Israel Israel Privacy Protection Law amendment

Israel's New Cyber Defense Bill Builds a Second Breach-Reporting Regime Alongside, Not Through, Its Privacy Regulator

The Knesset's unanimous first-reading vote gives essential organizations a new cyber duty that runs parallel to, not integrated with, existing privacy-law obligations.

Israel's Cyber Defense Bill, by the Numbers People of Internet Research · Israel 400-600 Essential organizations covered Entities across energy, health, wa… NIS 640K Fine per violation Administrative fine for most viola… 10+ Years of failed attempts Length of time INCD chiefs tried a… peopleofinternet.com
Israel's Cyber Defense Bill, by the Nu… People of Internet Research · Israel 400-600 Essential organizations co… NIS 640K Fine per violation 10+ Years of failed attempts peopleofinternet.com

Key Takeaways

The Knesset did something on June 8, 2026 that a decade of Israeli cyber officials could not: it passed a comprehensive national cyber defense bill through a first reading, unanimously. The National Cyber Defense Bill, 5786-2026, cleared the plenum with zero opposing votes, a milestone The Jerusalem Post reported came "amid the rising intensity of cyberattacks during the ongoing war against Iran." Yossi Karadi, head of the Israel National Cyber Directorate (INCD), called it "a historic milestone for cyber defense in Israel." He is not exaggerating the wait: prior INCD chiefs tried and failed to pass comparable legislation for close to ten years, operating instead through temporary emergency regulations issued by the prime minister or cabinet.

What the Bill Actually Does

The law creates, for the first time, a unified statutory framework for "essential organizations" — entities in communications, energy, healthcare, hazardous materials, water, and digital or hosting services. As of 2026, estimates put that population at 400 to 600 organizations, up sharply from the roughly 31 categories and couple hundred companies covered by earlier, narrower frameworks. Covered entities must meet a mandatory defense threshold based on "accepted international concepts and benchmarks," report "significant cyberattacks" to the INCD and their sector regulator, and comply with urgent mitigation directives during severe incidents. Violations draw administrative fines of NIS 640,000, doubled for repeat offenses. Corporate officers face a distinct and sharper obligation: they must "diligently supervise and do everything possible to prevent violations," and the law presumes an officer breached that duty whenever a violation occurs, unless the officer can show reasonable preventive steps were taken.

The Case for the Bill Is a Real One

It's worth stating plainly why this legislation has backing across the aisle. Israel has spent the past decade governing critical-infrastructure cybersecurity through ad hoc executive orders rather than binding law — a gap that leaves essential services operating at wildly uneven security levels with no enforceable floor. The war with Iran has made that gap costly in real time, not theoretical. A statutory reporting duty gives the INCD visibility it currently lacks by default, and personal officer liability is a deliberate response to a familiar governance failure: boards treat security spending as discretionary until it is legally not. Fines alone rarely move a company with real infrastructure at stake; a credible threat to individual officers usually does. None of that reasoning is unsound.

Where the Design Gets Disproportionate

The presumption-of-breach standard for officers is the sharpest instrument in the bill, and it is also the least calibrated. Reversing the ordinary burden of proof — guilty unless the officer affirmatively demonstrates reasonable steps — creates real exposure for officers at smaller essential organizations (water utilities, regional hospitals, mid-size ISPs) who lack the compliance budgets of a bank or telecom giant. The practical effect is likely to be defensive over-compliance and rising D&O insurance costs concentrated exactly where security capacity is thinnest, rather than a proportionate, risk-scaled response.

The deeper structural problem is that this bill does not exist in a vacuum. Since Amendment 13 to the Privacy Protection Law took effect on August 14, 2025, organizations that process personal data already answer to the Privacy Protection Authority (PPA) for data-security failures, with its own incident-notification duties, mandatory Data Protection Officer appointments, and fines the PPA has described as reaching into the millions of shekels. A large share of the 400–600 organizations the new cyber bill targets — hospitals, telecoms, water utilities, digital service providers — are also data controllers under Amendment 13. That means many essential organizations are on track to answer to two regulators, under two statutes, with two separate definitions of a reportable incident and, quite plausibly, two separate notification clocks. Neither the bill's own explanatory materials nor the legal analyses tracking it describe any mechanism to reconcile the two regimes. That is a compliance-architecture failure, not a security one — but it will be experienced by covered organizations as exactly the kind of regulatory friction that makes security programs harder to run, not easier.

A Fix That Doesn't Require Weaker Security

None of this argues for scrapping breach reporting or officer accountability — both are defensible responses to a genuine threat environment. It argues for finishing the bill properly before it locks in. Two changes would preserve the security goal while avoiding needless duplication. First, the Foreign Affairs and Defense Committee, which now holds the bill for second and third readings, should write in a coordination clause: a single incident-notification channel, or at minimum a memorandum of understanding, between the INCD and the PPA for organizations that qualify under both statutes. Second, the presumption-of-breach standard for officers should be replaced with a codified safe harbor — compliance with a recognized security standard (ISO 27001 or an INCD-published equivalent) should count as the "reasonable steps" defense, rather than leaving officers to prove a negative after the fact in every case.

What Happens Next

The bill now moves to the Foreign Affairs and Defense Committee for the work that actually determines its shape: committee markup ahead of second and third readings. Karadi has himself acknowledged that election timing — a vote expected around October 2026 — could delay final passage into 2027 or later. That delay is not entirely unwelcome. A unanimous first-reading vote reflects genuine consensus that Israel needs a binding cyber-defense floor. Whether the law that eventually reaches the statute book is a workable framework or a duplicative compliance burden depends entirely on what the committee does with the months it now has.

Sources & Citations

  1. Jerusalem Post: National Cyber Defense Bill passes first reading during war with Iran
  2. Jerusalem Post: Israel moves forward with potential game-changing cyber law
  3. Jerusalem Post: Israel cyber chief hopes cyber law bill can pass first reading before elections
  4. Gornitzky GNY: National Cyber Defense Bill client alert
  5. IAPP: Israel marks a new era in privacy law — Amendment 13 ushers in sweeping reform
  6. WIPO Lex: Israel Protection of Privacy Law, 5741-1981 (official statute text)
  7. Government memorandum: National Cyber Protection Law draft bill text, 5786-2026