
Israel's National Cybersecurity Draft Bill 2026: Practical Compliance Checklist for Banks, Fintechs and Payment Providers

By Global Law Experts, posted 3 hours ago

Israel’s national cybersecurity law is moving from policy aspiration to legislative reality. The National Cyber Protection Draft Bill, 5786‑2026, published in early 2026, proposes a unified statutory framework that will impose new governance, incident-reporting and enforcement obligations on every organisation deemed part of the country’s critical infrastructure, with the financial sector squarely in the crosshairs. For Chief Compliance Officers, CISOs and Heads of Risk at banks, fintechs and payment service providers (PSPs), the draft represents both a regulatory step-change and a narrow window in which to shape internal readiness before the bill’s provisions crystallise into binding law.

This article delivers the sector-specific, prioritised cybersecurity compliance checklist that the draft demands, covering scope thresholds, breach-notification timelines, vendor-risk controls, enforcement exposure and a phased 90/180/360-day action plan.

At a Glance: Five Priority Actions

  • Appoint or empower a named cyber-compliance lead with a direct reporting line to the board and authority over budget, policy and incident escalation.
  • Map every digital asset, data flow and third-party dependency against the draft’s “essential service operator” criteria to confirm whether, and how, your firm falls within scope.
  • Build or update your incident-response playbook to align with the draft’s dual-track reporting obligations (preliminary notification to the Israel National Cyber Directorate plus sectoral regulator).
  • Audit vendor and outsourcing contracts for cybersecurity clauses, breach-notification pass-throughs and penetration-testing rights.
  • Establish a direct communication channel with the INCD and your sectoral regulator (Bank of Israel, ISA or Payments Authority); do not wait for the final enactment.

Background: What the 2026 National Cybersecurity Draft Bill Proposes

The draft bill, formally titled the National Cyber Protection Law, 5786‑2026, was circulated for public comment in January–February 2026. It aims to replace Israel’s fragmented patchwork of government resolutions and sector-specific directives with a single, comprehensive cybersecurity statute. According to analysis published by Arnon Tadmor‑Levy, the draft establishes a statutory mandate for organisational cyber-risk management, formalises the Israel National Cyber Directorate’s (INCD) enforcement powers, and introduces mandatory incident-reporting obligations across designated sectors. The Hebrew University’s Cyber Security Research Center (HUJI CSRCL) has described the draft as “the most significant legislative development in Israel’s cyber governance since the founding of the INCD in 2015,” noting that it consolidates the Directorate’s advisory role into an explicit regulatory authority with teeth.

The bill’s architecture rests on three pillars: organisational duties (governance, risk assessment, technical controls), incident management (detection, reporting, remediation) and enforcement (administrative sanctions, criminal liability, investigatory powers). Critically for the financial sector, the draft does not displace existing Bank of Israel or Israel Securities Authority (ISA) supervisory requirements; it layers additional, cross-sector duties on top of them. The INCD, housed under the Prime Minister’s Office, becomes the lead national authority for coordinating cyber-incident response and exercising the new enforcement powers, while sectoral regulators retain supervisory jurisdiction over licensed entities. According to Barnea’s February 2026 client alert, the bill also introduces data-retention limitations and privacy safeguards governing information collected during cyber-incident investigations.

Key Definitions in the Draft Israel Cybersecurity Law

Understanding whether your organisation is captured hinges on three defined terms that recur throughout the draft:

  • Operator of essential services. Any entity that provides a service the disruption of which could significantly impair public safety, economic stability or national security. Banks, clearinghouses and payment-system operators are expressly cited.
  • Critical information infrastructure. The information systems, networks and operational-technology environments that underpin essential services, including core banking platforms, SWIFT gateways and real-time payment rails.
  • Significant cyber incident. An event that materially degrades, disrupts or compromises the confidentiality, integrity or availability of critical information infrastructure, or that triggers a statutory reporting obligation.

Who Is Covered: Scope and Thresholds Under Israel’s National Cybersecurity Law

The draft casts a wide net. Any entity that meets the “essential service operator” definition, assessed by reference to service type, scale and systemic significance, falls within scope. The INCD is empowered to designate specific organisations by order, but the draft also applies automatically to sectors and sub-sectors listed in a schedule to be annexed once enacted.

For the financial sector, industry observers expect the following categorisation to apply based on the draft’s structural logic and precedent from existing INCD guidance:

Decision Tree: Is Your Organisation Covered?

  1. Licensed bank or banking corporation? → Covered. Banks supervised by the Bank of Israel are expressly within the draft’s essential-services schedule.
  2. Licensed payment-service provider (PSP) or e-money institution? → Likely covered, particularly if you process above a systemic-volume threshold or connect to national payment infrastructure.
  3. Fintech holding a financial licence (ISA-regulated investment platform, peer-to-peer lender, robo-adviser)? → Covered if designated by the INCD or if the fintech’s services are classified as essential by its sectoral regulator.
  4. Unregulated fintech (pre-licence stage, SaaS provider to banks)? → Not directly covered as an operator, but likely caught as a critical third-party provider subject to contractual pass-through obligations imposed by covered clients.
  5. Payment-infrastructure provider (clearinghouse, card-scheme processor)? → Covered under the critical-infrastructure provisions (the highest tier of obligations).

If your entity sits at step 4, the practical effect will nonetheless be substantial: covered banks and PSPs will be contractually obligated to flow down the draft’s requirements to their technology vendors, making compliance a commercial prerequisite for doing business with Israel’s financial sector.

Reporting and Breach-Notification Obligations: Timelines and Content Requirements

The draft introduces a structured, dual-track breach-reporting regime. The provisions distinguish between a rapid preliminary notification designed to mobilise national response resources and a more detailed follow-up report intended for root-cause analysis and regulatory oversight. According to Barnea’s analysis of the bill, the reporting architecture mirrors European models (notably the NIS 2 Directive) but adds Israel-specific elements, including parallel notification to the INCD and the relevant sectoral regulator.

Immediate Incident Reporting

Upon becoming aware of a significant cyber incident, a covered organisation must submit a preliminary notification to the INCD without undue delay. The draft contemplates a tight initial window, with early indications from practitioner commentary suggesting the timeframe will be set in implementing regulations. This preliminary report is deliberately concise: its purpose is to alert the INCD to the nature and potential scope of the incident, not to deliver a complete forensic analysis.

Detailed Follow-Up Report

A comprehensive incident report must follow within a prescribed period. According to analysis by Arnon Tadmor‑Levy, the detailed report must include the nature of the incident, affected systems, estimated impact, containment measures taken and a preliminary root-cause assessment. Covered entities in the financial sector will also need to address customer-data exposure and compliance with sectoral data-protection obligations, an area where Pearl Cohen has flagged the interaction with the draft’s own data-retention limitations.

Notification to Customers and Third Parties

Where a significant cyber incident involves the compromise of personal data or could affect customers’ financial accounts, the draft requires the covered entity to notify affected individuals and, where applicable, downstream service providers. The timing and form of customer notification are expected to be aligned with the Privacy Protection Authority’s existing guidance, supplemented by sector-specific instructions from the Bank of Israel or ISA.

Reporting timeframes and authorities by entity type (draft framework)

Regulated banks (licensed banking corporations)
  Reporting timeframe: preliminary report without undue delay upon detection; detailed follow-up report within the period to be prescribed in implementing regulations.
  Reporting authority / notes: dual reporting to the INCD and the Bank of Israel Supervisor of Banks; customer notification required where personal data or account integrity is compromised.

Fintechs and PSPs (licensed payment and financial-service companies)
  Reporting timeframe: preliminary report without undue delay; detailed follow-up within the prescribed period.
  Reporting authority / notes: report to the INCD and the relevant sectoral regulator (ISA, Payments Authority or Bank of Israel depending on licence type); third-party dependency disclosures required.

Payment-infrastructure providers (clearinghouses, card-scheme processors)
  Reporting timeframe: immediate preliminary report; detailed follow-up within the prescribed period; continuity plans to be activated in parallel.
  Reporting authority / notes: INCD as lead authority; sectoral regulators informed; heightened obligations regarding systemic-risk assessment and cross-border notification where international payment networks are affected.
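To make the dual-track regime concrete, the following is an added example written for this article; it is not code from the draft bill, the INCD or any of the firms cited. It tracks which filings a significant incident requires for a covered entity (preliminary and detailed reports to the INCD and, in parallel, to the sectoral regulator; customer notification where personal data is compromised) and whether each was made inside its window. The draft leaves the actual time limits to implementing regulations, so the 24-hour preliminary and 7-day detailed windows, the scenario timestamps and the regulator name passed in are all assumptions. It also doubles as a harness for the checklist item later in the article that asks you to time a simulated preliminary notification.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# PLACEHOLDER windows: the draft defers the actual time limits to implementing
# regulations, so these two figures are assumptions made for this example only.
PRELIMINARY_WINDOW = timedelta(hours=24)
DETAILED_WINDOW = timedelta(days=7)

INCD = "INCD"
CUSTOMERS = "affected customers"
PRELIMINARY, DETAILED, CUSTOMER_NOTICE = "preliminary", "detailed", "customer notice"


@dataclass(frozen=True)
class Obligation:
    report: str                   # PRELIMINARY, DETAILED or CUSTOMER_NOTICE
    authority: str                # INCD, the sectoral regulator, or CUSTOMERS
    deadline: Optional[datetime]  # None: timing follows PPA / sectoral guidance


@dataclass
class Incident:
    detected_at: datetime
    sectoral_regulator: str       # "Bank of Israel", "ISA" or "Payments Authority"
    personal_data_compromised: bool = False
    # (report, authority) -> time the filing was actually made
    submissions: Dict[Tuple[str, str], datetime] = field(default_factory=dict)


def required_obligations(inc: Incident) -> List[Obligation]:
    """Dual track: preliminary and detailed reports go to the INCD and, in
    parallel, to the sectoral regulator. Customers are notified only where
    personal data or account integrity is compromised; that deadline is set by
    PPA / sectoral guidance rather than by the draft, hence None."""
    obligations = []
    for authority in (INCD, inc.sectoral_regulator):
        obligations.append(Obligation(PRELIMINARY, authority, inc.detected_at + PRELIMINARY_WINDOW))
        obligations.append(Obligation(DETAILED, authority, inc.detected_at + DETAILED_WINDOW))
    if inc.personal_data_compromised:
        obligations.append(Obligation(CUSTOMER_NOTICE, CUSTOMERS, None))
    return obligations


def record_submission(inc: Incident, report: str, authority: str, at: datetime) -> None:
    """Log a filing. A detailed report to an authority that never received the
    preliminary notification is rejected: the preliminary report is what
    mobilises the national response, so skipping it is a process error."""
    if at < inc.detected_at:
        raise ValueError("submission time predates detection")
    if report == DETAILED and (PRELIMINARY, authority) not in inc.submissions:
        raise ValueError(f"detailed report to {authority} filed before preliminary notification")
    inc.submissions[(report, authority)] = at


def compliance_status(inc: Incident, now: datetime) -> Dict[Tuple[str, str], str]:
    """Per obligation: 'submitted on time', 'submitted late', 'outstanding' or 'overdue'."""
    status = {}
    for ob in required_obligations(inc):
        key = (ob.report, ob.authority)
        filed = inc.submissions.get(key)
        if filed is None:
            status[key] = "overdue" if ob.deadline is not None and now > ob.deadline else "outstanding"
        elif ob.deadline is None or filed <= ob.deadline:
            status[key] = "submitted on time"
        else:
            status[key] = "submitted late"
    return status


def rehearsal_result(detected_iso: str, submitted_iso: str) -> Tuple[float, bool]:
    """For the end-to-end workflow test in the checklist: hours from detection
    to the preliminary notification, and whether that fits the assumed window."""
    elapsed = datetime.fromisoformat(submitted_iso) - datetime.fromisoformat(detected_iso)
    return elapsed.total_seconds() / 3600, elapsed <= PRELIMINARY_WINDOW


def demo_scenario(hours_after_detection: float = 30) -> Dict[Tuple[str, str], str]:
    """Constructed scenario: a bank detects an incident involving customer data,
    files the INCD preliminary report promptly, but reaches the Bank of Israel
    only after the assumed window has closed (e.g. the sectoral channel was
    never documented in advance)."""
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    inc = Incident(t0, "Bank of Israel", personal_data_compromised=True)
    record_submission(inc, PRELIMINARY, INCD, t0 + timedelta(hours=3))
    record_submission(inc, PRELIMINARY, "Bank of Israel", t0 + timedelta(hours=26))
    return compliance_status(inc, t0 + timedelta(hours=hours_after_detection))


if __name__ == "__main__":
    for (report, authority), state in demo_scenario().items():
        print(f"{report:<15} -> {authority:<20} {state}")
```

The point of modelling the regime as a list of obligations rather than a single "reported" flag is that a single incident produces at least four separate filings with two different clocks, and it is the sectoral-regulator track that is most often missed when only the INCD channel has been rehearsed. Once the implementing regulations fix the real time limits, only the two window constants change.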

Cybersecurity Compliance Checklist: Priority Actions for the Next 90, 180 and 360 Days

This is the operational core of the article. The cybersecurity compliance checklist below translates the draft’s provisions into discrete, prioritised tasks for banks, fintechs and PSPs. Items marked [Critical] should be initiated within the first 90 days; items marked [Important] within 180 days; and items marked [Recommended] within 360 days.

Governance and Accountability

  • [Critical] Appoint a named Cyber Compliance Officer (CCO) or confirm that an existing CISO/compliance lead has explicit authority over the draft’s requirements. Document the reporting line to the board or a designated board committee.
  • [Critical] Present a board-level briefing on the draft bill’s scope, obligations and enforcement exposure within 30 days.
  • [Critical] Establish or update the organisation’s cybersecurity policy to reference the draft’s obligations, including governance structure, risk appetite and escalation thresholds.
  • [Important] Create a cross-functional Cyber Compliance Steering Committee with representatives from IT/security, legal, compliance, operations and finance.
  • [Important] Define roles, responsibilities and accountability using a RACI matrix for each compliance workstream.
  • [Recommended] Integrate cybersecurity compliance KPIs into executive performance reviews and remuneration frameworks.

Risk Assessment and Asset Inventory

  • [Critical] Conduct a full inventory of information assets, data flows and system interdependencies, prioritising those that support “essential services” as defined by the draft.
  • [Critical] Perform a gap analysis comparing current cybersecurity controls against the draft’s organisational-duty requirements and existing Bank of Israel / ISA supervisory expectations.
  • [Important] Classify all assets by criticality tier (Tier 1: critical information infrastructure; Tier 2: supporting systems; Tier 3: ancillary) and map each tier to the applicable obligation set.
  • [Important] Document residual risks and remediation timelines; present to the Steering Committee for sign-off.
  • [Recommended] Align the asset-classification methodology with international standards (ISO 27001, NIST CSF) to facilitate cross-border regulatory reporting.

Technical Controls

  • [Critical] Validate that network segmentation, access controls and encryption standards meet the baseline specified or implied by the draft’s technical-measures provisions.
  • [Important] Deploy or enhance security-information-and-event-management (SIEM) tooling to ensure real-time detection of events that could meet the “significant cyber incident” threshold.
  • [Important] Implement multi-factor authentication across all privileged accounts and customer-facing portals handling financial transactions.
  • [Recommended] Evaluate adoption of zero-trust architecture principles for internal network access, particularly for remote and hybrid workforce segments.
  • [Recommended] Ensure that all security tooling produces audit-ready logs with retention periods aligned to the draft’s data-retention provisions and any Bank of Israel record-keeping requirements.

Incident Response and Playbooks

  • [Critical] Develop or update an Incident Response Plan (IRP) that maps directly to the draft’s preliminary-notification and detailed-report obligations.
  • [Critical] Draft template notification forms for: (a) preliminary INCD notification, (b) sectoral-regulator notification, and (c) customer breach notification; pre-populate them with organisational details to minimise response time.
  • [Important] Designate a 24/7 incident-response duty roster with named individuals authorised to submit regulatory notifications.
  • [Important] Integrate legal privilege protocols into the IRP: ensure that forensic investigation outputs are channelled through legal counsel to preserve privilege where appropriate.
  • [Recommended] Establish a retainer with an external forensic-investigation firm and a specialist cyber-law adviser to supplement internal capabilities during a major incident.

Communication and Regulatory Reporting

  • [Critical] Identify and document the specific INCD contact point, the sectoral-regulator cyber-reporting channel (Bank of Israel, ISA or Payments Authority) and any required submission formats.
  • [Important] Prepare a stakeholder-communication plan covering board notification, customer communication, media response and law-enforcement engagement.
  • [Important] Test the reporting workflow end-to-end: simulate a significant-incident scenario and time the submission of a preliminary notification to confirm it meets the draft’s timeframe.
  • [Recommended] Subscribe to INCD threat-intelligence feeds and sectoral-regulator advisories to maintain situational awareness.

Testing and Tabletop Exercises

  • [Important] Conduct a tabletop exercise within 180 days, involving senior management and the board, simulating a ransomware attack on core banking or payment-processing systems.
  • [Important] Commission an external penetration test of all Tier 1 (critical) assets and remediate high/critical findings within 90 days of the test report.
  • [Recommended] Schedule recurring red-team/blue-team exercises at least annually, with findings reported to the Steering Committee and tracked to closure.

Budget and Procurement

  • [Critical] Secure board-approved budget allocation for: gap-remediation programme, incident-response tooling, external advisory retainers and staff training.
  • [Important] Benchmark cybersecurity spend against peer institutions (industry observers suggest regulated financial institutions in Israel typically allocate 8–12% of total IT spend to cybersecurity).
  • [Recommended] Evaluate RegTech solutions for continuous-compliance monitoring, automated reporting and vendor-risk scoring to reduce ongoing operational burden.

Third-Party Cyber Risk in Israel: Due Diligence and Contractual Controls

The draft bill’s emphasis on supply-chain resilience means that managing third-party cyber risk in Israel will become a regulated obligation, not merely a best practice. Covered entities will be expected to demonstrate that vendors and outsourcing partners operating critical systems meet equivalent security standards and that contractual arrangements enable rapid incident detection, notification and remediation.

Vendor Onboarding Checklist

  • Obtain and review the vendor’s most recent SOC 2 Type II or ISO 27001 certification report.
  • Assess the vendor’s incident-response capability, including notification timelines and escalation procedures.
  • Evaluate sub-contracting arrangements: identify any fourth-party dependencies that could affect service continuity.
  • Confirm that the vendor’s data-handling practices comply with Israel’s Privacy Protection Law and the draft bill’s data-retention limitations.

Contractual Clauses to Include

  • Cyber-incident notification pass-through. Require the vendor to notify the covered entity of any cyber incident affecting shared systems within a timeframe that enables the entity to meet its own INCD reporting obligations.
  • Right to audit and penetration-test. Reserve the right to conduct or commission security assessments of the vendor’s relevant systems at least annually.
  • Remediation obligations and SLAs. Specify maximum remediation timelines for critical and high-severity vulnerabilities discovered during audits or penetration tests.
  • Termination rights. Include the right to terminate for material breach of cybersecurity obligations, with appropriate transition and data-migration provisions.

Continuous Monitoring

Contractual controls alone are insufficient. Industry observers expect the INCD’s implementing regulations to require covered entities to maintain ongoing oversight of critical vendors, including periodic reassessment of security posture, monitoring of vendor threat-intelligence feeds and scenario planning for supply-chain disruption events. Early indications suggest that the INCD may issue sectoral guidance on vendor-monitoring frequency and methodology following the bill’s passage.

Enforcement, Penalties and Regulator Powers Under Israel’s National Cybersecurity Law

The draft significantly expands the INCD’s enforcement toolkit. According to Barnea’s client alert and the HUJI CSRCL preliminary overview, the bill empowers the INCD to issue binding administrative orders, including directives to remediate vulnerabilities, restrict system access or suspend specific services, and to impose financial penalties for non-compliance. The draft also contemplates criminal liability for the most serious breaches, such as deliberate obstruction of an INCD investigation or wilful failure to report a significant incident.

For financial-sector entities, the enforcement landscape is layered: the INCD’s administrative powers operate alongside the existing supervisory sanctions available to the Bank of Israel and the ISA. The likely practical effect will be dual-track enforcement, where a single cyber incident could trigger parallel proceedings from the INCD (under the new statute) and the sectoral regulator (under existing supervisory powers).

Mitigation strategies include:

  • Proactive self-reporting. The draft signals that timely, good-faith reporting may be considered a mitigating factor in enforcement proceedings.
  • Documented compliance programme. Maintaining auditable evidence of a robust cybersecurity compliance programme, including policies, training records, testing results and board oversight, will be critical to demonstrating due diligence.
  • Engagement with the INCD. Early and constructive engagement with the Directorate during the public-consultation phase may reduce the risk of adversarial enforcement post-enactment.

Implementation Timeline and Practical Next Steps

The draft bill’s progress through the Knesset will determine the final compliance timeline, but regulated entities should not wait for enactment to begin preparation. The table below outlines a phased roadmap anchored to the current legislative trajectory.

Phased roadmap

Phase 1, Foundation (0–90 days, starting now)
  Key activities: governance appointments; board briefing; asset inventory; gap analysis; IRP update; INCD contact established; budget secured.

Phase 2, Build (91–180 days)
  Key activities: technical-controls remediation; vendor-contract audit and renegotiation; tabletop exercises; reporting-workflow testing; Steering Committee operational.

Phase 3, Embed (181–360 days)
  Key activities: penetration testing and red-team exercises; RegTech deployment; compliance-monitoring dashboards; staff training programme; annual review cycle established.

Legislative milestones (indicative, 2026)
  Draft published Jan–Feb 2026; public consultation period; Knesset committee review; implementing regulations expected to follow enactment.

A suggested RACI model for compliance activities: the CCO/CISO is Accountable; the Steering Committee is Responsible for workstream delivery; Legal and External Advisers are Consulted; and the Board is Informed through quarterly reporting. Budget categories to plan for include personnel (new hires or reallocation), technology (SIEM, endpoint detection, RegTech tools), external advisory (legal, forensic, penetration testing), training and awareness, and insurance (cyber-liability policy review).

Conclusion: Preparing for Israel’s National Cybersecurity Law

The national cybersecurity draft bill that Israel has published represents the most consequential regulatory development for the country’s financial sector in over a decade. The obligations it introduces, from board-level governance mandates to granular incident-reporting timelines and vendor-oversight duties, will require material investment in people, processes and technology. But the compliance window is open now, before the bill hardens into statute and the INCD begins exercising its expanded enforcement powers. Institutions that treat this period as an opportunity to build best-in-class cybersecurity compliance programmes will be better positioned not only to satisfy the new law, but also to strengthen operational resilience and stakeholder trust.

For a tailored readiness assessment or to discuss how the draft bill applies to your organisation, contact Global Law Experts or browse the GLE lawyer directory to connect with a compliance specialist.

Appendix: Quick Templates and Regulator Contacts

  • INCD official department page: Access via the Israel government portal for threat alerts, guidance documents and contact details.
  • Preliminary incident-notification template: Pre-populate with your organisation’s legal name, licence number, CCO/CISO contact details and a structured incident-summary field. Detailed templates for Israeli banks and fintechs will be developed as a companion resource to this article (cyber incident response checklist, forthcoming).
  • Vendor cybersecurity-clause template: Include pass-through notification obligations, audit rights, remediation SLAs and termination triggers. Adapt to your organisation’s standard procurement terms. A detailed third-party cyber risk checklist for payment providers is forthcoming as a companion resource.
  • GLE Lawyer Directory: Browse compliance specialists with experience in cybersecurity regulation, fintech licensing and Israeli regulatory law.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Idan Levy at MITIGATE Compliance & Risk Management, a member of the Global Law Experts network.

Sources

  1. Israel National Cyber Directorate (INCD), Gov.il
  2. National Cyber Protection Law Draft Bill, 5786‑2026, Arnon Tadmor‑Levy
  3. Barnea, Israel Publishes National Cybersecurity Draft Bill 2026
  4. Pearl Cohen, Israel Publishes Draft Bill on National Cyber Protection
  5. HUJI CSRCL, The New Israeli Cyber Draft Bill: A Preliminary Overview
  6. Baker McKenzie, Key Data and Cybersecurity Laws: Israel
  7. RNC Group, Cybersecurity Incident Reporting: Israel

FAQs

Which organisations are covered by the National Cybersecurity Law draft?
The draft applies to all “operators of essential services” and entities operating “critical information infrastructure.” In the financial sector, this includes licensed banks, payment-service providers, clearinghouses and fintechs holding financial licences. Unregulated technology vendors to covered entities will be indirectly caught through contractual pass-through obligations. Detailed coverage criteria are discussed in the “Who Is Covered” section above.

What are the incident-reporting obligations under the draft?
Covered entities must submit a preliminary notification to the INCD without undue delay upon detecting a significant cyber incident, followed by a detailed report within a period to be prescribed in implementing regulations. The detailed report must cover the nature of the incident, affected systems, containment measures and a preliminary root-cause assessment. Financial-sector entities must also notify their sectoral regulator (Bank of Israel, ISA or Payments Authority) and, where personal data is compromised, affected customers.

Does the draft impose obligations on vendors and other third parties?
Yes. The draft’s supply-chain provisions will require covered entities to impose cybersecurity obligations on critical vendors through contractual clauses covering incident notification, audit rights, remediation SLAs and termination for security breach. Banks and fintechs should begin auditing and renegotiating existing vendor agreements immediately, particularly for contracts governing core banking platforms, cloud infrastructure and payment-processing services.

What enforcement powers and penalties does the draft introduce?
The draft empowers the INCD to issue binding administrative orders and impose financial penalties for non-compliance. Criminal liability is contemplated for serious breaches such as deliberate obstruction of an investigation or wilful failure to report a significant incident. Financial-sector entities also face parallel enforcement from their sectoral regulator under existing supervisory powers. Proactive self-reporting and a documented compliance programme are expected to serve as mitigating factors.

Where should banks, fintechs and PSPs start?
Focus on five critical actions: (1) appoint a named cyber-compliance lead with board-level authority; (2) conduct a rapid asset inventory and gap analysis against the draft’s requirements; (3) update or create an incident-response playbook aligned with the dual-track reporting framework; (4) triage vendor contracts for cybersecurity gaps; and (5) establish direct reporting channels with the INCD and your sectoral regulator.

Does the INCD become the lead regulator for cybersecurity?
Yes. The Israel National Cyber Directorate becomes the lead national authority for cyber-incident coordination and enforcement under the draft bill. However, existing sectoral regulators, including the Bank of Israel, ISA and Payments Authority, retain supervisory jurisdiction over their licensed entities. The result is a dual-oversight model in which the INCD leads on national-level cyber response while sectoral regulators maintain sector-specific supervisory requirements.

Where can I read the primary sources?
The official INCD department page is maintained on the Israeli government portal. Practitioner summaries are available from Arnon Tadmor‑Levy, Barnea, Pearl Cohen and the HUJI Cyber Security Research Center. All primary and secondary sources are listed in the Sources section above.