On January 22, 2026, the National Cyber Protection Law Draft Bill, 5786-2026, was published by the National Cyber Directorate at the Prime Minister’s Office.
The Draft Bill is the first comprehensive legislative proposal of its kind in Israel and is intended to broadly regulate national cyber protection. The Draft Bill ratifies the status of the Cyber Directorate and creates a sectoral cyber protection unit within each government ministry listed in the law.
The Draft Bill also seeks to establish the status of a “Critical Organization,” which will be subject to various cyber protection obligations. According to the Draft Bill, government bodies or organizations meeting one of the following conditions will be defined as critical organizations. This definition applies to entities operating in various sectors, including:
- Telecommunications – Licensed providers with more than 200,000 subscribers or service recipients.
- Electricity – Owners or operators of power generation facilities with a cumulative capacity exceeding 100 MW.
- Natural Gas – Holders of distribution or compressed natural gas licenses.
- Fuel and LPG – Organizations that withdraw or import fuel and LPG above the quantities specified in the schedule.
- Healthcare – Hospitals and healthcare providers.
- Environmental Quality – Hazardous waste storage or treatment facilities and landfills.
- Water and Sewage – Water corporations, wastewater treatment plants, and desalination facilities exceeding the size specified in the schedule.
- Transportation – Public transportation operators, airlines, shipping service providers, ports, and infrastructure companies.
- Local Authorities.
- Food – Emergency warehouses, manufacturers, distributors, and retailers exceeding a certain market share.
- Digital Services and Storage Services of various types as listed in the schedule.
- Agriculture – Entities exceeding a certain size engaged in the cultivation, import, and storage of wheat or eggs.
The Draft Bill imposes a series of obligations on Critical Organizations, including:
- Compliance with baseline cyber protection requirements, including risk management, protection of cyber assets, preparation for cyber incidents, operational continuity, supply chain protection, encryption, access control and training, as well as compliance with relevant provisions of one of the standards listed in the Draft Bill.
- Compliance with Cyber Directorate directives regarding cyber protection, which may also be issued to a specific organization in real time based on cyber attack warnings.
- A duty to report significant cyber attacks, including impacts on service availability/continuity, unauthorized access to information, or attacks with potential for spread.
- Administrative and criminal sanctions in the event of a breach of these obligations, including liability for office holders within the organization.
Beyond this, the Draft Bill also allows for the designation of an organization as a “Critical Security Organization” and the imposition of additional obligations.
However, with respect to the digital services and storage services sector, the bill allows an organization to submit proof its inclusion in the FedRAMP Marketplace with “Authorized” status, or a declaration regarding implementation of cyber protection guidelines in accordance with the NIST 800-53 standard for the organization’s core activities, and receive an exemption from the above obligations (except for the duty to report a cyber attack) for a period of two years.
The deadline for submitting comments on the bill has been set for February 21, 2026 at 23:59.
Our firm’s Regulation and Government Affairs Department will continue to monitor further developments and updates on this matter, and remains at your disposal for any questions or consultations.
___________________
The above content is a summary provided for informational purposes only and does not constitute legal advice. It should not be relied upon without obtaining further professional legal counsel.
