The Iran war has significantly delayed the passage of a cyber law that the Israel National Cyber Directorate (INCD) has been pushing for nearly a decade, the current chief, Yossi Karadi, acknowledged on Tuesday.
Karadi said he hopes that the bill can at least be passed in the first of three Knesset readings before the country goes to elections.
Since elections are set for October, election season would start by mid-summer at the latest.
In all likelihood, this means the law will not be completed fully by the Knesset any earlier than 2027, after the next parliament is sworn in.
In February, shortly before the Iran war began, Karadi had told The Jerusalem Post in an exclusive interview that the latest version of the cyber law, which he publicly proposed on January 25, would be a priority for him in terms of securing passage.
He had hoped that the law would be passed by the Knesset in March, months before election season might kick off.
Prior INCD chiefs have also been trying to get through some kind of cyber law for years, to no avail.
Cyber law stalled as Israel faces war delays
Karadi asked the Post rhetorically: which countries have similar laws defining cyber authorities, and which countries have still failed to pass such laws?
Most European and democratic countries, and even some non-democratic countries with advanced approaches to cyber issues like Saudi Arabia, have a cyber law to create some order on the issue.
“Do we want to be on the bad list?” he followed up during the February interview, noting that the list of countries without such laws tends to be non-democratic, developing countries far less free and far less advanced than Israel.
Getting more specific, he said the law is needed so that the INCD can “understand what companies have [in terms of vulnerabilities and defenses] in advance in order to better manage their defense in real time. The law defines our powers on this and other critical issues.”
According to the cyber law proposal, if there is “potential grave damage” to the country, “critical” private-sector and government agencies are obligated to report a cyberattack immediately and in real time.
Cyber laws in other democracies have set reporting periods of 24-72 hours. However, the volume of cyberattacks has increased, and since the Israel-Hamas War began, the Jewish state has become the third-most-cyber-targeted country on the planet.
This led the INCD to recommend a more immediate reporting requirement.
Several years ago, there were 31 categories of portions of the economy viewed as “critical,” adding up to possibly several hundred companies.
These parts of the economy are a major focus where the cyber law imposes minimal defense and reporting requirements regarding cyber incidents. As of 2026, the number of organizations that would fall within these reporting requirements could be as many as between 400 and 600, the Post has learned.
For example, Karadi said that if a hospital in Israel is brought down by a cyberattack, it impacts the whole country.
A cyber survey in Politico recently noted that a majority of the West would view a cyberattack on a hospital as an act of war.
In 2025, there was an attempted disruption of operations at Shamir Medical Center in Tzrifin during Yom Kippur, a supply-chain attack that targeted a software-service provider managing sensitive data for nursing, and a destructive wiper attack, resulting in the deletion of client servers at a cloud-service provider.
Responding to such attacks, the new law would define when the INCD might send its physical rapid response teams, or alternatively, create a new set of INCD representatives permanently present in government agencies, or provide for remote access to hacked organizations.