Another significant section of this Act is Section 25, which deals with sexual harassment in cyberspace. Section 25 penalizes the publication or transmission of sexually harassing, defamatory, or obscene content in cyberspace. If any person intentionally or knowingly creates, possesses, stores, or transmits through a website or any digital or electronic medium any data, video, image, audio, visual, still picture, profile, or AI-generated or edited content related to defamation, sexual harassment, revenge porn, digital child sexual abuse material, or sextortion, with the intent to cause harm or spread fear, or threatens to do so, such act shall be an offense. The offender shall be punishable with up to 2 years imprisonment, or a fine up to Tk. 1 million, or both.
If the above offence is committed against a woman or a child under the age of 18, then the offender shall be punishable with up to 5 years imprisonment, or a fine up to Tk. 2 million, or both.
Section 26 deals with Offense and Penalty for Publishing Content Inciting Violence, Hatred, or Hostility on Religious or Racial Grounds in Cyberspace. The offender shall be punishable with up to 2 years imprisonment, or a fine up to Tk. 1 million, or both.
This chapter also deals with abetment, false allegations and offenses by companies.
Sections 31 to 47 of the Act deal with procedural powers. Section 32 requires that investigations into cybercrimes be completed within 90 days (“fast track”), after which charges must be filed or dropped.
Section 35 establishes that in urgent cases, police may search premises, seize digital devices, and even arrest suspects without a warrant. Section 36 provides that electronic evidence is admissible in court; authorities may compel tech companies or ISPs to provide data.
Section 48 deals with mutual legal assistance: Bangladesh can cooperate with other countries under international treaties (e.g. Mutual Legal Assistance in Criminal Matters Act, 2012). Offences by foreigners against Bangladeshis are prosecutable under local law.
(to be continued …)
