How Israeli Banks Should Prepare for the National Cybersecurity Law (2026): a Practical Compliance Playbook for AML, KYC and Sanctions Screening

By Global Law Experts

Last updated: 18 May 2026

The 2026 National Cyber Protection Bill is set to reshape bank cybersecurity compliance in Israel by introducing a statutory “Critical Organization” designation, mandatory incident-reporting windows and prescriptive data-retention rules that cut directly across existing AML, KYC and sanctions-screening programs. Banks, fintechs and payment service providers (PSPs) that fall within the bill’s scope face a dual challenge: meeting the new cyber obligations while ensuring those obligations do not degrade, and ideally strengthen, their financial-crime controls. This playbook translates the bill’s headline provisions into concrete operational steps, vendor-management criteria and governance timelines that compliance officers, CROs and RegTech procurement leads can act on immediately. The quick-action box below provides a starting framework for the first 180 days.

| Timeframe | Priority actions |
|---|---|
| First 30 days | Inventory every system that touches AML/sanctions data; confirm vendor incident-notification SLAs; brief the board on Critical Organization obligations. |
| 31–90 days | Map cyber-logging controls to AML transaction-monitoring feeds; draft updated incident-response playbooks that include sanctions-screening scenarios; issue RFPs for any gap in RegTech sanctions screening or cyber-monitoring coverage. |
| 91–180 days | Complete vendor contract amendments (right-to-audit, data-retention, breach-notification clauses); run a table-top exercise simulating a cyber incident that corrupts screening data; submit compliance attestation to Bank of Israel supervisors. |

Background: What the 2026 National Cyber Protection Bill Changes

Israel has maintained a robust national cybersecurity posture for over a decade, coordinated by the Israel National Cyber Directorate (INCD). Until now, however, the regulatory framework for private-sector entities, including banks, has relied on a patchwork of government resolutions, voluntary INCD guidance and sector-specific supervisory directives such as those issued by the Bank of Israel on the management of IT, information security and cyber protection risks. The 2026 National Cyber Protection Bill consolidates and elevates these obligations into primary legislation for the first time.

At its core, the bill introduces three mechanisms that directly affect bank cybersecurity compliance in Israel. First, it establishes a formal “Critical Organization” category with heightened duties. Second, it imposes mandatory incident-reporting obligations with defined notification windows. Third, it sets minimum data-retention and access-control standards for cyber-event logs, security telemetry and related records. The bill also grants the INCD expanded supervisory and enforcement powers over designated entities, creating a parallel compliance layer alongside the Bank of Israel’s existing oversight.

For compliance officers already managing AML sanctions screening workflows, the practical question is not whether these obligations apply (industry observers expect most licensed banks and major PSPs to be designated) but how to integrate them into existing financial-crime programs without duplication or gaps.

Who Is Covered: “Critical Organization” Designation and Bank of Israel Supervision

The bill empowers the INCD to designate entities as Critical Organizations based on criteria including the volume of personal data processed, the entity’s role in national financial infrastructure and the potential systemic impact of a service disruption. For the banking sector, the Bank of Israel already classifies institutions under its Proper Conduct of Banking Business directives, and the new legislation is expected to interact closely with these existing classifications.

Industry observers expect that systemic banks, large deposit-taking institutions and central clearing or payment infrastructure operators will receive Critical Organization status by default. Smaller banks, credit-card companies and licensed PSPs are likely to be evaluated individually, though conservative compliance planning should treat designation as probable for any entity holding a Bank of Israel licence. The critical organization obligations triggered by designation include mandatory implementation of baseline security controls prescribed by the INCD, submission to periodic audits and assessments, adherence to the new incident-reporting timelines and compliance with data-retention and access-control standards.

| Entity type | Likely designation status | Additional duties upon designation |
|---|---|---|
| Systemic / large deposit bank | Near-certain | 24-hour incident reporting; annual INCD audit; mandatory CISO appointment; enhanced log-retention periods |
| Small bank / credit-card company | Probable | 72-hour incident reporting; periodic security assessments; prescribed encryption standards for customer data |
| Licensed PSP / fintech | Assessed individually | 72-hour incident reporting; vendor-management requirements; data-retention minimums for transaction and screening logs |

Crucially, Bank of Israel supervision does not disappear upon INCD designation. The two frameworks operate in parallel: BoI directives on the management of IT, information security and cyber protection risks remain binding, and institutions must satisfy whichever standard is stricter on any given control. Compliance teams should map every new INCD obligation against the corresponding BoI directive to identify overlaps and, more importantly, the gaps where one framework exceeds the other.

Mapping Cyber Duties to AML, KYC and Sanctions Controls

The most operationally significant challenge for compliance teams is ensuring that the new cyber duties reinforce rather than conflict with AML sanctions screening, KYC verification and transaction-monitoring processes. The controls matrix below maps the bill’s headline obligations to the specific financial-crime controls they affect and recommends practical steps for each.

| Cyber obligation (bill) | AML / KYC / Sanctions control impacted | Practical steps |
|---|---|---|
| Maintain tamper-evident cyber-event logs | Transaction-monitoring audit trail; sanctions-screening hit logs | Integrate SIEM log feeds with AML case-management system; timestamp and hash all screening results at point of generation. |
| Implement minimum encryption for personal and financial data at rest and in transit | KYC customer records; CDD documentation; beneficial-ownership databases | Upgrade encryption on KYC databases to AES-256 or equivalent; enforce TLS 1.3 on all API connections to screening vendors. |
| Mandatory vulnerability testing (annual or after material change) | Sanctions-screening platform integrity; transaction-monitoring rule engines | Include screening and monitoring systems in scope of annual penetration tests; remediate critical findings within 30 days. |
| Access-control and least-privilege policies | MLRO and compliance-team access to screening dashboards; investigation case files | Conduct quarterly access reviews for all users with screening-override or whitelist privileges; implement multi-factor authentication. |
| Third-party / vendor security requirements | RegTech sanctions screening vendors; KYC data providers; cloud-hosted AML platforms | Amend vendor contracts to require SOC 2 Type II or ISO 27001 certification; add right-to-audit and incident-notification clauses. |

Transaction-Monitoring and Telemetry Integration

One of the most frequently asked questions from compliance teams is how banks should align threat-detection telemetry with transaction-monitoring alerts. The answer lies in correlation. Cyber-event telemetry, such as anomalous login patterns, API call spikes to screening endpoints or unexpected database queries, can serve as early-warning indicators of attempts to manipulate AML controls. The practical step is to feed relevant cyber alerts from the SIEM or security operations centre (SOC) into the transaction-monitoring alert queue, tagged as cyber-originated. This allows the AML investigations team to evaluate whether a suspicious transaction pattern coincides with a potential cyber intrusion, enabling faster escalation and more accurate suspicious-activity reporting.

KYC Authentication and Digital-ID Hardening

The bill’s requirements for strong access controls and identity verification intersect directly with KYC cybersecurity standards. Banks that rely on digital onboarding (biometric verification, video-KYC or electronic-ID validation) must ensure that these channels meet the prescribed security baselines. In practice, this means requiring liveness detection for biometric checks, encrypting identity documents end-to-end during transmission and retaining verified identity artefacts (hashed copies) for the mandated retention period. Compliance officers should coordinate with the CISO to ensure that any change to authentication protocols triggered by the cyber bill does not inadvertently weaken the CDD evidence chain required under Israel’s Prohibition on Money Laundering Law.

Sanctions Screening Integrity and Data Provenance

AML sanctions screening depends on the integrity of three data flows: the customer or counterparty data submitted for screening, the sanctions-list data fed into the screening engine and the screening-result output. A cyber incident that compromises any of these flows can produce false negatives (missed hits), with severe regulatory and financial consequences. The bill’s data-integrity and logging requirements provide an opportunity to strengthen provenance controls. Banks should implement cryptographic checksums on sanctions-list updates at the point of ingestion, maintain immutable logs of every screening run (including the list version applied) and establish automated alerts when list-update feeds are delayed, corrupted or tampered with.
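The provenance controls described above can be sketched as follows. This is an added example, not part of the original article or any vendor's product: it verifies a list update against a digest obtained out-of-band, records each screening run in a hash-chained log that carries the list version applied, and flags a stale feed. All function names, record fields and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # prev_hash used by the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ingest_list(payload: bytes, published_digest: str) -> str:
    """Check a list update against the digest obtained out-of-band.

    Returns the digest, which doubles as the list-version identifier.
    """
    actual = sha256_hex(payload)
    if not hmac.compare_digest(actual, published_digest.strip().lower()):
        raise ValueError("list update failed checksum: keep previous list, alert")
    return actual


def feed_is_stale(last_ingest_epoch: int, now_epoch: int, max_age_s: int) -> bool:
    """True when no verified update arrived within the allowed window."""
    return now_epoch - last_ingest_epoch > max_age_s


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def append_run(log: list, timestamp: str, subject_ref: str,
               list_digest: str, result: str) -> str:
    """Append one screening run chained to the previous entry.

    Returns the new head hash. The chain only proves tampering if this
    head is also stored where the log's writers cannot change it
    (for example WORM storage or the SIEM).
    """
    body = {
        "seq": len(log),
        "timestamp": timestamp,
        "subject_ref": subject_ref,   # internal reference, not raw PII
        "list_digest": list_digest,   # which list version was applied
        "result": result,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    log.append(dict(body, entry_hash=_entry_hash(body)))
    return log[-1]["entry_hash"]


def verify_log(log: list, anchored_head: Optional[str] = None) -> int:
    """Return -1 if intact, else the index of the first bad entry.

    Returns len(log) when every entry is consistent but the final hash
    differs from the externally anchored head (truncated or rebuilt log).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or _entry_hash(body) != entry["entry_hash"]):
            return i
        prev = entry["entry_hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return -1


if __name__ == "__main__":
    # Constructed sample data: a two-line list file and two screening runs.
    update = b"ENTITY-001,Example Sanctioned Co\nENTITY-002,Example Person\n"
    version = ingest_list(update, sha256_hex(update))
    log: list = []
    append_run(log, "2026-05-18T09:00:00Z", "CASE-1001", version, "no_hit")
    head = append_run(log, "2026-05-18T09:00:05Z", "CASE-1002", version, "hit")
    print("intact:", verify_log(log, head))            # -1
    log[1]["result"] = "no_hit"                        # simulate tampering
    print("first bad entry:", verify_log(log, head))   # 1
```
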

Data Retention, Access and Cross-Border Transfer Rules: Implications for AML and Sanctions Logs

The national cyber protection law introduces prescriptive data retention rules for cyber-event logs, security telemetry and incident records. For banks, these requirements interact with existing AML record-keeping obligations under the Prohibition on Money Laundering Law and the related orders, which already mandate retention of transaction records, CDD files and sanctions-screening logs for defined periods.

The practical challenge is reconciliation. Where the cyber bill’s retention period exceeds the AML minimum, the longer period governs. Where AML rules are stricter (for example, requiring retention of full CDD files for a period beyond the cyber bill’s requirements), those obligations remain. Compliance teams should build a unified retention schedule that maps every data category (transaction logs, screening hit records, KYC documents, SIEM logs, incident investigation files) against both the cyber bill and AML requirements and applies the longer of the two.

Access controls must also be harmonised. The bill requires that access to retained cyber logs be restricted on a need-to-know basis with auditable access trails. For AML officers, this means formalising how investigators access SIEM data or security-incident files when pursuing a financial-crime investigation. Role-based access control (RBAC) models should include specific compliance-investigation roles with time-limited, logged access to cyber datasets. Cross-border data-transfer provisions in the bill add a further layer: banks that use offshore or cloud-hosted screening platforms must confirm that their data-transfer mechanisms (standard contractual clauses, adequacy determinations or binding corporate rules) satisfy both the cyber bill’s requirements and any parallel privacy obligations under the Protection of Privacy Law.

Incident Reporting, Notification Timelines and Templates

The bill’s reporting obligations represent one of the most operationally demanding changes for bank cybersecurity compliance in Israel. The specific timelines for reporting to the INCD vary by entity classification and incident severity, but the overarching requirement is clear: banks must report qualifying cyber incidents within a compressed notification window.

Internal Escalation Matrix

Before any external notification, banks need a defined internal escalation path. The moment a cyber incident is detected that could affect the integrity of AML, KYC or sanctions-screening systems, the following chain should activate: SOC analyst → CISO → MLRO/Head of Compliance → CRO → General Counsel → Board cyber committee (if applicable). Each handoff should be logged with a timestamp. The MLRO must be notified immediately, not after technical triage, because any compromise of screening data may require the bank to pause automated sanctions decisions and switch to manual screening until system integrity is confirmed.

Regulator Notification Template

A notification to the INCD (and, where required, the Bank of Israel) should include at minimum: date and time of detection; nature of the incident; systems affected (specifying any AML/KYC/sanctions systems); estimated data-compromise scope; containment measures taken; expected timeline for restoration; and a named point of contact for follow-up. Industry observers expect the INCD to publish standard notification forms, but banks should prepare internal templates now to avoid delays when the reporting clock starts.

Customer Notification Considerations

Where a cyber incident affects customer data processed for KYC purposes, banks may also face notification obligations under Israel’s privacy framework. The key compliance question is sequencing: regulators typically expect to be notified before customers. The compliance team should work with legal counsel to pre-draft tiered customer-notification letters (data breach affecting identity documents, data breach affecting transaction records, etc.) and establish sign-off protocols that allow rapid deployment once regulator approval is secured.

Vendor and Third-Party Management: RegTech Procurement for Sanctions Screening and Cyber Monitoring

Third-party risk management is a cornerstone of the national cyber protection law, and it carries special significance for banks that rely on external RegTech sanctions screening platforms, cloud-hosted AML solutions or outsourced KYC-verification services. The bill requires Critical Organizations to ensure that their vendors meet minimum security standards and participate in incident-response processes.

Minimum Technical Specifications

When evaluating or re-qualifying a RegTech vendor, compliance and procurement teams should verify the following minimum specifications:

  • Certification. SOC 2 Type II report (issued within the past 12 months) or ISO 27001 certification with scope covering the specific services provided to the bank.
  • Penetration testing. Independent annual penetration test with remediation evidence for all critical and high-severity findings.
  • Data encryption. AES-256 (or equivalent) at rest; TLS 1.3 in transit; documented key-management procedures.
  • Data provenance. Ability to produce immutable, timestamped logs of all sanctions-list ingestion events, screening runs and result outputs.
  • Business continuity. Documented disaster-recovery plan with recovery-time objective (RTO) and recovery-point objective (RPO) aligned to the bank’s critical-services classification.
  • Incident notification. Contractual commitment to notify the bank of any security incident affecting the bank’s data within a defined window (no longer than 12 hours for critical incidents).

Sample Contract Clauses

Vendor contracts should be amended (or new RFPs should include) the following clause categories:

  • Right-to-audit clause. The bank (or its designated auditor) may conduct on-site or remote security audits of the vendor’s systems and processes with reasonable notice, at least annually.
  • Incident-notification clause. Vendor shall notify the bank in writing within [12/24] hours of detecting any security event that affects, or is reasonably likely to affect, the confidentiality, integrity or availability of the bank’s data.
  • Data-retention and return clause. Upon termination, vendor shall return or securely destroy all bank data within [30] days and certify destruction in writing.
  • Sub-processor restrictions. Vendor shall not engage sub-processors to handle the bank’s data without prior written consent and shall ensure equivalent security obligations flow down to all sub-processors.

SLA and Incident-Response Expectations

Beyond contract clauses, procurement teams should score vendors on incident-response SLAs: maximum response time for critical incidents, availability of a named incident-response coordinator, participation in the bank’s table-top exercises and willingness to share post-incident root-cause reports. A vendor unable or unwilling to commit to these expectations may represent an unacceptable concentration of third-party cyber risk, a conclusion that should be documented in the bank’s vendor risk register.

Israeli Banks Compliance Checklist and Sample Controls

The following Israeli banks compliance checklist consolidates the key actions described in this playbook into a role-assigned, time-bound format. Compliance teams can adapt it to their institution’s size and risk profile.

| Action | Owner | Deadline |
|---|---|---|
| Inventory all systems processing AML/KYC/sanctions data; classify by criticality | CISO + MLRO | Day 30 |
| Confirm vendor incident-notification SLAs meet bill requirements | Procurement + Compliance | Day 30 |
| Brief board on Critical Organization designation and dual-supervision model | CRO + General Counsel | Day 30 |
| Map cyber-log feeds to AML transaction-monitoring platform | CISO + AML Technology | Day 90 |
| Draft updated incident-response playbook (including sanctions-screening scenarios) | CISO + MLRO | Day 90 |
| Issue RFPs for any identified RegTech or cyber-monitoring gaps | Procurement | Day 90 |
| Amend vendor contracts (right-to-audit, data-retention, breach-notification) | Legal + Procurement | Day 180 |
| Conduct table-top exercise simulating cyber incident corrupting screening data | CISO + MLRO + CRO | Day 180 |
| Build unified data-retention schedule reconciling cyber bill and AML requirements | Compliance + Data Governance | Day 180 |
| Submit compliance attestation to Bank of Israel supervisors | CRO | Day 180 |

Implementation Timeline and Governance: Who Does What and When

Effective implementation requires clear governance. The board (or its designated cyber/risk committee) should receive quarterly updates on the bank’s progress against the 180-day roadmap outlined above. Day-to-day execution sits with a working group co-chaired by the CISO and the MLRO, with standing members from legal, procurement, AML technology and data governance.

A recommended six-month governance cadence looks as follows. Month 1: board briefing and mandate; gap assessment completed. Month 2: vendor review initiated; incident-response playbook drafting begins. Month 3: RFPs issued; cyber-to-AML log integration design finalised. Month 4: vendor contract amendments negotiated; retention schedule drafted. Month 5: table-top exercise conducted; remediation items logged. Month 6: attestation prepared; board sign-off; residual-risk items escalated to risk register. Throughout, the CRO retains escalation authority to accelerate any workstream where delays threaten the bank’s regulatory standing.

Reporting Obligations and Enforcement by Entity Type

| Entity type | Report required | Expected deadline |
|---|---|---|
| Systemic bank / large deposit bank | Major cyber incident affecting customer data or core services (including AML/sanctions systems) | Within 24 hours of detection |
| Small bank / payment provider | Incident affecting payment processing or sanctions-screening accuracy | Within 72 hours of detection |
| Fintech / PSP | Service disruption affecting AML screening or transaction flows | Within 72 hours of detection |

The likely practical effect of these tiered deadlines will be that systemic banks invest in automated detection-and-notification workflows (SOAR platforms feeding pre-populated regulator notification templates), while smaller institutions focus on streamlining manual escalation paths. Regardless of size, every institution should pre-test its notification process at least annually, ideally as part of the table-top exercise recommended in the checklist above.

Conclusion: Next Steps for Bank Cybersecurity Compliance in Israel

The 2026 National Cyber Protection Bill marks a structural shift for bank cybersecurity compliance in Israel, moving the regulatory baseline from supervisory guidance to statutory obligation. Compliance officers who act within the first 30 days (inventorying systems, briefing the board and confirming vendor SLAs) will be best positioned to meet the 180-day implementation horizon without operational disruption. For specialist guidance on integrating cyber obligations with AML, KYC and sanctions-screening programs, find a compliance lawyer through the Global Law Experts directory or contact Global Law Experts directly.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Idan Levy at MITIGATE Compliance & Risk Management, a member of the Global Law Experts network.

Sources

  1. Bank of Israel, Management of IT, Information Security, and Cyber Protection Risks
  2. Israel National Cyber Directorate (INCD)
  3. Gornitzky & Co., Client Update on Cybersecurity Legislation
  4. Pearl Cohen, Bank of Israel Directive on Cybersecurity
  5. Law.co.il / DataGuidance, Israel Cybersecurity Overview
  6. FATF, Publications on Money Laundering, Terrorist Financing and Cyber-Enabled Financial Crime
  7. F6S, Compliance and RegTech Companies in Israel
  8. Israeli Ministry of Justice / Privacy Protection Authority

FAQs

What are the National Cybersecurity Law's key obligations for banks in Israel?
The 2026 National Cyber Protection Bill introduces three principal obligations for banks: mandatory designation as a “Critical Organization” (with heightened security controls and audit requirements), compressed incident-reporting timelines to the INCD and minimum data-retention and access-control standards for cyber-event logs. These sit alongside existing Bank of Israel directives on the management of IT, information security and cyber protection risks, meaning banks must satisfy whichever framework imposes the stricter standard on any given control.
Industry observers expect that most licensed banks, and certainly all systemic or large deposit-taking institutions, will receive Critical Organization status under the bill. Designation triggers additional duties including mandatory appointment of a CISO, annual INCD security assessments, adherence to prescribed encryption and access-control baselines and compliance with the bill’s tiered incident-reporting deadlines (24 hours for systemic banks, 72 hours for smaller institutions).
Banks should integrate cyber-event telemetry into their transaction-monitoring alert queues, implement cryptographic checksums on sanctions-list updates at ingestion and maintain immutable logs of every screening run. KYC authentication channels (biometric, video-KYC, e-ID) must meet the bill’s security baselines, and vendor SLAs for RegTech sanctions screening platforms must be updated to include incident-notification commitments and right-to-audit clauses.
Immediately, banks should confirm that their vendor contracts include incident-notification SLAs aligned to the bill’s timelines, build a unified data-retention schedule reconciling cyber and AML obligations and update internal incident-response playbooks to include scenarios where a cyber breach corrupts sanctions-screening data. Vendor contracts should be amended to include right-to-audit, data-retention and sub-processor restriction clauses.
Request a current SOC 2 Type II report or ISO 27001 certificate scoped to the services provided, along with evidence of annual independent penetration testing and remediation. Verify that the vendor can produce immutable, timestamped data-provenance logs for sanctions-list ingestion and screening outputs. Contractually require incident notification within 12 hours for critical events and a right-to-audit clause permitting at least annual assessments.
Within the first 30 days, AML officers should inventory every internal and third-party system that processes sanctions, KYC or transaction-monitoring data; confirm that each vendor’s incident-notification SLA meets the draft bill’s requirements; test whether current log-retention practices satisfy both cyber and AML retention periods; and brief the MLRO and board risk committee on the dual-supervision model (INCD plus Bank of Israel).
Potential conflicts may arise where the bill requires extended retention of cyber-event logs containing personal data, while Israel’s Protection of Privacy Law and related regulations mandate data minimisation. Banks should map each data category against both frameworks, apply the longer retention period where legally required, restrict access through role-based controls and document the lawful basis for retention. Consultation with legal counsel experienced in both cybersecurity and privacy law is strongly recommended.
By Kerwin Tan
