
What Is the Data Breach Law in Pakistan (2026), Who to Notify, 72‑hour Drafts vs Current Rules

By Global Law Experts, posted 1 hour ago

Last updated: 28 June 2026

At a glance. Pakistan does not yet have a single, universally binding statute that requires organisations to report a data breach within 72 hours. The Prevention of Electronic Crimes Act 2016 (PECA) criminalises unauthorised access and misuse of data, while the Pak‑CERT Act provides for a national Computer Emergency Response Team with incident‑reporting channels. Draft Personal Data Protection rules circulated in 2025–2026 propose a 72‑hour notification window for controllers. Until those rules become law, startups should treat 72 hours as a best‑practice ceiling and use the PKCERT and NCCIA/FIA reporting channels described below.

Key action checklist, first 24 hours after a suspected breach:

  1. Contain. Isolate affected systems, revoke compromised credentials, and preserve forensic evidence.
  2. Assess scope. Identify the categories and volume of personal data affected, plus whether criminal intrusion is suspected.
  3. Alert internal stakeholders. Brief the CEO/founder, legal counsel, and the designated incident‑response lead.
  4. Prepare PKCERT incident report. Gather logs, IP addresses, affected record counts, and initial remediation steps.
  5. Decide on NCCIA/FIA referral. If criminal conduct is evident (ransomware, extortion, insider theft), prepare a cybercrime complaint in parallel.

Short Answer: What Is the Data Breach Law in Pakistan in 2026?

As of 28 June 2026, Pakistan has no single omnibus data‑protection statute equivalent to the EU’s GDPR. The question “what is the data breach law in Pakistan” therefore does not yield one clean legislative reference. Instead, breach‑related obligations sit across several instruments: the Prevention of Electronic Crimes Act 2016 (PECA), the Pak‑CERT Act, sector‑specific telecom and banking regulations, and contractual obligations imported through enterprise and SaaS agreements. Draft Personal Data Protection rules, reported by both ICLG and DLA Piper, introduce a 72‑hour notification window for data controllers, but that requirement is not yet in force.

Pakistan is not a “GDPR country.” It is not a member of the European Economic Area, and no adequacy decision exists. However, the draft data breach notification requirements in Pakistan 2026 are explicitly modelled on GDPR principles, which means startups processing data of EU residents must already comply with GDPR independently, and may soon face analogous domestic duties once the draft rules are enacted.

Legal Framework: PECA 2016, Pak‑CERT Act, and Other Instruments

PECA 2016: what it covers

The Prevention of Electronic Crimes Act 2016 is Pakistan’s primary cybercrime statute. For startup founders asking what is the data breach law in Pakistan at the criminal level, PECA is the starting point. Key provisions relevant to a data breach include:

  • Section 3 (Unauthorised access to information system or data). Criminalises gaining access without authorisation or exceeding authorised access, punishable by imprisonment of up to three months, a fine, or both.
  • Section 4 (Unauthorised copying or transmission of data). Targets the extraction or copying of data from a system without authorisation.
  • Section 21 (Offences against the dignity of a natural person). Provides that use or distribution of information obtained through an information system to harm, intimidate, or cause damage to a person’s reputation is punishable by imprisonment of up to three years, a fine of up to one million rupees, or both.
  • Section 36 (Establishment of investigation and prosecution mechanisms). Provides for the Federal Investigation Agency (FIA) to investigate PECA offences, including through its National Response Centre for Cyber Crime (NR3C).

Critically, PECA does not impose a general duty on data controllers to notify regulators or affected individuals after discovering a breach. It is a criminal statute: it punishes perpetrators rather than mandating corporate disclosure. This gap is what the draft Personal Data Protection rules aim to fill.

Pak‑CERT Act: role in incident response

The Pak‑CERT Act established the Pakistan Computer Emergency Response Team (PKCERT) as the national focal point for cybersecurity incident coordination. PKCERT’s mandate includes receiving incident reports from public and private sector entities, issuing advisories, and coordinating technical response. The PKCERT incident report channel is the primary non‑criminal pathway for notifying a government body of a data breach. PKCERT has also published Essential Data Protection and Privacy Controls (2026 edition), a framework that encourages organisations to adopt breach‑notification procedures aligned with international standards.

Other relevant laws and regulatory bodies

Several sector regulators impose their own breach‑response expectations. The Pakistan Telecommunication Authority (PTA) requires licensed operators to report security incidents. The State Bank of Pakistan (SBP) mandates that banks and microfinance institutions notify the central bank of cyber‑incidents within specified time frames under its Technology Governance Framework. Provincial consumer‑protection statutes, such as the Punjab Consumer Protection Act 2005, offer limited recourse for individuals but do not create a standalone data breach notification requirement in Pakistan. For technology startups, the practical upshot is that PECA and the Pak‑CERT Act, combined with contractual obligations, define the current reporting landscape.

Draft Personal Data Protection Rules (2025–2026): The 72‑Hour Concept

Multiple authoritative sources, including ICLG’s Data Protection Laws and Regulations guide and DLA Piper’s Data Protection Laws of the World tracker, report that Pakistan’s Ministry of Information Technology and Telecommunication has circulated draft data protection rules proposing a 72‑hour breach notification window for data controllers. The 72‑hour concept in the draft Pakistan personal data protection rules would, if enacted, require any entity controlling personal data to notify the designated authority within 72 hours of becoming aware of a breach that poses a risk to individuals’ rights and freedoms.

Which entities would be covered

Industry observers expect the draft rules to adopt a controller–processor model. Data controllers, the entities that determine the purposes and means of processing, would bear the primary notification duty. Processors would be required to notify their controller “without undue delay,” enabling the controller to meet the 72‑hour window. The likely practical effect for startups is twofold: founders must build internal escalation workflows that surface breaches to the responsible officer within hours (not days), and vendor contracts must include processor notification SLAs of 24 hours or less to leave enough margin for the controller’s own assessment and filing.

Penalty and enforcement expectations

The draft rules reportedly contemplate financial penalties and, in aggravated cases, the power to suspend data processing activities. Precise penalty brackets have not been finalised. Early indications suggest that the drafting follows a tiered approach: higher penalties for wilful concealment of a breach, lower penalties for late but good‑faith notification. Until the rules are enacted, enforcement remains limited to PECA criminal proceedings and any sector‑specific regulator action.

Who Must Notify: Data Breach Notification Requirements in Pakistan

Understanding data breach notification requirements in Pakistan requires mapping current obligations (primarily contractual and criminal) against the anticipated statutory duties under the draft rules. The table below summarises the position for each entity type.

Entity type: Local data controller (company incorporated in Pakistan)
  When to notify (current practice): No universal statutory 72‑hour obligation today. Notify if criminal elements are present or if contractual clauses require it. Prepare an internal 72‑hour workflow for when the draft rules take effect.
  Where to report / recommended channel: PKCERT incident report for technical coordination. NCCIA/FIA if criminal conduct is suspected. Notify affected customers and enterprise contracting partners as appropriate.

Entity type: Data processor (local or foreign)
  When to notify (current practice): Notify the controller immediately per contractual duty. The controller decides whether to involve regulators or law enforcement.
  Where to report / recommended channel: Direct notification to the controller. The controller then assesses PKCERT, NCCIA/FIA, and customer notification requirements.

Entity type: Cloud provider / sub‑processor
  When to notify (current practice): Notify the controller per contract. Assist with forensic investigation and evidence preservation.
  Where to report / recommended channel: Notify the controller. Make logs and evidence available for PKCERT or NCCIA investigation if requested.

Entity type: Employer (employee personal data)
  When to notify (current practice): Follow internal HR breach‑response procedures. Notify affected employees. Engage a regulator only if a contractual obligation or criminal element exists.
  Where to report / recommended channel: Internal notice to HR and employees. PKCERT if systemic or criminal. Consider the relevant labour regulator where applicable.

Cross‑border processors present a borderline scenario. A foreign SaaS vendor with no legal entity in Pakistan may argue it falls outside PECA’s jurisdiction, but the Pakistani controller using that vendor remains responsible for notifying local authorities and affected data subjects. Contractual allocation of this risk is essential.

Where to Report a Personal Data Breach: PKCERT, NCCIA/FIA, and Other Channels

PKCERT incident report: required fields and evidence checklist

The PKCERT incident report is the standard non‑criminal channel for notifying the government of a cybersecurity event. To file an effective report, prepare the following information:

  • Organisation name and contact details: include a designated incident‑response contact (name, email, phone).
  • Incident summary: date and time of discovery, nature of the breach (e.g., ransomware, SQL injection, insider exfiltration), and attack vector if known.
  • Affected data categories: specify whether personal data (names, national IDs, financial records) is involved and the estimated number of records.
  • Containment steps taken: list actions already completed (system isolation, credential rotation, third‑party forensics engagement).
  • Supporting evidence: attach relevant log files, screenshots, malware samples (in a secure archive), and network diagrams as applicable.
  • Remediation plan: outline the next steps and expected timeline for full resolution.

PKCERT’s portal accepts reports electronically. Response times vary, but industry observers expect acknowledgement within 24–48 hours for incidents flagged as high severity.

NCCIA/FIA cybercrime complaint: criminal vs regulatory pathways

When a data breach involves criminal conduct (unauthorised access, ransomware deployment, extortion, or insider data theft), founders should file an NCCIA cybercrime complaint with the FIA’s National Response Centre for Cyber Crime (NR3C). This is a distinct pathway from the PKCERT incident report: PKCERT coordinates technical response, while the NCCIA/FIA investigates and prosecutes.

To file a complaint, visit the FIA’s Cyber Crime Reporting portal or attend the nearest FIA Cyber Crime Circle in person. Include a written complaint describing the offence, evidence (device images, communication records, ransom notes), and a formal request for investigation under the relevant PECA sections. Early engagement with legal counsel is strongly recommended before filing, as the complaint becomes part of the criminal record.

Reporting to enterprise customers and third parties

Contractual notification duties often impose tighter deadlines than any statutory requirement. Enterprise SaaS agreements routinely require notification within 24 or 48 hours of discovery. Failing to meet these contractual windows can trigger indemnity claims and contract termination rights, a commercial risk that may exceed any regulatory penalty. Map every customer and vendor contract that contains a breach‑notification clause, and maintain a register of required contacts and SLA deadlines.

Timeline and Sample Workflows: 0 to 72+ Hours

The following timeline represents best practice for data breach notification in Pakistan in 2026, calibrated to the 72‑hour window proposed in the draft rules. Adopt this workflow now so that your team is ready when, not if, the statutory duty enters into force.

Phase: 0–24 hours (containment and triage)
  Owner: Incident‑response lead + CTO
  Key actions and deliverables: Isolate affected systems. Preserve forensic evidence. Conduct initial scope assessment. Brief CEO, legal counsel, and board (if applicable). Draft preliminary PKCERT report.

Phase: 24–72 hours (assessment and regulator decision)
  Owner: Legal counsel + DPO / privacy lead
  Key actions and deliverables: Determine whether personal data is affected and the risk level. Decide on PKCERT submission and NCCIA/FIA referral. Prepare regulator notification and affected‑user email. Notify enterprise customers per contractual SLAs.

Phase: 72+ hours (notification and remediation)
  Owner: CEO + legal counsel
  Key actions and deliverables: Submit PKCERT incident report (if not already filed). Send affected‑user notifications. Issue investor update (if material). Complete root‑cause analysis. Implement permanent remediation. Document lessons learned.

Practical Templates and Wording: Regulator Notice, Customer Email, Investor Update

Three core communications are needed after a confirmed breach. The snippets below offer starting language; adapt each to the specific facts and have legal counsel review before sending. Never include language that could be construed as an admission of liability.

1. Regulator notification (PKCERT / future data protection authority)

“We write to notify [PKCERT / the Data Protection Authority] of a personal data security incident identified on [date]. The incident involved [brief description, e.g., unauthorised access to a customer database]. Approximately [number] records containing [data categories] were affected. Containment measures were implemented on [date]. A detailed forensic investigation is under way and we will provide supplementary information within [timeframe]. Our designated contact for this matter is [name, title, email, phone].”

2. Affected‑user notification email

“We are writing to inform you of a security incident that may have involved your personal information. On [date], we identified [brief, non‑technical description]. The information potentially affected includes [categories]. We have taken the following steps: [list remediation]. We recommend that you [change passwords / monitor accounts / contact support]. If you have questions, please reach our dedicated response team at [email / phone].”

3. Investor / board update

“This memorandum provides a confidential update on a data security incident discovered on [date]. Scope: [summary]. Estimated affected records: [number]. Financial exposure: [known/estimated]. Regulatory notifications: [filed/planned with PKCERT; NCCIA/FIA complaint filed/not applicable]. Insurance status: [cyber policy engaged/not applicable]. Next steps and timeline: [list]. We will provide a follow‑up report on [date].”

Data Protection Contractual Clauses and Incident Response in SaaS Contracts

For AI and tech startups operating in Pakistan, contractual protections are currently more enforceable than any standalone statutory breach‑notification duty. Every customer and vendor agreement should include the following clauses:

  • Breach notification SLA. Require the processor to notify the controller within 24 hours of becoming aware of a suspected breach, leaving 48 hours for the controller to assess and file with PKCERT within the best‑practice 72‑hour window.
  • Cooperation and access. Oblige the processor to cooperate fully with forensic investigations and to provide logs, system access, and personnel interviews on request.
  • Audit rights. Reserve the right to audit the processor’s security controls at least annually and following any incident.
  • Indemnities. Allocate financial responsibility for breach costs (notification, legal fees, regulatory fines, credit monitoring) based on fault and the nature of the failure.
  • Cross‑border transfer clauses. Where data is processed outside Pakistan, specify the applicable legal basis, supplementary safeguards, and the law governing disputes.

Criminal Exposure and Enforcement Risk: When to Involve Law Enforcement

A common question among founders is: “Can you go to jail for a data breach?” Under PECA 2016, the answer depends on whether the breach involves criminal conduct. If a company’s own employee exfiltrates data, that employee faces prosecution under Sections 3 and 4. If the breach results from a third‑party attack, the perpetrator, not the victim company, is the target of criminal proceedings. However, if a company or its officers wilfully conceal a breach to avoid regulatory or contractual consequences, they could face charges of abetment or obstruction, depending on the facts.

File an NCCIA cybercrime complaint when any of the following are present: ransomware or extortion demands, confirmed unauthorised access by an external actor, insider theft of trade secrets or customer data, or evidence that the breach is part of a coordinated campaign targeting multiple organisations. For all other incidents (accidental exposure, misconfiguration, or loss of an unencrypted device), PKCERT notification and contractual reporting are typically sufficient.

Preparing Now: Compliance Checklist for Startups

Use this ten‑point checklist to align with current data breach notification requirements in Pakistan and position your startup to comply with the 72‑hour rule as soon as it becomes law:

  1. Adopt a written incident‑response plan: define roles, escalation paths, and decision authorities.
  2. Enable forensic logging: ensure all critical systems retain access logs for at least 90 days.
  3. Prepare template notifications: regulator notice, user email, and investor memo (see above).
  4. Appoint a DPO or privacy contact: designate a single point of contact for regulators and data subjects.
  5. Map vendors and sub‑processors: maintain a current register of every third party that processes personal data on your behalf.
  6. Review cyber‑insurance coverage: confirm that your policy covers breach‑notification costs, forensic investigation, and regulatory defence.
  7. Create an investor notification plan: define materiality thresholds and board‑reporting timelines.
  8. Build a customer notification register: list every contractual breach‑notification SLA, contact, and deadline.
  9. Document cross‑border data flows: map where personal data travels and under which legal basis.
  10. Update contracts: embed the breach‑notification, cooperation, and audit clauses described in this guide.

Conclusion: Recommended Next Steps on Data Breach Law in Pakistan

Understanding the data breach law in Pakistan today means accepting a fragmented but rapidly evolving landscape. The four actions every startup founder and in‑house counsel should take immediately are:

  1. Implement a 72‑hour internal workflow now: do not wait for the draft rules to become statute. Operating to this standard protects you commercially and positions you for compliance from day one.
  2. Register your PKCERT incident report channel: identify the correct portal and test your reporting process with a dry‑run exercise.
  3. Audit every vendor contract: ensure processor notification SLAs are 24 hours or shorter and that cooperation and audit rights are enforceable.
  4. Engage specialist counsel: a technology‑regulatory lawyer can build bespoke templates, conduct a gap analysis against the draft rules, and represent you in any NCCIA/FIA proceedings.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Shazil Ibrahim at Chima & Ibrahim, a member of the Global Law Experts network.

Appendix: Quick Links to Sources and Regulator Contacts

  • PKCERT incident reporting. Submit reports through the official Pakistan Computer Emergency Response Team portal. Contact via email for urgent incidents.
  • FIA Cyber Crime / NR3C. File complaints through the FIA Cyber Crime Reporting portal or visit the nearest FIA Cyber Crime Circle office.
  • PECA 2016 (full text). Available on the Punjab Commission on the Status of Women website and the National Assembly archives.
  • Draft Personal Data Protection rules. Monitor the Ministry of Information Technology and Telecommunication website for the latest published drafts and consultation notices.

Sources

  1. DLA Piper, Data Protection Laws of the World: Pakistan
  2. ICLG, Data Protection Laws and Regulations (Pakistan)
  3. DataGuidance, Pakistan, Data Breach
  4. PECA 2016, Prevention of Electronic Crimes Act (statutory text)
  5. RSIL, Pak‑CERT Act / Pakistan’s Legal Framework and the Need for Safeguards
  6. Legal 500, Pakistan Data Protection & Cybersecurity Guide
  7. Accutive Security, Pakistan Prevention of Electronic Crimes Act (PECA) Overview
  8. Semantic Scholar, Academic Analysis of Pakistan Cyber and Privacy Law
