Cyber Security Act 2023 Bangladesh: Full Legal Guide & Penalties


Cyber Security Act 2023 Bangladesh: A Complete Legal Guide for Individuals and Businesses

The way we live, work, and communicate in Bangladesh is now deeply digital. We bank on our phones, run businesses on Facebook and Shopify, file documents online, and share opinions on social media every day. With that shift comes a new category of risk — and a new body of law designed to govern it. At the centre of that law is the Cyber Security Act 2023 Bangladesh (in Bengali, Cyber Niraptta Ain, 2023).

Whether you are an individual posting on social media, a startup founder storing customer data, a journalist publishing investigative work, a student running a meme page, or a corporate executive responsible for compliance, this law can affect you. Yet most people have never read it and only encounter it when something goes wrong.

This guide, prepared by the legal team at Advocate Mintu Kumar Mondal & Associates, explains the Cyber Security Act 2023 in plain language — what it covers, what the penalties are, how it differs from earlier laws such as the Digital Security Act 2018, what rights you have, and what to do if you are accused. We have written it so that a non-lawyer can understand it, while keeping it accurate enough for professionals.

A note on currency: Cyber law in Bangladesh has evolved rapidly. The Cyber Security Act 2023 replaced the Digital Security Act 2018, and the framework has continued to change since. Always confirm the current status of any provision with a qualified cyber crime lawyer in Bangladesh before relying on it.

What Is the Cyber Security Act 2023?

The Cyber Security Act 2023 is the principal piece of Bangladesh cyber law dealing with offences committed using computers, the internet, and digital devices. It was passed by the Jatiya Sangsad (National Parliament) in September 2023 and replaced the earlier Digital Security Act 2018 (DSA 2018).

In simple terms, the Act does three main things:

  1. Creates a national framework for protecting the country’s digital infrastructure — government servers, banking systems, telecom networks, and other “critical” systems.
  2. Defines cyber offences — from hacking and online fraud to defamation, identity theft, and cyber terrorism.
  3. Sets out punishments — imprisonment, fines, or both — and establishes the institutions that investigate and enforce these rules.

The Act is the legal backbone of cyber crime law in Bangladesh. If a crime is committed through a digital medium, this is usually the first statute investigators and prosecutors turn to.

 


Why Was the Cyber Security Act 2023 Introduced?

To understand the Cyber Security Act 2023, it helps to understand the laws that came before it. Cyber security law in Bangladesh did not appear overnight — it evolved over nearly two decades.

From the ICT Act 2006 to the Digital Security Act 2018

The first major cyber law in Bangladesh was the Information and Communication Technology Act 2006 (ICT Act). Its most controversial provision was Section 57, which criminalised publishing material online that was “false,” “obscene,” or that could “deprave or corrupt” or hurt religious sentiment. Critics argued the language was so broad that almost any online post could be prosecuted, and the section was widely used against journalists and ordinary citizens.

Facing sustained criticism, the government repealed Section 57 and enacted the Digital Security Act 2018. The DSA broke offences into many separate, more specific sections. However, it introduced new provisions — and harsher penalties — that human rights organisations, press bodies, and legal experts argued were even more restrictive in practice.

From the DSA 2018 to the CSA 2023

After years of domestic and international criticism of the DSA 2018, the government enacted the Cyber Security Act 2023 as a replacement. The stated aim was to address some of the most heavily criticised features of the DSA — for example, by reducing certain penalties, making several offences bailable, and removing imprisonment as a punishment for online defamation.

Many of the substantive offences from the DSA were, however, carried over into the new Act with similar wording. This is why the CSA 2023 became one of the most debated pieces of legislation in recent Bangladesh cyber law history.

The Current Status of the Cyber Security Act 2023

This is the section most online guides get wrong, so read it carefully.

The Cyber Security Act 2023 was the governing cyber statute when it was passed. Following the major political changes in Bangladesh in 2024, however, the authorities began a process of reviewing, repealing, and replacing the Act, citing concerns about misuse and free-expression rights. Drafting and ordinance-level work on a successor framework (often referred to in public discussion as a Cyber Protection / Cyber Security Ordinance) was undertaken as part of this reform.

What this means for you in practice:

  • The name “Cyber Security Act 2023” still matters: it is the law most people know by name, and the offences it described shaped how cyber matters are handled.
  • The exact provisions in force may have changed. Sections, penalties, and even the name of the operative law can differ from the 2023 text.
  • Pending and historic cases filed under the DSA 2018 and CSA 2023 may still be working through the courts, and transitional rules govern how they are treated.

Bottom line: treat the descriptions below as an explanation of the Cyber Security Act 2023 as enacted, and always confirm the currently applicable law with a cyber crime lawyer in Bangladesh before acting. The team at Advocate Mintu Kumar Mondal & Associates tracks these developments and can tell you exactly which rules apply to your situation today.

 


The Institutional Framework Under the Act

The Cyber Security Act 2023 did more than list crimes. It built an institutional structure for managing national cyber security. The main bodies were:

  • National Cyber Security Agency (NCSA): the central authority responsible for coordinating cyber security across government and the private sector.
  • National Cyber Security Council: a high-level policy body that sets strategic direction.
  • Computer Emergency Response Team (CERT / Cyber Tirno): a specialist team that responds to cyber incidents, issues alerts, and provides technical support during attacks.
  • Critical Information Infrastructure (CII): the Act allowed the government to designate certain digital systems — such as power grids, banking systems, and government databases — as “critical.” Attacking these carries the heaviest penalties.

For a business, the most important concept here is CII. If your organisation operates or connects to a system that has been designated as critical infrastructure, you face additional security obligations and far greater legal exposure if something goes wrong.

Key Provisions of the Cyber Security Act 2023

The Act groups cyber offences into several broad categories. Below are the most important ones, explained in everyday language. (Section numbers reflect the Act as enacted; verify against the official text.)

Offences Against Critical Information Infrastructure

Unauthorised access to, or damage of, a system designated as Critical Information Infrastructure is treated as one of the most serious offences in the Act. Because these systems run essential national services, the law attaches severe punishment to interfering with them — particularly where the interference causes harm.

Illegal Access, Hacking, and System Damage

The Act criminalises:

  • Illegal access to any computer, digital device, or network without authorisation.
  • Hacking — gaining access in order to alter, delete, or damage data or systems.
  • Damaging computer systems — introducing malware, disrupting services, or destroying data.
  • Tampering with source code — altering or hiding a program’s source code without authority.

In simple terms: if you access, change, or break a digital system you have no right to touch, you are likely committing an offence.

Digital Fraud and Identity Theft

Two of the most common real-world offences are:

  • Digital or electronic fraud — using a computer or digital device to deceive someone and obtain money, property, or an advantage. Phishing, fake payment links, and online scams fall here.
  • Identity fraud and impersonation — pretending to be someone else online, or collecting and misusing another person’s identity information (NID details, photos, account credentials) without authority.

These provisions are the basis for most prosecutions involving online scams, fake Facebook profiles, and financial fraud — issues that affect ordinary citizens and businesses alike.

Defamation and Objectionable Content

The Act addresses the publication of false, offensive, threatening, or defamatory material through digital means. A notable feature of the CSA 2023 was that, for online defamation, it removed imprisonment as a punishment and replaced it with a fine only — a change from the DSA 2018. Other content-related provisions, however, retained the possibility of imprisonment.

This category is the most contested part of the Act, because the line between lawful criticism and a punishable post can be unclear. Journalists and content creators should be especially careful here.

Cyber Terrorism

The Act defines cyber terrorism to include using digital systems to threaten national integrity, security, or sovereignty; to damage critical infrastructure; or to create fear among the public. This is among the gravest offences in the statute and carries some of the heaviest penalties.

Offences Related to Religious Sentiment and Public Order

The Act criminalises publishing content that:

  • Hurts religious values or sentiment, or
  • Is intended to deteriorate law and order, or to create enmity, hatred, or hostility between groups.

These provisions reflect Bangladesh’s social context but, like the defamation rules, depend heavily on interpretation — which is why legal advice matters so much before publishing sensitive material.


Penalties and Punishments Under the Cyber Security Act 2023

Punishments under the Act range from modest fines to long prison terms, depending on the seriousness of the offence. The table below summarises the general structure of penalties. Treat these as indicative only — exact terms and fine amounts must be confirmed against the official Gazette, and several penalties were among the provisions later reviewed.

Category of offence | Typical maximum punishment (indicative)
Damage to / illegal access of Critical Information Infrastructure | Long-term imprisonment (up to ~14 years for the most serious cases) and/or heavy fines
Cyber terrorism | Severe imprisonment and/or substantial fines
Illegal access, hacking, system damage | Imprisonment (several years) and/or fines
Digital fraud / identity fraud | Imprisonment (several years) and/or fines
Source code tampering | Imprisonment and/or fines (lower range)
Content hurting religious sentiment / disturbing public order | Imprisonment and/or fines
Online defamation | Fine only (no imprisonment under CSA 2023)

Two practical points are worth knowing:

  • Repeat offences generally attract higher penalties than first offences.
  • Bailability matters. Under the CSA 2023, more offences were made bailable than under the DSA 2018. Whether an offence is bailable or non-bailable can be the single most important factor for someone who has just been accused, because it affects whether they can stay free while the case proceeds.

How the Cyber Security Act 2023 Differs From Previous Laws

If you are comparing the cyber crime law in Bangladesh across its versions, the key differences are these:

  1. From the ICT Act 2006: The notorious Section 57 — a single, vague catch-all offence — was abolished. Offences are now defined more specifically.
  2. From the Digital Security Act 2018:
    • Lower penalties for several offences.
    • More bailable offences, improving the position of the accused at the early stage.
    • No imprisonment for online defamation — replaced by a fine.
    • Retention of substance. Many of the underlying offences and definitions carried over, which is why critics described the change as more reform than replacement.

For an ordinary user, the practical takeaway is that the types of conduct that can get you in trouble remained broadly similar; what changed most was the severity and the procedural position of an accused person.

Rights of Citizens and Businesses Under the Act

A law that creates offences also operates against the backdrop of constitutional and procedural rights. If you are dealing with a cyber matter in Bangladesh, keep these in mind:

  • The right to be informed of the specific allegation and the section under which you are accused.
  • The right to legal representation at every stage, including questioning and bail hearings.
  • The right to apply for bail, particularly where the offence is bailable.
  • Protection against arbitrary search and seizure — investigators generally need proper authority before seizing devices or data, and you can challenge improper procedure.
  • The right to a fair trial in the designated Cyber Tribunal, with the ability to appeal.
  • For businesses, the right to be heard before regulatory or compliance action, and the right to challenge a wrongful takedown or data request through legal channels.

Knowing these rights does not replace having a lawyer — but it does help you avoid the common mistake of saying or signing something early that damages your position.

Practical Scenarios and Hypothetical Examples

Abstract law is hard to apply. Here are realistic, hypothetical scenarios that show how the Cyber Security Act 2023 can come into play. (These are illustrative, not legal advice for any specific case.)

Scenario 1 — The startup data breach. A Dhaka-based e-commerce startup stores customer names, addresses, and payment details. A former developer still has access credentials and copies the customer database to sell it. This could involve illegal access, data theft, and identity-information offences. The startup may also face questions about whether it took reasonable steps to secure the data. Lesson: revoke access immediately when staff leave, and document your security measures.

Scenario 2 — The journalist’s investigative report. A reporter publishes an online story alleging financial wrongdoing by a public figure, based on documents. The subject files a complaint claiming the post is defamatory and damaging. The defamation provision may be engaged. Lesson: keep evidence, sources, and the public-interest basis for every claim well documented before publishing.

Scenario 3 — The fake Facebook profile. Someone creates a Facebook account using another person’s name and photos to harass them and solicit money from their friends. This can involve impersonation, identity fraud, and digital fraud. Lesson: victims should preserve screenshots, URLs, and timestamps and file a complaint promptly.

Scenario 4 — The angry viral post. A student, frustrated after an exam, posts content that others interpret as inciting hostility between two groups. The post goes viral. Provisions on public order or religious sentiment could be raised. Lesson: emotion plus virality is a legal risk — pause before posting anything that targets a community.

Scenario 5 — The corporate phishing attack. A finance manager receives a convincing email impersonating the CEO and transfers funds to a fraudulent account. The perpetrators have committed digital fraud and impersonation; the company faces both a financial loss and an investigation. Lesson: build payment-verification procedures and train staff to spot impersonation.

Actionable Legal Guidance

Prevention is far cheaper than litigation. Here is practical guidance tailored to different readers.

For Individuals

  • Think before you post. Avoid sharing unverified, defamatory, or inflammatory content.
  • Never use anyone else’s identity, photos, or NID information online.
  • Secure your accounts with strong, unique passwords and two-factor authentication.
  • If you are harassed or impersonated online, preserve evidence (screenshots, links, dates) and seek legal help early.

For Businesses and Startups

  • Map your data. Know what personal and financial data you hold and where it lives.
  • Control access. Use the principle of least privilege; revoke access immediately when staff leave.
  • Have an incident response plan. Decide in advance who does what during a breach.
  • Check your CII exposure. If you operate or connect to critical infrastructure, get specialist compliance advice.
  • Review contracts and policies. Make sure your terms of service, privacy policy, and employee agreements reflect current cyber law obligations.

For Journalists and Content Creators

  • Keep records of sources and supporting evidence for every factual claim.
  • Distinguish clearly between fact, opinion, and satire.
  • Be especially cautious with content touching religion, communal relations, or public order.
  • Build a relationship with a cyber crime lawyer in Bangladesh before you need one, so you can get fast advice when a complaint lands.

What to Do If You Are Accused Under the Cyber Security Act

If a complaint is filed against you, the early hours and days matter enormously. A calm, correct response can change the outcome.

  1. Do not panic or delete anything. Tampering with evidence can make your position worse.
  2. Do not give statements to anyone before speaking with a lawyer.
  3. Preserve your own evidence — messages, posts, context, and anything showing your intent or the truth of what you said.
  4. Contact a cyber crime lawyer immediately to understand whether the offence is bailable and to prepare a bail application.
  5. Follow legal process, not informal pressure or “settlements,” unless your lawyer advises it.

The difference between a quickly resolved matter and a drawn-out ordeal is very often the speed and quality of the legal advice obtained at the start.

Frequently Asked Questions (FAQ)

What is the Cyber Security Act 2023 in Bangladesh?

It is the principal cyber law in Bangladesh that defines digital offences — such as hacking, online fraud, identity theft, defamation, and cyber terrorism — and sets out the penalties for them. It replaced the Digital Security Act 2018.

What is the difference between the Cyber Security Act 2023 and the Digital Security Act 2018?

The CSA 2023 kept many of the same offences as the DSA 2018 but reduced several penalties, made more offences bailable, and removed imprisonment for online defamation, replacing it with a fine. Critics argued the substance of the older law was largely retained.

Is online defamation a crime under the Cyber Security Act 2023 Bangladesh?

Under the CSA 2023, online defamation was punishable by a fine rather than imprisonment — a change from the earlier law. The exact current position should be confirmed with a lawyer, as the framework has been under review.

What are the penalties under the Cyber Security Act 2023?

Penalties range from fines to long prison terms depending on the offence. The most serious offences — attacks on critical infrastructure and cyber terrorism — carry the heaviest punishments, while offences like source-code tampering sit at the lower end. Exact terms should be verified against the official text.

Is the Cyber Security Act 2023 still in force in Bangladesh?

The Act’s status has been changing since the 2024 political transition, when the authorities began repealing and replacing it. Because cyber law in Bangladesh is evolving, you should confirm the currently applicable law with a qualified cyber crime lawyer before relying on any provision.

Can I be arrested for a social media post in Bangladesh?

Potentially yes, if a post is alleged to fall within a defined offence such as defamation, incitement, or hurting religious sentiment. Whether arrest and bail are available depends on the specific offence and the law in force at the time.

What should I do if someone files a cyber case against me?

Do not give statements or delete material. Preserve your evidence and contact a cyber crime lawyer in Bangladesh immediately to assess bail and build your defence.

Do businesses have legal obligations under Bangladesh cyber law?

Yes. Businesses are expected to take reasonable steps to secure data and systems, and organisations connected to critical infrastructure face additional obligations. A breach can expose a company to both losses and legal scrutiny.

Which court hears cyber crime cases in Bangladesh?

Cyber and digital offences are tried by the designated Cyber Tribunal, with avenues for appeal. A lawyer can explain the procedure that applies to your matter.

How can a cyber crime lawyer in Bangladesh help me?

A specialist lawyer can advise on whether conduct is lawful, defend you if you are accused, help you file a complaint if you are a victim, secure bail, and guide businesses on compliance to avoid problems in the first place.

Conclusion

The Cyber Security Act 2023 Bangladesh sits at the intersection of two things every person and business now depends on: technology and the law. It defines what counts as a cyber crime, sets the penalties, and shapes how disputes over online conduct are resolved. It also reflects a longer story — from the ICT Act 2006, through the Digital Security Act 2018, to the reforms that have continued since 2023.

For most people, the practical message is straightforward. Understand the broad categories of offences, respect the rights and limits the law sets, secure your data and accounts, think before you publish, and get qualified advice early — whether you are protecting your business, defending yourself against an allegation, or seeking justice as a victim. Because cyber law in Bangladesh keeps changing, the single most valuable step you can take is to work with a lawyer who follows these developments closely.
