Data protection
1. Local data protection laws and scope
The Personal Data Protection Law (“PDPL”), issued pursuant to Royal Decree No. 6/2022, is Oman’s primary data protection legislation. The PDPL came into force on 13 February 2023. It establishes a comprehensive framework for the protection of personal data, setting out the rights of data subjects, the obligations of controllers and processors, and the rules governing the processing, storage and transfer of personal data.
The PDPL applies to the processing of personal data by any natural or legal person using any means within the Sultanate of Oman. It also has extraterritorial scope, applying to the processing of personal data of individuals located in Oman by controllers or processors established outside of Oman, where the processing activities relate to the offering of goods or services to data subjects in Oman, or the monitoring of their behaviour within Oman.
The Electronic Transactions Law, issued pursuant to Royal Decree No. 39/2025, establishes the legal framework for electronic transactions, electronic signatures, electronic records, and trust services. It includes provisions relevant to data protection in the context of electronic transactions and communications, including obligations on trust service providers regarding the confidentiality of information obtained in the course of providing their services.
The Cyber Crime Law, issued pursuant to Royal Decree No. 61/2026, creates criminal offences for the misuse of personal data obtained through information technology systems, including unauthorised access to and disclosure of personal data.
2. Data protection authority
The Ministry of Transport, Communications and Information Technology (“MTCIT”) is the supervisory authority responsible for the implementation and enforcement of the PDPL. The MTCIT has the power to receive and investigate complaints, conduct inspections, issue guidance, and impose administrative sanctions for non-compliance with the PDPL.
3. Anticipated changes to local laws
The PDPL provides for the issuance of executive regulations (implementing regulations) to supplement the law and provide further detail on its application. As at 2026, the executive regulations are expected to address, among other matters, the detailed requirements for cross-border data transfers, data protection impact assessments, the appointment and role of data protection officers, and the specific technical and organisational security measures required of controllers and processors.
The MTCIT may also issue sector-specific guidance and codes of practice to assist organisations in complying with their obligations under the PDPL. The evolving regulatory landscape means that organisations operating in Oman should monitor developments closely.
4. Sanctions & non-compliance
Fines: The PDPL provides for fines for violations of the law. The maximum fine under the PDPL is OMR 500,000 (approximately USD 1.3 million) for unlawful cross-border transfers of personal data (Article 29). Other fines range from OMR 500 to OMR 20,000 depending on the nature of the violation (Articles 25–28). Legal persons may be fined between OMR 5,000 and OMR 100,000 where the offence is committed in their name or for their account (Article 30). The MTCIT may also impose administrative fines not exceeding OMR 2,000 for violations of the PDPL, its regulations, or decisions issued in its implementation (Article 32).
Criminal sanctions: The PDPL itself does not provide for imprisonment; all penalties under the PDPL are monetary fines. However, the Cyber Crime Law (Royal Decree No. 61/2026) imposes criminal penalties, including imprisonment and fines, for offences relating to the misuse of personal data through information technology systems, including the unauthorised access to, interception of, or disclosure of personal data. Separate criminal liability may also arise under the Penal Law where applicable (Article 24 of the PDPL preserves the application of more severe punishments under other laws).
Others: The MTCIT may also issue orders requiring the controller or processor to take corrective action, including ceasing or restricting certain processing activities, rectifying or erasing personal data, and/or notifying data subjects of breaches. The MTCIT may also refer matters to the Public Prosecution where criminal liability is suspected.
5. Registration / notification / authorisation
The PDPL does not currently impose a general registration or notification requirement on controllers or processors. However, controllers are required to maintain records of their processing activities and to make these available to the MTCIT upon request. The executive regulations, once issued, may introduce additional registration, notification or authorisation requirements.
6. Main obligations and processing requirements
The PDPL sets out a number of core data protection principles that controllers must comply with when processing personal data. These include:
Lawfulness, transparency and consent: The PDPL requires that personal data must not be processed except within the framework of transparency, honesty, and respect for human dignity, and after the explicit consent of the data subject (Article 10). The controller must prove the written consent of the data subject. The PDPL does not enumerate a list of alternative lawful bases for processing in the manner of the EU GDPR. However, Article 3 provides that the PDPL does not apply to processing carried out for certain purposes, including protection of national security or public interest, implementation of state administrative functions, compliance with a legal obligation, protection of the economic and financial interests of the state, protection of a vital interest of the data subject, detection or prevention of crime, execution of a contract to which the data subject is a party, processing within the personal or family sphere, and authorised research purposes.
Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes, and must not be further processed in a manner incompatible with those purposes.
Data minimisation: Only personal data that is adequate, relevant and limited to what is necessary for the purposes of processing may be collected and processed.
Accuracy: Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data is erased or rectified without delay.
Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
Integrity and confidentiality (security): Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
Consent and sensitive personal data: As noted above, the PDPL requires the explicit written consent of the data subject for any processing of personal data (Article 10). For the processing of sensitive personal data (including genetic data, biometric data, health data, racial origin, sex life, political or religious opinions, philosophical beliefs, criminal convictions, or data relating to security measures), the PDPL goes further and requires a permit from the MTCIT before such processing may take place, in accordance with the controls and procedures determined by the executive regulations (Article 5). Processing of a child’s personal data requires the approval of the child’s guardian, unless such processing is in the best interest of the child (Article 6).
Privacy notices: Controllers must provide data subjects with clear and accessible information about the processing of their personal data, including the identity of the controller, the purposes of processing, the categories of personal data processed, the recipients of the data, any cross-border transfers, retention periods, and the rights available to the data subject.
7. Data subject rights
The PDPL grants data subjects a number of rights in relation to their personal data (Article 11). These include:
Right to revoke consent: Data subjects have the right to revoke their consent to the processing of their personal data, without prejudice to the processing that took place prior to the revocation (Article 11(a)).
Right to amendment, update, or blocking: Data subjects have the right to request to have their personal data amended, updated, or blocked (Article 11(b)).
Right to obtain a copy: Data subjects have the right to obtain a copy of their processed personal data (Article 11(c)).
Right to data portability: Data subjects have the right to transfer their personal data to another controller (Article 11(d)).
Right to erasure: Data subjects have the right to request the erasure of their personal data, unless such processing is necessary for the purposes of national archiving and documentation (Article 11(e)).
Right to be notified of breaches: Data subjects have the right to be notified of any breach or infringement of their personal data, and of the actions taken in that regard (Article 11(f)).
Complaints: Data subjects have the right to submit a complaint to the MTCIT if they consider that the processing of their personal data is not in compliance with the provisions of the PDPL (Article 12).
8. Processing by third parties
Due diligence: Controllers must select processors that provide sufficient guarantees to implement appropriate technical and organisational measures so as to ensure that the processing meets the requirements of the PDPL and protects the rights of data subjects.
Mandatory contract terms (processor agreement): The PDPL requires that the relationship between the controller and the processor be governed by a written contract. The contract must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller. The processor must only process personal data on documented instructions from the controller and must implement appropriate technical and organisational security measures.
Sub-processors: The processor must not engage another processor (sub-processor) without the prior written authorisation of the controller. Where a sub-processor is engaged, the same data protection obligations as set out in the contract between the controller and the processor must be imposed on the sub-processor.
9. Transfers out of country
The PDPL restricts the transfer of personal data outside the Sultanate of Oman. Under Article 23, the controller may transport personal data and permit its transfer outside the borders of the Sultanate of Oman in accordance with the controls and procedures to be determined by the executive regulations. However, the controller is prohibited from transporting personal data if it has been processed in violation of the provisions of the PDPL, or if it would cause harm to the data subject. The MTCIT also has the power to suspend the transfer of personal data to another state or an international organisation under Article 8(d).
The PDPL does not itself establish a formal adequacy determination mechanism or list approved safeguards (such as standard contractual clauses or binding corporate rules). These details are expected to be addressed in the executive regulations once issued. Pending the issuance of the executive regulations, organisations should exercise caution and ensure that any cross-border transfers do not cause harm to the data subject and are conducted in compliance with the PDPL.
The executive regulations are expected to provide further detail on the criteria for adequacy assessments, the approved safeguards for cross-border transfers, and any sector-specific requirements.
10. Data Protection Officer
The PDPL requires the controller to identify a personal data protection officer (“DPO”) (Article 20). This appears to be a general obligation applicable to all controllers. The executive regulations are to determine the controls for selecting the DPO and their duties. The PDPL does not limit the DPO requirement to controllers engaged in large-scale monitoring or processing of sensitive data.
The specific duties, qualifications, and role of the DPO are to be determined by the executive regulations. Article 14(b) of the PDPL requires the controller to notify data subjects of the contact details of the personal data protection officer as part of the pre-processing notification.
As the executive regulations have not yet been issued, the full scope of the DPO’s duties and any exemptions from the obligation remain to be clarified.
11. Security
The PDPL requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects.
Measures may include, as appropriate, pseudonymisation and encryption of personal data, ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Controllers must also be able to demonstrate compliance with the security requirements of the PDPL, including through the maintenance of appropriate documentation and records.
12. Breach notification
The PDPL requires the controller, in the event of a personal data breach that leads to the destruction, alteration, disclosure, or access to personal data, or to its processing in an illegal manner, to notify the MTCIT and the data subject of the breach, in accordance with the controls and procedures to be determined by the executive regulations (Article 19). The PDPL does not specify a 72-hour notification deadline; the timeframe and procedure for notification are to be set out in the executive regulations.
The PDPL requires notification to both the MTCIT and the data subject. The specific content, format, and timing requirements for breach notifications are to be determined by the executive regulations. The PDPL does not prescribe the minimum content of the notification or distinguish between notifications to the authority and notifications to data subjects in the manner of the EU GDPR.
The PDPL does not distinguish between breaches posing ‘high risk’ and other breaches for the purposes of data subject notification. All breaches falling within Article 19 require notification to both the MTCIT and the affected data subject. The executive regulations may introduce further distinctions or exceptions.
The PDPL does not contain a separate obligation on processors to notify controllers of breaches. The obligation in Article 19 is placed on the controller. However, the executive regulations may introduce further obligations on processors in this regard. Controllers must retain the documents of data processing operations in accordance with the periods and procedures determined by the executive regulations (Article 17).
13. Direct marketing
The PDPL provides that personal data must not be processed for direct marketing purposes unless the data subject has given prior consent. Data subjects have the right to object at any time to the processing of their personal data for direct marketing purposes, and where such objection is made, the personal data must no longer be processed for such purposes.
The Telecommunications Regulatory Authority (“TRA”) also regulates certain aspects of direct marketing in the context of electronic communications. Unsolicited commercial electronic communications, including bulk SMS marketing and promotional emails, are subject to restrictions under the Telecommunications Act and associated regulations.
In practice, organisations conducting direct marketing activities in Oman should ensure that they have obtained the necessary consent from individuals and that they provide a clear and accessible mechanism for individuals to opt out of receiving further marketing communications.
14. Cookies and adtech
The PDPL does not contain specific provisions dedicated exclusively to cookies and adtech. However, the general principles of the PDPL apply to any processing of personal data through cookies, tracking technologies, and advertising technology. Where cookies or similar technologies collect or process personal data, the controller must comply with the PDPL’s requirements regarding lawful basis, transparency, purpose limitation, and data subject consent.
Organisations should ensure that users are provided with clear and comprehensive information about the use of cookies and similar technologies, and that appropriate consent is obtained where personal data is collected or processed through such technologies. The executive regulations may introduce more specific requirements regarding the use of cookies and tracking technologies in due course.
15. Risk scale
Moderate
16. Useful links
- Ministry of Transport, Communications and Information Technology (MTCIT): https://www.mtcit.gov.om
- Personal Data Protection Law (Royal Decree No. 6/2022): Available via the Official Gazette of the Sultanate of Oman
- Telecommunications Regulatory Authority (TRA): https://www.tra.gov.om
- Information Technology Authority (ITA): https://www.ita.gov.om
Cybersecurity
1. Local cybersecurity laws and scope
The key cybersecurity laws and regulations that apply in Oman include the following:
Cyber Crime Law, issued pursuant to Royal Decree No. 61/2026 (the “Cyber Crime Law”): This is Oman’s primary cybercrime legislation. It criminalises a range of cyber offences, including unauthorised access to information technology systems, interception of data, interference with systems and data, misuse of electronic content, and cyber fraud.
Electronic Transactions Law, issued pursuant to Royal Decree No. 39/2025 (the “ETL”): The ETL establishes the legal framework for electronic transactions, electronic signatures, electronic records, and trust services. It includes provisions relevant to the security and integrity of electronic communications and transactions, intermediary liability, and the regulation and licensing of trust service providers.
Personal Data Protection Law, issued pursuant to Royal Decree No. 6/2022 (the “PDPL”): The PDPL contains obligations relating to the security of personal data processing, including requirements for controllers and processors to implement appropriate technical and organisational measures. See the “Data Protection” section above for full details.
Telecommunications Act, issued pursuant to Royal Decree No. 30/2002 (the “Telecommunications Act”): The Telecommunications Act establishes the regulatory framework for the telecommunications sector and includes provisions relevant to the security of telecommunications networks and services.
Sector-specific regulations: Certain sectors, including banking and financial services (regulated by the Central Bank of Oman), are subject to additional cybersecurity requirements and guidelines issued by their respective regulators.
2. Anticipated changes to local laws
The Omani government has indicated its intention to continue developing and strengthening its cybersecurity legal and regulatory framework. This includes the potential introduction of a dedicated national cybersecurity law and the issuance of further executive regulations under the PDPL relating to the security of personal data processing.
The Information Technology Authority (ITA) and the MTCIT have been working on national cybersecurity strategies and frameworks, and further regulatory guidance is expected to be issued in areas such as critical infrastructure protection, incident reporting requirements, and minimum cybersecurity standards for public and private sector organisations.
Oman is also monitoring international developments, including the EU NIS 2 Directive and other international cybersecurity standards, to inform the development of its own regulatory approach.
3. Application
Cyber Crime Law: The Cyber Crime Law applies broadly to all persons (natural and legal) who commit cyber offences using information technology systems within Oman, or where the effects of such offences are felt within Oman. The law has extraterritorial application in respect of certain offences committed outside Oman that target or affect Omani systems, data, or individuals.
PDPL: The cybersecurity obligations under the PDPL apply to all controllers and processors that process personal data within or in connection with Oman, including those established outside Oman where they process the personal data of individuals located in Oman.
Telecommunications Act: The Telecommunications Act applies to providers of public telecommunications networks and services in Oman, which are subject to the regulatory oversight of the Telecommunications Regulatory Authority (TRA).
Sector-specific regulations: Organisations operating in regulated sectors (such as banking, finance and telecommunications) are subject to additional cybersecurity requirements imposed by their respective sectoral regulators, including the Central Bank of Oman and the TRA.
4. Authority
A number of different authorities have competent jurisdiction over cybersecurity matters in Oman, depending on the relevant laws and regulations that apply:
Ministry of Transport, Communications and Information Technology (MTCIT): The MTCIT is the primary government ministry responsible for ICT policy, including cybersecurity policy, and is the supervisory authority under the PDPL.
Information Technology Authority (ITA): The ITA, which operates under the MTCIT, has historically played a key role in implementing national cybersecurity initiatives, including the operation of Oman’s national CERT (Oman CERT). The ITA oversees the development and implementation of cybersecurity policies and standards.
Telecommunications Regulatory Authority (TRA): The TRA regulates the telecommunications sector and has oversight of the security obligations of telecommunications operators and service providers.
Central Bank of Oman (CBO): The CBO regulates the banking and financial services sector and imposes cybersecurity requirements on banks and financial institutions operating in Oman.
Royal Oman Police (ROP): The ROP is responsible for the investigation and prosecution of cybercrimes under the Cyber Crime Law.
5. Key obligations
Cyber Crime Law: The Cyber Crime Law does not impose affirmative cybersecurity obligations on organisations in the manner of the UK NIS Regulations. Rather, it criminalises specific cyber offences and thereby incentivises organisations to maintain adequate cybersecurity measures to prevent and detect such offences.
PDPL: As set out in the “Data Protection” section above, controllers and processors must implement appropriate technical and organisational measures to ensure the security of personal data. This includes measures to protect against unauthorised access, disclosure, alteration, destruction or loss of personal data. Controllers must also notify the MTCIT and, in certain cases, data subjects of personal data breaches.
Telecommunications Act: Telecommunications operators and service providers are required to take appropriate measures to ensure the security and integrity of their networks and services. This includes measures to manage the risks posed to the security of networks and information systems, and to prevent and minimise the impact of security incidents.
Central Bank of Oman: Banks and financial institutions are subject to cybersecurity requirements issued by the CBO, including requirements to implement cybersecurity frameworks, conduct regular vulnerability assessments and penetration testing, report cybersecurity incidents to the CBO, and maintain business continuity and disaster recovery plans.
6. Sanctions & non-compliance
Cyber Crime Law: The Cyber Crime Law provides for criminal penalties, including imprisonment and fines, for cyber offences. Penalties vary depending on the nature and severity of the offence:
- Unauthorised access to information technology systems is punishable by imprisonment for a period of not less than one month and not more than three years, and/or a fine of not less than OMR 100 and not more than OMR 3,000.
- More serious offences, such as interference with critical infrastructure, data destruction, or cyber fraud, carry enhanced penalties, including imprisonment of up to ten years and fines of up to OMR 50,000.
PDPL: Violations of the security and breach notification obligations under the PDPL are subject to the administrative fines and criminal penalties set out in the “Data Protection” section above.
Telecommunications Act: The TRA has the power to impose administrative sanctions on telecommunications operators for non-compliance with security obligations, including fines, suspension or revocation of licences, and orders to take corrective action.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes. Oman has established the Oman National Computer Emergency Readiness Team (Oman CERT), which operates under the Information Technology Authority (ITA) / MTCIT. Oman CERT is responsible for monitoring, detecting, analysing and responding to cybersecurity threats and incidents affecting Oman’s information technology infrastructure.
Oman CERT’s responsibilities include: monitoring cybersecurity threats and vulnerabilities; issuing early warnings, alerts, and advisories; responding to cybersecurity incidents; coordinating incident response with public and private sector organisations; promoting cybersecurity awareness and best practices; and participating in international CERT/CSIRT cooperation and information-sharing networks.
8. National cybersecurity incident management structure
Oman has a national cybersecurity incident management structure coordinated by Oman CERT and the MTCIT. Oman CERT serves as the central point of contact for the reporting and coordination of cybersecurity incidents at the national level. It works in cooperation with government agencies, critical infrastructure operators, telecommunications providers, and private sector organisations to manage and respond to significant cybersecurity incidents.
Sector-specific incident response mechanisms also exist. For example, the Central Bank of Oman requires financial institutions to report cybersecurity incidents to the CBO and to maintain their own incident response capabilities.
9. Other cybersecurity initiatives
National Cybersecurity Strategy: Oman has adopted a national cybersecurity strategy aimed at enhancing the country’s cybersecurity posture across government, critical infrastructure and the private sector. The strategy focuses on building national cyber resilience, developing cybersecurity capabilities and human resources, strengthening international cooperation, and fostering a culture of cybersecurity awareness.
Cybersecurity awareness and capacity building: The ITA and MTCIT have implemented various cybersecurity awareness programmes and capacity-building initiatives targeting government entities, the private sector, and the general public. These include training programmes, workshops, and public awareness campaigns.
International cooperation: Oman participates in regional and international cybersecurity cooperation initiatives, including through membership in the International Telecommunication Union (ITU), the Organisation of Islamic Cooperation Computer Emergency Response Teams (OIC-CERT), and the Gulf Cooperation Council (GCC) cybersecurity working groups.
Critical infrastructure protection: The Omani government has identified critical infrastructure protection as a key priority, and has been developing frameworks and standards for the cybersecurity of critical national infrastructure, including the energy, water, transport, and telecommunications sectors.
10. Useful links
- Oman National CERT: https://www.cert.gov.om
- Telecommunications Regulatory Authority (TRA): https://www.tra.gov.om
- Central Bank of Oman (CBO): https://cbo.gov.om
- Ministry of Transport, Communications and Information Technology (MTCIT): https://www.mtcit.gov.om
- Information Technology Authority (ITA): https://www.ita.gov.om