Israel’s Draft Cybersecurity Bill: What You Need to Know

30 June, 2026


Overview

Israel is the third most-attacked nation in cyberspace. Since the 2023 Israel-Hamas and Israel-Iran wars, the volume and severity of cyberattacks, from criminal, state-affiliated, and ideologically driven actors, have surged.

Yet Israel has lacked unified cybersecurity regulation for its private sector. The defense sector and other critical infrastructure operate under the Security in Public Bodies Law 1998, but other organizations face a patchwork of sectoral regulators or none at all.

In early 2026, the government introduced a comprehensive Cybersecurity Bill (the “Bill”), which passed its first Knesset reading. The Bill would codify the Israel National Cyber Directorate’s (NCD) mandate, impose binding obligations on “Essential Organizations” across eleven sectors, and create an enforcement framework modeled on the EU’s NIS2 Directive. If enacted, it will replace fragmented government resolutions and temporary wartime measures with permanent, economy-wide legislation.

The Bill follows years of failed legislative attempts. A 2018 draft was shelved after objections to the NCD’s proposed powers. A 2021 temporary bill faced similar criticism. In December 2023, an emergency statute addressed wartime cyberattacks on digital service providers, but was never intended as a permanent solution.

The 2026 Bill is comprehensive and permanent. It addresses the existing model’s core weaknesses (fragmented authority among sectoral cyber units and unclear lines of responsibility with the NCD) by establishing binding standards for cyber risk management and incident reporting.

The Bill’s primary mechanism is the designation of “Essential Organizations,” which face specific cyber protection obligations. This category includes government bodies, organizations meeting sector-specific criteria in the Bill’s Third Schedule (see list below), or entities designated by a regulator in exceptional circumstances based on national security, public safety, or economic stability concerns:

  • Telecommunications – Licensed providers with more than 200,000 subscribers or service recipients.
  • Electricity – Owners or operators of power generation facilities with a cumulative capacity exceeding 100 MW.
  • Natural Gas – Holders of distribution or compressed natural gas licenses.
  • Fuel and LPG – Organizations that purchase or import fuel and LPG above the quantities specified in the schedule.
  • Healthcare – General public hospitals and healthcare providers.
  • Chemicals, Toxins, and Hazardous Materials – Hazardous waste storage, treatment, disposal or recovery facilities and landfills.
  • Water and Sewage – Water corporations, wastewater treatment plants, and desalination facilities exceeding the sizes specified in the schedule.
  • Transportation – Public transportation operators, airlines, shipping service providers, ports, and transportation management infrastructure companies, as specified in the schedule.
  • Local Authorities.
  • Food – Emergency warehouses, manufacturers, distributors, and retailers exceeding certain market shares.
  • Digital Services and Storage Services – Services of various types as listed in the Bill’s Third Schedule.
  • Agriculture – Entities exceeding a certain size engaged in the marketing of eggs.

* Financial Sector – Excluded from this Bill due to existing robust cybersecurity and operational continuity regulation.

Essential Organizations face several core obligations:

  • Baseline cyber protection requirements, including risk management, asset protection, incident preparedness, operational continuity, supply chain security, encryption, access control, training, and compliance with recognized standards listed in the Bill.
  • Compliance with NCD directives, including real-time directives issued in response to active threats.
  • Duty to report significant cyber-attacks, including service disruptions, unauthorized access, or attacks with spread potential.
  • Administrative and criminal sanctions for breaches, including personal liability for officers. Office holders may be personally liable for failing to ensure compliance with directives issued by the NCD or the relevant sectoral authority, or for failing to implement adequate measures to address severe cyber-attacks. The Bill further presumes that if such an offense is committed by a corporation or its employees, the office holder breached their supervisory duty unless they prove they took all reasonable steps to prevent it. In addition to personal liability, the Bill provides for administrative fines on organizations and criminal sanctions, including imprisonment of up to two years for serious violations.

The Bill also allows for designation as an “Essential Organization for the Security System,” triggering additional obligations.

The NCD’s Statutory Role

The Bill places the NCD on clear statutory footing. An “operational-technological” body within the Prime Minister’s Office will be responsible for national cyber defense coordination, operating the national CERT (including an incident reporting center and National Security Operations Center), guiding sectoral cyber units, and advising the Prime Minister and government on cybersecurity. This transforms the NCD from a body operating largely under government resolutions into a legally recognized national cyber regulator.

The 2018 draft proposed giving the NCD broad operational powers, including authority to conduct “computer protection actions” in private networks. This drew sharp objections for concentrating intrusive powers in a security-adjacent body without adequate safeguards for privacy, property rights, and business continuity, and for blurring the NCD’s roles as adviser, regulator, and operational responder.

The 2021 bill narrowed that proposal but retained many of the same structural problems, still contemplating coercive intervention in private systems.

The 2026 Bill takes a different approach. Rather than granting the NCD sweeping emergency powers, it embeds the NCD within a hybrid model: the NCD becomes the national professional hub, coordinating, setting standards, and managing incidents, while sectoral authorities retain day-to-day regulatory responsibility. This preserves sector-specific expertise while establishing central coordination.

However, we believe that even under this model, certain provisions introduced in the Bill still grant disproportionate powers to the NCD: for example, section 11(a) of the Bill allows the NCD to issue directives to any essential organization where a cyber risk exists that could enable a severe cyber-attack. While the term “cyber risk” is not defined, its context is tied to the potential for a severe cyber-attack. Similarly, while the definition of “severe cyber-attack” is provided in Section 13, its grounds, such as attacks that could affect service availability, enable unauthorized access to information, or show potential for spread, may be relatively easy to satisfy, potentially leading to an overbroad application.

Compliance Through International Standards

One of the Bill’s most significant features is a “safe harbor” mechanism. Under Section 52, an Essential Organization in designated sectors can satisfy its statutory obligations by demonstrating compliance with recognized international standards, filing a declaration and supporting documentation to obtain an exemption from most obligations (except incident reporting).

Recognized standards include ISO/IEC 27001, NIST SP 800-53, the NIST Cybersecurity Framework (CSF), ISA/IEC 62443, CIS Critical Security Controls IG3, CMMC Level 3, and AICPA SOC 2 Type 2, among others. Compliance must be verified through third-party audits by accredited certification bodies, with certificates valid for 36 months in most cases.

This is a positive regulatory design. It doesn’t lower the substantive protection level; it reduces friction for organizations that have already achieved compliance through recognized frameworks. It rewards mature compliance programs, encourages investment in international standards, and allows multinational organizations to rely on interoperable frameworks rather than building a separate Israel-specific compliance regime. It also lets regulators focus enforcement resources on higher-risk entities.

However, this may also be the Bill’s most significant flaw: the safe harbor currently applies only to digital services and hosting services. While the Bill provides a mechanism for future expansion (allowing a Regulating Authority to add sectors to the Seventh Schedule after consulting the NCD), passing the Bill in its current form would miss the opportunity to establish standards-based compliance as a broader model for Israeli regulation.

Comparison with the EU NIS2

The Bill’s architecture follows the same regulatory logic as the EU’s NIS2 Directive: cybersecurity as a matter of public resilience requiring binding, cross-sectoral obligations rather than voluntary best practice. Like NIS2, the Bill focuses on organizations whose disruption could affect essential services, economic stability, public safety, or national security, moving Israeli law toward the European model of mandatory cyber risk management and incident reporting.

Substantively, the Bill requires Essential Organizations to adopt appropriate technical, operational, and organizational measures, breaking down cyber protection into concrete compliance families: governance, asset mapping, incident preparedness, business continuity, supply-chain security, secure development, access management, monitoring, and organizational controls. The Bill also adopts NIS2’s hybrid institutional model: sectoral authorities coordinated by the NCD.

A key difference: NIS2 applies across many sectors using general, size-based thresholds. Under NIS2, most medium and large entities in covered sectors are automatically included, with certain entities (including DNS providers, TLD registries, trust service providers, public electronic communications providers) covered regardless of size. The Israeli Bill is more narrowly tailored, using sector-specific criteria like subscriber numbers, production capacity, or service type.

Another notable difference concerns the liability of corporate officers. NIS2 takes a stricter approach than the Israeli Bill, requiring management bodies to approve and oversee cybersecurity risk management measures and mandating cybersecurity training for officers. The Israeli Bill’s officer liability provisions are somewhat narrower, focusing mainly on failure to comply with specific directives.

Conclusion

Israel’s 2026 Cybersecurity Bill marks a turning point in national cyber governance, replacing fragmented government resolutions with coherent statutory architecture and, broadly, aligning Israeli law with leading international frameworks.

Its most significant shortcoming may be the failure to extend the safe harbor mechanism beyond digital and hosting services. This limitation misses the opportunity to establish standards-based compliance as a broader regulatory model.

What to do now: Organizations that may fall within the Bill’s scope should assess their current cybersecurity posture against the recognized international standards in the Bill’s schedules and develop a compliance roadmap. Early preparation will ease the transition and position organizations to benefit from the safe harbor where available. Stakeholders seeking broader safe harbor coverage should engage now, while the Bill remains open to amendment before its second and third Knesset readings.


The above content is a summary provided for informational purposes only and does not constitute legal advice. It should not be relied upon without obtaining further professional legal counsel.
