Pakistan is set to establish a Federal Cyber Security Authority to safeguard critical digital infrastructure and sensitive data. The Ministry of Information Technology (IT) and Telecom reportedly has drafted the Pakistan Cyber Security Act 2025 and is seeking stakeholder feedback. Federal Minister Shaza Fatima Khawaja terms the Cybersecurity Act “essential for national security and reflected the government`s whole-of-nation approach” to cybersecurity, marking a major reform initiative. This initiative aligns with the National Cyber Security Policy and the Digital Economy Enhancement Program.
Prospects of Cyber Security Act 2025
The increased use of information and communication technologies enhanced global connectivity, mobility, Artificial Intelligence and versatility of digital services exposes information assets to a host of new and evolving Cyber Security threats. The Fourth Industrial Revolution has made these assets highly valuable. Linking the concept of cybersecurity with geo-politics, the Global Cybersecurity Outlook Report, 2023 noted that 91% of the respondents (that included business and cyber leaders) feared that ‘global geopolitical instability’ might result in “a far reaching, catastrophic cyber event” in the ‘next two year’. Amid the prevailing risks in the digital and cyber domain, the government has decided to establish a Cybersecurity Authority at the federal level. The authority has reportedly drafted the Cyber Security Act 2025 and will propose cybersecurity measures for critical national infrastructure and implement cybersecurity initiatives across the country.
The current legal framework for cybersecurity is governed by the Prevention of Electronic Crimes Act 2016 (PECA). The PECA was enacted to curb the rising cybercrimes in Pakistan and offences relating to information systems. It lays out the procedure for investigation and specifies the penalties for electronic crimes. The PECA provides for the constitution of a computer emergency response team. Its role is to respond to any threat against or attack on critical infrastructure information systems or critical infrastructure data, or widespread attack on information systems within Pakistan.
Cyber Security & Pakistan
Federal Minister for Information Technology and Telecom Shaza Fatima Khawaja said the Cybersecurity Act 2025 was essential for national security and reflected the government`s whole-of nation approach to cybersecurity, marking a major reform initiative. Highlighting Pakistan’s Tier-1 position in the ITU Global Cybersecurity Index, she said this achievement reflects the collective commitment of government, academia, and youth toward a secure technological future. She also pointed to advancements in AI-driven cybersecurity, dark-web monitoring, cloud security, and secure digital identity under the Cloud-First Policy.
According to her the Act will establish the National Cybersecurity Authority (NCA) to lead nationwide incident response and threat intelligence, while expansion of the Pakistan Computer Emergency Response Team (PKCERT), and the development of secure digital public infrastructure under the Digital Economy Enhancement Project (Deep) will further strengthen national cyber resilience.
Pitfalls of Pakistan’s Cybersecurity Act 2025
Cyber threats in the country are escalating at an alarming rate. In 2023, cyber-attacks in Pakistan surged by 17%, with 16 million attacks blocked by one of the leading cyber security firms. Despite, the pitfalls of Pakistan’s Cybersecurity Act 2025 and its associated PECA amendments revolve around concerns that the legislation prioritizes state control and surveillance over fundamental rights and transparency.
Key pitfalls identified by civil society, legal experts, and digital rights advocates include:
- Suppression of Free Speech and Press Freedom: Vague and broad definitions of offenses, particularly the criminalization of “fake news” under Section 26-A of the PECA Amendment, can be used to target journalists, critics, and political opponents.
- Lack of Transparency and Independent Oversight: The law has been criticized for being passed without meaningful public consultation and for lacking robust, independent oversight mechanisms, just like the Social Media Protection Authority (SMPRA) and the National Cybersecurity Authority (NCA).
- Vague Legal Terminology: Terms like “fake news,” “unrest in the general public,” and “critical infrastructure” are not clearly defined, leaving broad discretion to enforcement agencies like the Federal Investigation Agency (FIA). This ambiguity creates a risk of arbitrary application and misuse of authority.
- Expanded Surveillance Powers: The new framework is seen as expanding government surveillance capabilities, including potential for real-time access to user data and the ability to order blanket website shutdowns. This raises significant privacy concerns and potentially violates constitutional guarantees of fundamental rights.
- Focus on Control over Technical Excellence: Concerns exist that the new framework prioritizes political control and censorship over developing a coherent, civilian-led cybersecurity architecture with a focus on technical expertise and resilience.
- Inadequate Protection Against State Abuse: The legislation fails to provide robust safeguards against the state’s potential misuse of data and power, which has been a concern in the past with data leaks and the targeting of activists.
- Economic and Practical Concerns: The law introduces significant compliance costs for businesses, particularly regarding potential data localization requirements, which could deter global investment and impact the economy.
The Cybersecurity Act will only succeed if implemented with openness, independent oversight and a commitment to protecting fundamental rights. Without this, the law risks amounting to little more than an expanded surveillance tool, adding to concerns raised by civil society in the wake of recent amendments to cybercrime regulations, threats to block VPNs and Pakistan’s latest ‘Not Free’ score in the Freedom House internet freedom report.
By
Editorial, Infocus
