Myanmar’s Cybersecurity Law Comes into Effect: Key implications for international stakeholders

Key provisions

• Extraterritorial reach: The Cybersecurity Law extends its jurisdiction outside Myanmar, allowing enforcement against Myanmar citizens for violations committed abroad.
• Ministry approval for virtual private networks (“VPNs”): A VPN is defined as a system that independently establishes a secure network within an existing network using technology to ensure secure connections between networks. Government approval is now required prior to offering VPN services. For individuals, non-compliance carries imprisonment for 1-6 months, a fine of between MMK 1–10 million (USD 476–4,760), or both, and if the violator is a company or organization, a minimum fine of MMK 10 million (USD 4,760) will be imposed.
• Licensing requirements: Entities offering (i) cybersecurity services or (ii) operating digital platforms with over 100,000 users must secure a license, which will be valid for 3-10 years. Non-compliance may result in fines starting at MMK 100 million (USD 47,600). Moreover, organisations that provide cybersecurity services in Myanmar must be incorporated under Myanmar Companies Law.
• Cyber offences and penalties: The Cybersecurity Law also introduces specific penalties for engaging in various cyber offences:
  • Transmitting unsolicited communications carries up to 2 years’ imprisonment or fines of up to MMK 20 million (USD 9,525).
  • Engaging in cyber misuse, including unauthorized access, alteration, or sale of data is punishable by up to 3 years’ imprisonment.
  • Online theft or mischief carries penalties of up to 7 years’ imprisonment.

Takeaways for organisations internationally

The Cybersecurity Law’s licensing mandates require prompt compliance for any organisation with Myanmar-based users or operations. Additionally, the regulation of VPNs and digital platforms may affect cross-border data flows. Companies should begin preparing for licensing logistics and be aware of the potential impact on operations.

Conclusion

Organisations offering or planning to offer cybersecurity services or operate digital platforms in Myanmar must ensure immediate compliance with the registration and licensing regimes established under the Cybersecurity Law.

Both domestic and international stakeholders should closely monitor regulatory developments and proactively adapt operations and data transfer mechanisms to ensure alignment with the Cybersecurity Law’s requirements.

Should you need assistance or have enquiries about whether and how this Cybersecurity Law affects your organisation, please reach out to your usual contact at Hogan Lovells or the authors.

Authored by Charmian Aw and Ciara O'Leary.