Bangladesh's Posts, Telecommunications and Information Technology Minister, Faqir Mahbub Anam, told Parliament on June 9, 2026 that the National Cyber Security Agency has completed a preliminary draft of the country's first dedicated Cyber Security Strategy covering 2026 to 2030. For a country that experienced one of the most audacious cyber thefts in history — the $81 million Bangladesh Bank heist of 2016 — and spent nearly a decade cycling through successive digital governance frameworks, the strategy is overdue. Whether it marks genuine institutional maturity, or adds another layer to Bangladesh's complicated relationship between security and civil liberties, will depend on what is in the final document and, critically, who gets to weigh in before it is finalised.
A Decade of Institutional Churn
Bangladesh's cybersecurity governance has gone through at least three distinct legal regimes in eight years. The Digital Security Act of 2018 was ultimately repealed following sustained domestic and international pressure over its use against journalists and activists. The Cyber Security Act of 2023, which replaced it, was itself criticised by civil society organisations including Article 19 for retaining provisions incompatible with free expression standards. It too was superseded — by the Cyber Security Ordinance 2025, promulgated by the interim government that came to power after the political upheaval of mid-2024.
The Ordinance established the National Cyber Security Agency on August 26, 2025, chaired by Prime Minister Tarique Rahman and comprising 25 members drawn from relevant ministries, security agencies, and technical departments. The NCSA absorbed functions previously spread across the National Digital Security Council (established 2018) and the National Cyber Security Council (2023), consolidating what had been a diffuse and frequently ineffective governance structure into a single apex body under the ICT Division.
What the Strategy Must Address
The gaps are well-documented. Bangladesh scores 66.67 out of 100 on the National Cyber Security Index maintained by Estonia's e-Governance Academy, placing it 60th globally — a middling position that masks severe internal imbalances. On cyber crisis management, Bangladesh scores zero out of nine. On personal data protection frameworks, it scores zero out of four.
These are not minor administrative shortcomings. A score of zero on crisis management means Bangladesh has no formally tested procedures for coordinating a national response to a major cyber incident. That gap was visible in July 2024, when hacktivist attacks struck more than 200 government institutions, including the Bangladesh Police, the Bangladesh Telecommunication Regulatory Commission, and Bangladesh Bank. The country's e-Government CIRT (BGD e-GOV CIRT) — established in the aftermath of the 2016 bank heist — responded to individual incidents, but there was no evidence of coordinated national crisis management kicking in.
The 2026-2030 strategy, if drafted seriously, must close these gaps as a first priority. The NCSA has also committed to building a National Security Operations Centre, a National Computer Emergency Response Team, and Network Operations Centres across 35 Critical Information Infrastructure institutions — a capital-intensive project running from July 2026 to June 2029.
The Civil Liberties Tension
The strongest case for a centralised, state-led cyber strategy is straightforward: critical infrastructure operators, financial institutions, and public service platforms face threats that no individual entity can counter alone. Coordinating threat intelligence, mandating minimum security standards for critical sectors, and building a national incident response capability are legitimate state functions. The 2016 Bangladesh Bank heist, attributed by US cybersecurity authorities to North Korea's Lazarus Group, demonstrated that Bangladesh's exposure to nation-state attacks is not hypothetical — $81 million was stolen in a single overnight operation exploiting weaknesses in the SWIFT messaging system.
But Bangladesh's legislative history demands scepticism. The Digital Security Act of 2018 was used to arrest journalists, harass political opponents, and criminalise ordinary social media posts. The Cyber Security Act of 2023 was framed as a fix, then itself criticised. The NCSA's enabling legislation was passed by an unelected interim government. Cyber case filings have risen from roughly 500 in 2018 to approximately 2,200 in 2023 — a quadrupling that reflects both rising cybercrime and a rapidly expanding enforcement architecture. The concern is not theoretical: enforcement capacity built for genuine security threats can be redirected at dissent if the legal framework permits it.
Strategy documents produced in this context require robust public consultation, explicit limitations on surveillance powers, and independent oversight mechanisms — not just technical roadmaps.
What Good Implementation Looks Like
The NCSA's recent outreach programmes are an encouraging signal. A National Cyber Drill in May 2026 drew 68 teams from banks, financial institutions, and Critical Information Infrastructure operators through a structured six-hour exercise in risk auditing, cryptography, and incident response. More than 6,000 students registered for nationwide cybersecurity quiz competitions across 17 regional venues, extending awareness beyond the specialist community. These are the right building blocks — not a strategy that exists on paper while operational capacity remains thin.
The critical test for the 2026-2030 document will be whether it is published in full before finalisation, opened to civil society and industry consultation, and accompanied by independent oversight mechanisms that prevent enforcement powers from being redirected. Bangladesh's institutional foundation — NCSA, BGD e-GOV CIRT, nascent Critical Information Infrastructure standards — now exists. The threat environment is severe and worsening. A proportionate, technically grounded multi-year strategy could be a genuine contribution for developing economies navigating the same tradeoffs. The preliminary draft is a starting point. What happens next — who reads it, who responds, and whether those responses are incorporated — will determine whether 2026-2030 looks different from 2018-2025.