Cyber Crime Laws & Penalties in Bangladesh (2026) – Cyber Security Act Guide

Bangladesh's approach to regulating cyber crime has evolved through three major legislative phases. Understanding this progression is essential for anyone dealing with cyber law matters in 2026:

• Phase 1 – ICT Act 2006: The Information and Communication Technology Act 2006 (amended in 2013) was Bangladesh's first comprehensive cyber law. Section 57, which criminalised online content deemed 'defamatory' or 'offensive', became particularly controversial due to its frequent misuse against journalists and dissidents. While the DSA 2018 superseded many provisions, Section 57 cases filed before the DSA's enactment continue under the original Act.
• Phase 2 – Digital Security Act 2018 (DSA): The DSA 2018 was introduced with the stated goal of combating cyber crime more effectively. However, it drew intense criticism from press freedom organisations, civil society, and international human rights bodies due to its broad definitions and harsh penalties. It was formally replaced by the CSA 2023, though pending DSA cases continue to be tried under DSA provisions.
• Phase 3 – Cyber Security Act 2023 (Current Law): The CSA 2023 is the current governing legislation for cyber crimes in Bangladesh. It narrows several overbroad provisions of its predecessor, introduces new offences specific to modern cyber threats, restructures penalties, and establishes a clearer institutional framework. The Bangladesh government, the Digital Security Agency (DSA), and the Bangladesh Telecommunication Regulatory Commission (BTRC) all play roles in the CSA 2023's implementation.

In parallel, the Penal Code 1860, the Evidence Act 1872 (as updated for digital evidence), the Women and Children Repression Prevention Act 2000, the Pornography Control Act 2012, and the Money Laundering Prevention Act 2012 all apply to various categories of cyber crime.

The transition from the Digital Security Act 2018 to the Cyber Security Act 2023 brought several important changes. The table below compares the two laws across the most important dimensions:

Important: If your case was originally filed under the DSA 2018, it continues to be governed by DSA provisions — the CSA 2023 does not retroactively apply to cases already initiated under the DSA.

The Cyber Security Act 2023 defines a comprehensive range of cyber offences. Below is a detailed table of the key sections, the offences they cover, and the applicable penalties:

Note: Penalties may be compounded where multiple sections are violated simultaneously. Courts also have discretion to impose both imprisonment and fines, and repeated offenders face enhanced penalties under Section 54 of the CSA 2023.

Despite the enactment of the Cyber Security Act 2023, the Information and Communication Technology Act 2006 (ICT Act 2006) remains relevant in several important ways in 2026:

• Pending Cases: All cases registered under the ICT Act 2006 prior to the DSA 2018's enactment, and all DSA 2018 cases filed before the CSA 2023 came into effect, continue to be tried under those original Acts. The CSA 2023 does not retroactively dismiss or modify these cases.
• Electronic Contracts and Transactions: Part IV of the ICT Act 2006 governing electronic records, digital signatures, and electronic contracts remains in force and is supplemented by subsequent regulations. These provisions underpin the legal validity of e-commerce transactions, digital documents, and online agreements in Bangladesh.
• Certificate Authorities: The framework for licensed Certificate Authorities (CAs) that issue digital signatures is established under the ICT Act 2006 and continues to operate.
• IT Policy Framework: Several government IT regulations and guidelines are still issued under the authority of the ICT Act 2006 in areas not specifically covered by the CSA 2023.

The most practically important continuing application of the ICT Act 2006 is in old Section 57 cases. Hundreds of cases were filed under Section 57 between 2013 and 2018 — these are still progressing through the courts and are governed entirely by the old law. Accused persons in those cases cannot benefit from the more lenient provisions of the CSA 2023 unless specifically provided for by statute or court order.

The Cyber Tribunal is a specialised court established under the Cyber Security Act 2023 (Section 50) with exclusive jurisdiction to try all offences under the Act. Understanding how it operates is essential for victims pursuing justice and accused persons facing prosecution.

Establishment and Jurisdiction: The government establishes Cyber Tribunals by official notification. Currently, Bangladesh has a Cyber Tribunal in Dhaka with jurisdiction over the entire country, though additional tribunals may be established in divisional cities. Each Cyber Tribunal is presided over by a Sessions Judge-level officer appointed by the government.

Key Procedural Features:

• Charge Sheet Deadline: After arrest, investigators must file a charge sheet (challan) within 60 days. The Tribunal may extend this by 30 days for complex investigations requiring digital forensics.
• Trial Timeline: The CSA 2023 mandates that trials be completed within 180 working days from charge sheet filing wherever possible, though in practice timelines are longer.
• Digital Evidence: The Tribunal accepts digital evidence including screenshots, electronic records, IP logs, server data, and forensic reports from certified labs. The evidentiary standards are governed by the Evidence Act 1872 as read with the CSA 2023.
• Victim Participation: Unlike some criminal courts, cyber crime victims may engage a private advocate to assist the public prosecutor at the Cyber Tribunal, giving victims an additional voice in proceedings.
• Appeals: Convictions or acquittals from the Cyber Tribunal are appealable to the High Court Division of the Bangladesh Supreme Court within 60 days of judgment.
• Bail Applications: Bail applications for non-bailable cyber crime offences are heard by the Cyber Tribunal itself. If the Tribunal refuses bail, the accused may appeal to the High Court Division under Section 498 of the Code of Criminal Procedure 1898.

Bangladesh law recognises a range of rights for victims of cyber crime. Being aware of these rights empowers victims to demand proper investigation, protection, and justice:

• Right to File a Complaint: Every person has the right to file a cyber crime complaint directly with the police or the Cyber Tribunal under Section 31 of the Cyber Security Act 2023, regardless of where in Bangladesh they reside.
• Right to Information: Victims are entitled to receive a written acknowledgement of their complaint and to be informed of the progress of investigation at reasonable intervals.
• Right to Content Removal: Victims of defamatory or privacy-violating content may apply to the Bangladesh Telecommunication Regulatory Commission (BTRC) or CID under Section 43 of the CSA 2023 for emergency blocking of the offending digital content while the case is pending.
• Right to Privacy Protection: Victim identity and personal details are protected under police confidentiality rules and are not disclosed to the accused or the public without the victim's consent, particularly in cases involving sexual crimes or domestic abuse.
• Right to Legal Representation: Victims may hire their own private lawyer to assist the state prosecutor throughout investigation and trial proceedings. This right is particularly valuable in complex financial fraud or corporate espionage cases.
• Right to Compensation: While the CSA 2023 does not contain a specific victim compensation scheme, courts may order restitution as part of a conviction sentence. Civil suits for damages are also available in parallel with criminal proceedings under the Code of Civil Procedure 1908.
• Right Against False Counter-Complaints: Under Section 53 of the CSA 2023, any person who files a malicious or false cyber crime complaint — including false counter-complaints filed by accused persons — is subject to criminal liability.

False cyber crime accusations are a serious and growing problem in Bangladesh, as the legal process is complex and the reputational damage from mere accusation can be devastating. If you have been falsely accused under the Cyber Security Act 2023 or the Digital Security Act 2018, take the following immediate steps:

1. Do Not Ignore or Delay: Even if you know the accusation is false, do not ignore a police summons or CCIC notice. Failure to respond can result in an arrest warrant. Respond promptly through your lawyer.
2. Hire a Cyber Crime Lawyer Immediately: This is the single most important step. An experienced advocate can review the complaint, identify its weaknesses, preserve exculpatory evidence, and begin building your defence before you are formally arrested.
3. Secure Your Digital Devices: Preserve all your devices (phone, laptop, computer) in their current state. Do not delete any data — your devices may need to undergo forensic examination to prove your innocence.
4. Gather Alibi and Exculpatory Evidence: Collect evidence that disproves the allegations — for example, evidence that you were in a different location, that your account was hacked by a third party, that you had no knowledge of the content, or that the complainant has a documented history of harassment against you.
5. Apply for Anticipatory Bail: If you believe you may be arrested, your lawyer can apply for anticipatory bail before the Cyber Tribunal or the High Court Division under Section 498A of the CrPC (as applicable). This prevents arbitrary arrest while the merits of the accusation are assessed.
6. File a Counter-Complaint if Appropriate: If the false accusation is part of a deliberate harassment campaign, your lawyer can file a complaint under Section 53 of the CSA 2023 (false complaint) and potentially under Sections 499–500 of the Penal Code 1860 (defamation).
7. Engage a Digital Forensics Expert: For technical accusations (e.g., you are accused of hacking but did not do so), a certified digital forensics expert can independently analyse your devices and provide a technical exculpatory report for use at the Cyber Tribunal.

Bail in cyber crime cases is one of the most practically significant aspects of the Cyber Security Act 2023, particularly because many cyber offences are cognizable and non-bailable. Here is what the law provides:

• Non-Bailable Offences (No Right to Bail at Police Station): Offences under Sections 17 (aggravated hacking), 20 (malware), 21 (obscene content), 27 (cyber terrorism), 28 (communal content), 31 (public disorder), 32 (espionage), and 33 (financial system hacking) are non-bailable. This means the police cannot grant bail — only a court (the Cyber Tribunal or High Court) can.
• Bailable Offences: Offences under Sections 19 (interception), 24 (identity theft), 25 (offensive messages), 26 (data theft), and 29 (defamation) are bailable under the CSA 2023, representing a significant reform compared to the DSA 2018.
• Bail Application at Cyber Tribunal: For non-bailable offences, the accused or their lawyer must file a formal bail application before the Cyber Tribunal, accompanied by sureties and an affidavit. The Tribunal considers: nature of the offence, risk of flight, risk of evidence tampering, and the accused's criminal history.
• High Court Bail: If the Cyber Tribunal refuses bail, the accused can apply to the High Court Division of the Bangladesh Supreme Court under Section 498 of the CrPC. High Court bail applications in cyber crime matters are heard by designated benches.
• Bail Conditions: The court may impose conditions such as: surrendering passport, reporting to the police station weekly, not contacting the victim or witnesses, and not accessing the internet (in cases involving ongoing digital harm).

Given the complexity of cyber crime bail proceedings, anyone arrested under the Cyber Security Act 2023 should immediately instruct an advocate experienced in both cyber law and criminal procedure.

Whether you are a victim seeking justice or an accused person defending your rights, navigating Bangladesh's cyber crime legal landscape requires specialist legal knowledge. The Cyber Security Act 2023, the Cyber Tribunal's procedural rules, digital evidence law, and the interface between criminal and civil remedies form a complex web that demands expert guidance.

Specific situations requiring immediate legal consultation include:

• You or your business has suffered a cyber attack, financial fraud, or data breach.
• Your social media account has been hacked and is being used for defamation or fraud in your name.
• You have received a police notice or been named as an accused in a cyber crime FIR.
• You need a court order to compel removal of defamatory content or to freeze a fraudulent account.
• You are a journalist or activist facing a cyber crime accusation in connection with your published work.
• Your company needs a legal review of its data protection and cyber security compliance obligations under Bangladesh law.

Advocate Md. Shah Alam, practising from his Uttara chamber in Dhaka, has extensive experience in cyber crime cases under both the Digital Security Act 2018 and the Cyber Security Act 2023. He represents clients at the CCIC complaint stage, before the Cyber Tribunal, and in bail and appeal matters at the High Court Division of the Bangladesh Supreme Court. His practice also covers related matters including financial fraud recovery, defamation law, and corporate data breach response.

To discuss your cyber law matter — whether you are a victim or an accused — contact our office today or visit our Criminal Law services page for more information. Early legal intervention is always more effective than waiting until a crisis becomes unmanageable.

The Digital Security Act 2018 (DSA 2018) was replaced by the Cyber Security Act 2023 (CSA 2023), which came into force in Bangladesh in late 2023. The CSA 2023 narrowed several overbroad provisions of the DSA 2018, reclassified some non-bailable offences as bailable, and introduced stricter safeguards against misuse. However, cases already filed under the DSA 2018 continue to be tried under that Act.

Under Section 17 of the Cyber Security Act 2023, the punishment for hacking (illegal access to computer systems) is up to 7 years imprisonment for a first offence. For aggravated or repeated hacking — particularly targeting critical national infrastructure — the penalty rises to up to 14 years imprisonment and a fine of up to BDT 1 crore. Aggravated hacking is a non-bailable offence.

Yes. Section 29 of the Cyber Security Act 2023 makes online defamation a criminal offence punishable by up to 3 years imprisonment and a fine of up to BDT 5 lakh. Importantly, the CSA 2023 made online defamation a bailable offence — a reform from the DSA 2018 where it was non-bailable. Defamation must be shown to have been published online with intent to harm the victim's reputation.

The Cyber Tribunal is a specialised court established under Section 50 of the Cyber Security Act 2023 with exclusive jurisdiction to try all offences under the Act. It is presided over by a Sessions Judge-level officer. Cyber Tribunal decisions can be appealed to the High Court Division of the Bangladesh Supreme Court within 60 days. The Tribunal also hears bail applications for non-bailable cyber crime offences.

Yes. Under Section 43 of the Cyber Security Act 2023, CID or the investigating authority can recommend emergency content blocking to the Bangladesh Telecommunication Regulatory Commission (BTRC). The BTRC has the power to direct internet service providers to block specific URLs, social media content, or entire platforms. Victims can also directly approach BTRC with a legal notice. A lawyer can file an urgent application to expedite this process while the criminal case is pending.

If you are falsely accused under the Cyber Security Act 2023, take these immediate steps: (1) hire an experienced cyber crime lawyer without delay, (2) preserve all your digital devices and do not delete any data, (3) apply for anticipatory bail if arrest seems imminent, (4) collect all alibi and exculpatory evidence, (5) instruct a digital forensics expert if the accusation involves technical claims (hacking, etc.), and (6) consider filing a counter-complaint under Section 53 of the CSA 2023 if the accusation is clearly malicious.