Cyber Security Ordinance 2025: Implications for Businesses in Bangladesh

The Cyber Security Ordinance 2025 (Ordinance), which came into effect in Bangladesh on 21st May 2025, is not the country’s first legislative effort to address cyber threats. Initially, cyber security in Bangladesh was governed by the Digital Security Act, 2018 (DSA), but this was later replaced by the Cyber Security Act, 2023 (2023 Act) in view of severe criticism. The 2023 Act reiterated several controversial provisions of the DSA and was alleged to violate international standards on freedom of expression. The Ordinance aims to identify, prevent and suppress serious cyber offences, including cyber terrorism, data theft, online gambling, dissemination of AI-generated content used for blackmail, sexual harassment, pornography etc., and unauthorized electronic transactions. It further eliminates provisions from the 2023 Act which were subject to controversy.[1]

In this blog, we examine the implications of the Ordinance for businesses operating in or with Bangladesh and outline practical steps organizations can take to ensure compliance and enhance their cyber resilience framework.

About the Cyber Security Ordinance 2025

The Ordinance primarily aims at:
  • Safeguarding Critical Information Infrastructure (CII)
  • Establishing cyber emergency response protocols
  • Defining roles and responsibilities of national cybersecurity institutions
  • Imposing penalties for cyber offences and non-compliance

Who must comply?

The Ordinance has extra-territorial application and applies to –
  • Any person or body corporate, company, partnership, firm or other organization, including, in the case of a digital device, its controller and any entity created by law or artificial legal entity
  • Software developers
  • Users of artificial intelligence tools

The Regulator

Currently, the Bangladesh Government’s e-Government Computer Incident Response Team (BGD e-GOV CIRT), Bangladesh Computer Council (BCC) serving as the National Computer Emergency Response Team (NCERT) and the National Security Operation Centre (NSOC) are the regulators which will oversee real-time cyber monitoring, threat detection and coordinated responses.

Activities prohibited under the Cyber Security Ordinance 2025

The Ordinance criminalises a wide range of cyber-related activities that pose risks to individuals, institutions or national security. Key compliance obligations under the Ordinance are –

Prohibits publication or distribution of obscene digital content amounting to Sexual Harassment, Blackmailing etc.

The law prohibits intentionally or knowingly transmitting, publishing or disseminating, or threatening to transmit, publish or disseminate, any information, video image, audio visual image, still image or graphics for the purpose of blackmailing, sextortion, sexual harassment, child sexual abuse or revenge porn.

Use of Artificial Intelligence (AI) for committing criminal offences

Using AI for the purpose of committing any offence, such as generating and publishing digital content for blackmailing or sexually harassing any person, or content amounting to sextortion, child sexual abuse or revenge porn, creating any new data in or damaging any data of critical information infrastructure, altering, destroying or hiding the source code of any computer etc., is prohibited.

Prohibits Cyber Terrorism

The law prohibits launching cyber-attacks to disrupt essential services, create public panic or adversely affect foreign relations, or impersonating others by forging identification documents.

Prohibits Online Gambling

Creating or administering any portal, app or device for gambling in cyber space, or engaging in, assisting or encouraging others to engage in online gambling, is prohibited in the country.

Prohibits unauthorized access to digital systems

This includes gaining access illegally to any computer, computer system or device or any critical information infrastructure.

Prohibits Tampering or Sabotage

This includes modifying, deleting or corrupting data or programs intentionally or introducing malware, ransomware or other harmful code into systems for unethical means.

Consequences of non-compliance

In the event an offence is committed by a company, every owner, chief executive, director, manager, secretary, partner or any other officer, employee or representative of the company who is directly involved in the commission of such offence will be held liable. The penalties can be severe:
  • Fines up to Taka 1 crore, and
  • Imprisonment up to 10 years, depending on the offence.
Moreover, compliance is essential for protecting company reputation, building trust with customers and authorities and enabling digital resilience.

Recommended best practices for businesses

While the Regulations around this Ordinance have not yet been announced, businesses should adopt industry-aligned best practices for effective cyber security.

A few recommended compliances are suggested below:

Conclusion

The Ordinance is expected to mark a significant shift in how Bangladesh approaches digital resilience. It places a clear responsibility on businesses to ensure their systems and personnel do not become conduits for cybercrime or negligence.

Cybersecurity today is not just about technology; it is about accountability, trust and long-term sustainability. Companies that take proactive steps to secure their data and operations are more likely to gain a competitive edge, build lasting stakeholder confidence and avoid the legal, financial and reputational damage of non-compliance.

To help businesses comply, Komrisk acts as a centralized repository of actionable compliance obligations, including those arising from laws like the Cyber Security Ordinance and other regulations. It allows organizations to upload evidence of compliance, track progress in real time, generate audit-ready reports and identify high-risk areas across entities, operating units and departments. By streamlining compliance workflows and offering a real-time view of your organization’s compliance health, Komrisk empowers you to stay ahead of regulatory expectations with confidence. In today’s environment, staying secure and compliant is not optional but a priority. Let Komrisk be your trusted ally in building a cyber-resilient and legally secure future.

Get in touch with us for a demo.


[1] The Cyber Security Act 2025 eliminates the 9 provisions from its predecessor dealing with offences like defamation and publishing or disseminating content deemed offensive to national symbols and historical figures or the liberation war of Bangladesh, or content that is harmful, false, threatening or demeaning to a person.

Authored by: Debashis Banerjee
Co-Authored by: Antara Dasgupta

Disclaimer

The information provided on this blog is for general informational purposes only and is not a substitute for professional legal advice. We are not a law firm and are not authorized to practice law in your jurisdiction. Laws and regulations are complex and constantly changing, and information that may be true in one jurisdiction may not apply in another. Before acting on any information you read here, you should consult with a qualified lawyer practicing in the relevant jurisdiction for your specific legal issues or concerns. While we strive to provide accurate and up-to-date information, we make no guarantees that the information on this blog is completely current or error-free. We disclaim any liability for any actions taken or not taken based on the information on this blog.
