Israel has moved forward with a potential game-changing cyber law, which could be taken up by various Knesset committees as early as next month.
The text of the new bill was published over the weekend, and if it is eventually passed, it will become the country’s first permanent cyber law.
Until now, the Israel National Cyber Directorate (INCD) has operated in various capacities for around a decade, largely by executive decisions and temporary emergency regulations issued by the prime minister or the cabinet.
This has not only limited some of the powers of the INCD to protect the country from cyberattacks from adversaries like Iran, Hezbollah, and Hamas, but it has also left Israel behind many other Western countries that have enacted cyber legislation in the last decade.
Balancing protection and privacy
Two of the most significant issues for legislation are determining when and how private-sector companies and government agencies must report to the INCD that they are under cyberattack, and when and how they must report this to their customers and suppliers.
On the one hand, the INCD and agencies like it in other countries want updates from the private sector fast enough to act on them and make a difference, especially to prevent a single penetration from spreading to critical infrastructure across an entire sector of the economy.
On the other hand, there are privacy and business concerns about requiring private-sector companies to disclose certain privileged internal information or trade secrets to the INCD, customers, and suppliers, which, if abused, could unlawfully and unfairly undermine a business.
Under the cyber law proposal, if there is “potential grave damage” to the country, “critical” private-sector and government agencies would be required to report a cyberattack immediately and in real time.
Initial cyber laws in other democracies often set reporting periods of 24-72 hours, but the volume of cyberattacks has increased, and since the Israel-Hamas War began, the Jewish state has become the third-most-cyber-attacked country in the world.
This prompted the INCD to propose a more immediate reporting requirement. Still, this does not apply to much of the private sector, especially not to smaller companies that are not involved in critical infrastructure.
That said, if several years ago there were 31 categories of portions of the economy viewed as “critical,” adding up to possibly a couple of companies, as of 2026, the number of organizations that would fall within these reporting requirements could be as many as between 400 and 600, The Jerusalem Post has learned.
As a balancing requirement to ensure oversight and limits on the INCD’s use of this information, the INCD will need to report to the attorney-general and the Knesset Foreign Affairs and Defense Committee at least once a year regarding cyber attacks and information it has received from private-sector companies.
This is less than the bi-monthly report that the INCD has been giving to the Attorney General’s Office and to the Knesset defense committee, established under the emergency regulations during the war.
However, it is believed that more oversight is needed for emergency regulations that have not been as publicly and thoroughly debated as permanent laws.
In contrast, a permanent law would offer additional protections and be more legitimate, since it would have been passed by the Knesset rather than by a remote, virtual vote by cabinet ministers.
There are still many uncertainties about the law’s passage.
The INCD has been trying to pass such a law for close to a decade, and each INCD chief has gone through different versions of what they thought would strike the right balance.
FORMER INCD chief Gaby Portnoy, in one of multiple exclusive conversations, told the Post shortly after taking office in 2022 that he would finally be the one to get it passed after his predecessors had fought hard and come up short.
In another conversation with the Post in May 2025, Portnoy said, shortly after stepping down from the INCD, that the battle really had been nearly won and the law could be months away from passing. Now it is up to Portnoy’s successor, Yossi Karadi, to try to actually pass the law.
In early 2023, Portnoy presented to Prime Minister Benjamin Netanyahu and his ministers the fact that Israel was already behind Germany, Australia, England, the US, and the EU.
Unlike them, the country has not been providing regulations that obligate the public and private sectors to focus on new critical infrastructure, to file reports within set amounts of time (often 24-72 hours) if there is a hack, and explain what steps the government can take to enforce cyber defense standards and reporting.
If he made so much progress, why did Portnoy himself not finish the job sooner? He responded in May 2025, “We decided that the cyber law needed to be a national cyber law, not just covering the INCD, but also the whole country, which greatly increased its complexity.”
“We needed to identify and delegate specific kinds of authorities to each government ministry and also coordinate with all of the country’s diverse security bodies. Each security body has its idea of how things should be,” he said.
But Netanyahu did push things forward, Portnoy said, even as the two have not had the closest personal relationship.
The Shin Bet (Israel Security Agency) and the IDF needed to define their cyber vision and goals, and each agency had to define its specialty since the INCD “can’t do it alone.”
Defining the INCD for the new law, Portnoy said, “We are an operational body in all ways. We were ready for war... We even had operational ‘reserves’ to call in. But we could still get better, and the length of the war has challenged our reserves.”
At the same time, he stated that INCD is “also a technological body. We need to give state-wide solutions for Israel.”
As for Karadi, he said, “The State of Israel is under constant attack by our enemies who are undertaking efforts to harm the ongoing functionality of operations and our lives.”
Next, Karadi stated that the new law will enable the INCD to move much more quickly to block and contain cyberattacks.
Finally, he added, it “sets a high obligatory [cyber] defense standard for organizations without which it cannot function.” This is a critical move for “national resilience and to protect the security of the economy” and Israeli citizens.