Digital & Cyber Law in Bangladesh: The Definitive Professional Guide by Afzal Hosen Mandal | Afzal & Associates

Digital & Cyber Law in Bangladesh: The Definitive Professional Guide

Q: What is the exact procedure for serving a legal notice to a social media platform to remove defamatory content in Bangladesh?

First, legally preserve the evidence (screen recordings with hash values). A formal legal notice citing the specific offending content is sent to the platform's registered agent. Simultaneously, a complaint may be filed with the BTRC and a criminal complaint can be initiated.

Q: If my company uses an international cloud provider and data is stored in their Singapore data center, are we in violation of the upcoming Data Protection Act?

Not necessarily in violation per se, but you are in a state of unregularized risk. The most common legal mechanism will be Standard Contractual Clauses or Binding Corporate Rules.

By Afzal Hosen Mandal, Legal Advisor & Digital Law Specialist, Afzal & Associates

Published: May 1, 2025 | Updated: May 1, 2025 | Reading Time: 35 minutes

📑 Table of Contents

Introduction: The Digital Imperative and the Stakes in Bangladesh
The Complete Legal Framework: Annotated Acts, Official Links, and Penalty Regimes
Digital Law in Depth: The Rulebook for Internet Transactions and Identity
Cybersecurity Law: A Proactive Legal and Organizational Mandate
Data Protection: Operationalizing Privacy in a Pre-Regulation Landscape
Cybercrime Law: Navigating the Criminal Justice System for Digital Offences
The Afzal & Associates Service Methodology
Illustrative Client Scenarios
Frequently Asked Questions
Conclusion: Secure Your Digital Future
About the Author & Contact Information

1. Introduction: The Digital Imperative and the Stakes in Bangladesh | Afzal Hosen Mandal

Dhaka skyline transitioning into digital data streams with a protective translucent shield - The Digital Imperative by Afzal Hosen Mandal | Afzal & Associates

A panoramic view of Dhaka's skyline dissolving into digital data streams, symbolizing the convergence of the physical and digital legal realms. A protective shield overlays the digital side, encapsulating the mission of Afzal Hosen Mandal and Afzal & Associates in securing Bangladesh's digital future.

The transformation of Bangladesh into a digital economy is no longer a prediction—it is the operating environment. The nation's internet subscriber base exceeds 130 million, mobile financial services process transactions worth billions of takas daily, and both the government and private sector are migrating critical services to digital platforms. This rapid digitization has created a parallel universe of legal risk. A single successful phishing attack can expose the personal data of hundreds of thousands of customers. An ill-drafted online contract can render a business utterly unenforceable in court. An accusation of cybercrime, even if unfounded, can irreparably damage a professional career before any judicial determination is made.

The legal response has been robust and is still evolving. Bangladesh has enacted a suite of overlapping and interlocking statutes designed to criminalize malicious cyber activity, mandate operational security standards, and, very shortly, confer comprehensive personal data rights on its citizens. For any organization—corporation, startup, NGO, or public body—the challenge is no longer whether to address these laws, but how to build an integrated legal and technical compliance posture that is both effective and sustainable. At Afzal & Associates, under the leadership of Afzal Hosen Mandal, our practice is built on the principle that digital law is not merely a reactive shield against prosecution, but a proactive enabler of trust, investor confidence, and commercial advantage. This guide is our professional synthesis of the entire landscape, delivered with the depth and precision our clients rely upon.

The stakes could not be higher. Regulatory enforcement is intensifying. The Cyber Security Act 2023 has brought a new institutional architecture with dedicated tribunals and agencies. The impending Data Protection Act will introduce a GDPR-style compliance burden with significant financial penalties. In this environment, legal ignorance is not a defence; it is a direct path to operational disruption, financial loss, and reputational damage. This guide, authored by Afzal Hosen Mandal, is designed to equip business leaders, in-house counsel, compliance officers, and any digitally active individual with a thorough understanding of the law and a clear path to compliance.

2. The Complete Legal Framework: Annotated Acts, Official Links, and Penalty Regimes | Afzal Hosen Mandal

Seven official law scrolls glowing on a library table connected by digital circuits - Complete Legal Framework curated by Afzal Hosen Mandal | Afzal & Associates

The foundational legislative framework: seven core statutes arranged in an arc, connected by digital circuits and emanating holographic icons. This curated legal library forms the basis of all advisory and litigation work by Afzal Hosen Mandal at Afzal & Associates.

A proper legal practice is built on the statutes themselves. Below, we provide the authoritative list of primary legislation, linked directly to the official Legislative and Parliamentary Affairs Division database, along with essential commentary on their purpose and penalty structures. This framework is the bedrock of every consultation, compliance audit, and litigation strategy executed by Afzal Hosen Mandal and the team at Afzal & Associates.

2.1 Core Digital & Cyber Laws

Information and Communication Technology Act, 2006 – This is the genesis statute for the digital legal ecosystem. It established the legal recognition of electronic records, electronic signatures, and the Controller of Certifying Authorities (CCA). Critically, it defined foundational cyber offences, including hacking (Section 56), tampering with computer source code (Section 55), and publishing false digital signature certificates. Penalties include imprisonment of up to 10 years and substantial fines. It remains in force for non-conflicting provisions and electronic commerce facilitation.
Cyber Security Act, 2023 – The premier legislation governing cybersecurity and cybercrime today. It repealed and replaced the Digital Security Act 2018 with a more structured, institutionalized approach. It establishes the Digital Security Agency, defines and protects Critical Information Infrastructure (CII), and creates a comprehensive framework of offences. Section 17 penalizes illegal entry into a CII with up to 14 years of imprisonment. Section 26 criminalizes data poisoning, while Section 29 addresses transmission of offensive or false data. The Act mandates incident reporting and cooperation with forensic investigations.
Digital Security Act, 2018 – This Act remains directly relevant for all cases registered between 2018 and the enactment of its successor, and for the interpretation of transitional provisions. Its provisions on official secrecy, defamation, and the power to block content have generated significant jurisprudence that continues to inform the application of the 2023 Act.

2.2 Evidence & Criminal Procedure

Evidence Act, 1872 – The admissibility of digital materials in Bangladeshi courts hinges on amendments to this Act. Sections 45 and 45A permit the opinion of digital forensic examiners, while Section 65B provides the special procedure for proving the contents of electronic records. A certificate identifying the electronic record and describing the manner of its production is a statutory prerequisite; failure to produce a proper certificate can render the most incriminating server log inadmissible.
Code of Criminal Procedure, 1898 – All investigation, arrest, search, seizure, bail, and trial for cybercrimes proceed under this Code, subject to special provisions in the Cyber Security Act 2023. Section 165 search warrants, Section 167 remand procedures, and Section 498 bail provisions are applied daily in cyber tribunals.
Penal Code, 1860 – The general penal statute applies to fraud (Section 420), cheating by personation (Section 416), criminal defamation (Section 499), and criminal intimidation (Section 506) committed through digital means.

2.3 Data Protection & Privacy

Data Protection Act (Draft/Framework) – ICT Division Official Page – This link leads to the official repository of drafts, white papers, and stakeholder consultation materials for Bangladesh's comprehensive data protection law. The draft Act is modeled on global standards, especially the GDPR, and will create a Data Protection Authority. Penalties are expected to include fines of up to 5 percent of annual global turnover for specific violations.

2.4 E-Commerce & Consumer Protection

Consumer Rights Protection Act, 2009 – Empowers the Directorate of National Consumer Rights Protection to act against deceptive online marketing, failure to deliver digital goods, and oppressive terms in e-commerce.
Contract Act, 1872 – The irreducible framework for determining offer, acceptance, consideration, and capacity in the digital realm. All software subscription agreements, terms of use, and e-commerce contracts are tested against this statute.

2.5 Telecommunications & Regulation

Bangladesh Telecommunication Regulation Act, 2001 – The BTRC is empowered to issue binding directives relating to the interception of communications, ISP licensing, and quality of service, all deeply intertwined with cybersecurity and data retention obligations.

2.6 Financial & Cyber Fraud Laws

Money Laundering Prevention Act, 2012 – BFIU guidelines require banks and financial institutions to monitor digital transactions, report suspicious activities, and apply enhanced due diligence for online onboarding.
Bank Company Act, 1991 – Bangladesh Bank's ICT Security Guidelines detail specific security controls, mandatory IT audits, and business continuity planning requirements for all scheduled banks.

2.7 Intellectual Property Law

Copyright Act, 2000 – Software, websites, databases, and digital content are protected as literary and artistic works. The Act provides for civil remedies (injunctions, damages) and criminal penalties for unlicensed reproduction and distribution.

3. Digital Law in Depth: The Rulebook for Internet Transactions and Identity | Afzal Hosen Mandal

Physical paper contract transitioning into a glowing digital document with a digital signature badge - Digital Law Rulebook by Afzal Hosen Mandal | Afzal & Associates

From wet ink to digital signatures: a physical contract transitions into a digital document, symbolizing the shift from traditional contract law to the electronic transaction framework. This evolution is at the heart of the digital law practice led by Afzal Hosen Mandal.

Digital law in Bangladesh begins with the legal annihilation of the need for physical paper and wet-ink signatures. Before the ICT Act 2006, a contract or legal notice delivered by email, or a government form submitted electronically, existed in a legal void. The foundational legal achievement was establishing that an electronic record carries the same legal effect, validity, and enforceability as a paper document, provided it meets the criteria of retention, integrity, and accessibility. Simultaneously, digital signatures—cryptographically based identity credentials issued by a licensed Certifying Authority—were given full legal recognition as the functional equivalent of a handwritten signature.

The Information and Communication Technology Act, 2006 is divided into chapters dealing with electronic records, the CCA, and offences. Critically, Section 5 creates a legal safe harbor: no electronic record, contract, or signature can be denied legal effect solely because it is in electronic form. Section 10 allows a secure electronic signature to be used in government filings and commercial transactions. Part II sets up the CCA as the trust root; the Certifying Authorities license is required to issue digital signature certificates, which link an identity to a key pair. On the offence side, Section 54 identifies "computer source code" as proprietary intellectual property, making its unauthorized alteration or destruction a crime punishable by up to three years' imprisonment. Section 56 penalizes hacking, defined as unauthorized access done with the intent, or knowledge that loss or damage may be caused, with a comprehensive penalty structure addressing both intent and consequence.

The Cyber Security Act, 2023 reconfigures the relationship between the state, the digital service provider, and the end user. Its philosophy is proactive risk management. It creates a statutory Digital Security Agency with powers to issue binding directives, conduct audits, and demand information. The Act introduces the concept of a "Digital Security Coordinator" who serves as the point of contact for law enforcement. It also creates a specialized Cyber Tribunal and Cyber Appellate Tribunal, separate from conventional judicial hierarchy, with exclusive jurisdiction to try offences under the Act.

At Afzal & Associates, Afzal Hosen Mandal and the team translate this complex rulebook into actionable legal protection through transactional architecture (contract ecosystems for digital platforms, including SaaS terms and API license agreements), regulatory interface (proceedings before the CCA and the Digital Security Agency on notifications, compliance filings, and audit responses), and civil and criminal litigation before the cyber tribunals handling cases from data theft and digital defamation to constitutional challenges of administrative orders for content blocking.

4. Cybersecurity Law: A Proactive Legal and Organizational Mandate | Afzal Hosen Mandal

A digital server rack protected by a multi-layered transparent shield deflecting red attack vectors - Cybersecurity Law by Afzal Hosen Mandal | Afzal & Associates

Critical Information Infrastructure defense: a server rack encased in a multi-layered transparent shield deflects malicious attack vectors. This visual encapsulates the proactive cybersecurity mandate that Afzal Hosen Mandal operationalizes for clients.

Under the Cyber Security Act 2023, the government may designate any computer resource that directly or indirectly affects national security, the national economy, public health, or public safety as a Critical Information Infrastructure (CII). This designation triggers a distinct legal regime: the owner of a CII must appoint a Chief Information Security Officer, conduct regular vulnerability assessments, and report incidents to the National Computer Emergency Response Team. Unauthorized access to a CII is a severe crime carrying a mandatory minimum imprisonment term. The designation list itself may be classified, so entities in sensitive sectors must proactively seek legal advice from specialists like Afzal Hosen Mandal to anticipate whether they are likely to be covered.

The law no longer permits a purely reactive security posture. Even for non-CII organizations, the Act creates a statutory obligation to implement and maintain "reasonable security practices." This is a flexible, yet enforceable, standard. In a regulatory investigation or civil suit following a breach, the test will be whether the organization's security controls matched what a similarly situated prudent organization would have implemented. International standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework are explicitly referenced as benchmarks. An organization with a documented, practiced information security management system will have a robust defence against allegations of negligence; one that cannot will struggle.

The Cyber Security Act 2023 imposes a duty to report certain cybersecurity incidents to the relevant government Computer Emergency Response Team. The exact scope of "notifiable incidents" includes successful intrusions into CII, large-scale data breaches, and denial-of-service attacks affecting public services. Failure to report may itself be an offence. A legally optimized incident response plan is therefore not just a technical document—it is a performance of a statutory duty. It must define internal escalation triggers, forensic evidence preservation procedures, and a pre-drafted communication template that balances transparency with legal privilege. The government's National Cybersecurity Strategy 2021–2025 emphasizes public-private partnership, threat intelligence sharing, and capacity building, forming the interpretive lens through which agencies exercise discretion.

Afzal Hosen Mandal leads Afzal & Associates' multi-layered cybersecurity law service suite, which includes: Legal-Driven Cyber Audits mapping technical controls to the specific language of the Cyber Security Act; Incident Response Plan (IRP) Drafting and Testing producing a legally compliant operational manual tested through confidential tabletop exercises with your C-suite; and Vendor Cybersecurity Contracting ensuring contracts with cloud providers and managed security service providers contain mandatory breach notification clauses, audit rights, and clear liability allocations that satisfy your own regulatory duties.

5. Data Protection: Operationalizing Privacy in a Pre-Regulation Landscape | Afzal Hosen Mandal

A human silhouette made of shimmering gold data particles cupped by a giant translucent hand woven from legal text - Data Protection by Afzal Hosen Mandal | Afzal & Associates

Personal data sovereignty: a human silhouette composed entirely of protected data points, safeguarded by a hand woven from legal clauses. This artistic representation captures the privacy revolution that Afzal Hosen Mandal prepares clients for under the forthcoming Data Protection Act.

The official page on the ICT Division's site, Data Protection Act (Draft/Framework), hosts the legislative blueprint for a fundamental shift in how personal data is governed. The draft Act applies to the processing of personal data by a data controller or processor in Bangladesh, and also to organizations outside the country that offer goods or services to data subjects in Bangladesh—an extra-territorial scope mirroring the GDPR. The Act will establish a Data Protection Authority with powers comparable to a civil court to investigate, issue compliance orders, and levy administrative fines.

Every compliance program must be organized around seven core principles, which are not abstract values but operational requirements:

Accountability: The data controller must be ready at all times to demonstrate compliance. This is the "prove it" principle.
Lawfulness, Fairness, and Transparency: There must be a valid legal basis for processing, and the data subject must be informed in a concise, easily accessible, plain-language privacy notice.
Purpose Limitation: Data collected for one purpose cannot simply be repurposed for another, such as using customer contact details for marketing analytics without separate informed consent.
Data Minimisation: The gathering of "nice to have" data is forbidden; only data that is adequate, relevant, and limited to what is necessary may be collected.
Accuracy: Reasonable steps must be taken to erase or rectify inaccurate personal data without delay.
Storage Limitation: Identifiable personal data must be deleted or anonymized as soon as the original purpose is served.
Integrity and Confidentiality: Appropriate technical and organizational security measures must be applied.

The consent standard is elevated: it must be "freely given, specific, informed, and unambiguous." Pre-ticked boxes, implied consent from browsing, or consent bundled as a non-negotiable term of service will fail this test. For sensitive personal data (health, biometrics, political opinions), the requirement is explicit consent. Afzal Hosen Mandal advises clients to build dynamic consent management platforms that log the precise text shown to a user, the timestamp of consent, and the purpose for which it was granted, creating a legally defensible audit trail.

Data subject rights include the right of access (obtain confirmation and a copy of data), rectification and erasure ("right to be forgotten"), restriction of processing, and data portability (receive data in a structured, commonly used, machine-readable format). Organizations must design internal workflows capable of responding to a data subject request within a strict statutory deadline, likely 30 days. Cross-border data transfers are generally prohibited unless the destination is approved by the Authority or governed by standard contractual clauses or binding corporate rules. This has immediate implications for organizations using global cloud infrastructure or third-party HR platforms hosted abroad.

Afzal & Associates, under Afzal Hosen Mandal, delivers end-to-end data protection compliance: Privacy Governance Framework (appointing a DPO, establishing a privacy committee, drafting a board-approved data protection policy); Records of Processing Activities (ROPA) (the legally mandated, detailed compliance artifact and risk management tool); Data Protection Impact Assessments (DPIAs) (leading and legally opining upon DPIAs for high-risk processing such as large-scale profiling or employee monitoring); and a Data Breach Response Playbook (a specific, separate playbook for personal data breaches aligned with the notification timeline the Data Protection Act will mandate).

6. Cybercrime Law: Navigating the Criminal Justice System for Digital Offences | Afzal Hosen Mandal

A chessboard with red digital threat pieces facing blue legal defence pieces under a glowing golden scale of justice - Cybercrime Law by Afzal Hosen Mandal | Afzal & Associates

The digital courtroom: a strategic chessboard where digital threats (phishing hooks, shadowy figures) face legal defenses (gavel, shield, chain-of-custody scrutiny) under a golden scale of justice. Afzal Hosen Mandal provides both victim representation and robust accused defense in this arena.

Cybercrime in Bangladesh is not a monolithic category but a collection of distinct offences, each with specific actus reus and mens rea requirements. These fall into three actionable categories: offences against confidentiality, integrity, and availability of data and systems (unauthorised access—hacking, data interference—deletion or corruption, system interference—denial-of-service attacks, and misuse of devices); content-related offences (publication of obscene materials, transmission of defamatory information, and circulation of false or misleading data that causes enmity or hatred); and economic cybercrimes (phishing, identity fraud, e-commerce deception, and payment system fraud, often prosecuted concurrently under the Penal Code and Money Laundering Prevention Act).

A cybercrime case typically begins with the filing of an Ejahar or First Information Report (FIR) at a local police station or with a specialized cybercrime unit. The investigating officer operates under the Code of Criminal Procedure, but also has specific powers under the Cyber Security Act, including the authority to order the preservation of traffic data and subscriber information from service providers. During investigation, the police may seize devices, conduct forensic imaging, and take statements. This phase is critical; any error in the handling of digital evidence—such as booting a hard drive without a write blocker—can form the basis for excluding the evidence entirely.

The cornerstone of any cyber prosecution or defence is the admissibility of electronic evidence under the Evidence Act. The statutory pre-condition for adducing an electronic record is a certificate that identifies the record, describes the process of its production, and details the device used. In litigation, Afzal Hosen Mandal and the team relentlessly scrutinize the chain of custody: a chronological log must show who had physical or remote access to the evidence, when, and under what protocol. A broken chain creates a presumption of tampering that can, and often does, lead to acquittal or dismissal.

Our deep knowledge of investigation techniques makes us formidable on both sides of the courtroom. Victim Representation: We initiate emergency legal measures, including filing a petition for preservation of digital evidence with the tribunal, engaging directly with platform counsels for data preservation requests, and filing the FIR with a legally sound evidence annex. We then manage the civil recovery for damages and the pursuit of injunctions. Defence Counsel: We mount a proactive defence from the moment of arrest or summons, challenging the legality of search and seizure, cross-examining forensic witnesses on their tool's error rates and validation, and filing for bail on grounds of the admissibility threshold not being met. We ensure the prosecution's burden of proving guilt beyond a reasonable doubt is rigorously enforced against the unique ambiguities of digital evidence.

7. The Afzal & Associates Service Methodology: From Uncertainty to Defensible Resilience | Afzal Hosen Mandal

A holographic four-part circular lifecycle projected over a lawyer's desk with icons for Diagnostic, Blueprint, Implementation, and Oversight - Service Methodology by Afzal Hosen Mandal | Afzal & Associates

The Afzal & Associates service methodology: a four-phase lifecycle—Diagnostic, Strategic Blueprint, Implementation, and Continuous Oversight—projected as a hologram. This structured approach, perfected by Afzal Hosen Mandal, moves clients from uncertainty to documented, defensible resilience.

Under the leadership of Afzal Hosen Mandal, Afzal & Associates delivers value through a structured, professional methodology refined over years of practice.

Phase 1: Diagnostic Deep Dive (Legal Health Check). We start with a confidential audit. Our team reviews your existing IT policies, privacy notices, employee handbooks, vendor contracts, and incident logs. We interview your IT, HR, legal, and compliance staff. The output is a Risk and Compliance Diagnostic Report that visually maps every operation to the relevant legal provisions and assigns a red/amber/green rating to each compliance area, accompanied by a plain-language explanation of the legal risk.

Phase 2: Strategic Remediation Blueprint. Based on the diagnostic, we develop a prioritised remediation roadmap. Tasks are sequenced by risk severity and regulatory deadline. For each required action—be it drafting a DPIA, implementing a new access control policy, or rewriting a website's cookie consent mechanism—we provide a scoping of the legal requirement, the proposed solution, an estimate of resource requirements, and a timeline. This blueprint is discussed and signed off with your leadership team, becoming the project charter for all subsequent work.

Phase 3: Implementation and Documentation. Our team drafts all necessary legal documentation: comprehensive internal data protection and information security policies, externally-facing privacy notices and terms of service, Data Processing Agreements for third-party vendors, and a statutory-grade Incident Response Plan. We do not merely hand over documents; we conduct customised training sessions for different stakeholder groups (board, management, IT staff, general employees). Each session is legally accurate and designed to modify behaviour.

Phase 4: Continuous Oversight and Horizon Scanning. Legal compliance is not a project with a finish line; it is a continuous state. Under our retainer model, we provide quarterly legislative update bulletins, an annual compliance mini-audit, and an always-available hotline for urgent legal queries. If a new regulation or a critical interpretative judgment is issued, we provide an actionable advisory within days, explaining the specific impact on your organisation and recommended response steps. We also serve as your dedicated external legal point of contact for data protection authorities and law enforcement.

8. Illustrative Client Scenarios: Law Applied to Real-World Situations | Afzal Hosen Mandal

Three round vignettes framed by magnifying glasses showing a fintech app, a protected factory, and a businessman breaking free from chains - Client Scenarios by Afzal Hosen Mandal | Afzal & Associates

Real-world application: a triptych of client scenarios—fintech compliance, industrial ransomware defense, and executive exoneration—each framed by the magnifying glass of legal scrutiny. These illustrate the breadth of cases handled by Afzal Hosen Mandal.

Scenario A: The Fintech Start-Up and Data Compliance. A mobile financial services start-up is preparing to launch a digital lending product. Afzal Hosen Mandal conducts a legal health check and identifies that the app is collecting geolocation and contact list data without granular consent. We redesign the consent flow, draft a layered privacy notice, and implement a Data Protection Impact Assessment that addresses credit profiling risks. We then draft the necessary data processing agreement with their cloud host, ensuring compliance with the cross-border data transfer rules that will be cemented by the Data Protection Act.

Scenario B: The Export-Oriented Manufacturer Experiencing a Ransomware Attack. A garment manufacturer's production server is encrypted by ransomware, and the attacker exfiltrates employee personal data. The CEO contacts Afzal Hosen Mandal within the first hour. We immediately assume privilege, direct the IT team to segment the network and preserve all volatile forensic evidence, and we take over the communication with the threat actor through a third-party forensic under our direct instruction. We simultaneously prepare the regulatory notification to the Digital Security Agency and the data protection authority, provide a legally compliant public statement for vendors and customers, and handle the criminal complaint. Our legally-driven crisis management limits regulatory exposure and positions the company for a robust recovery.

Scenario C: Defending a Senior Executive Against False Cybercrime Accusation. A bank's senior IT manager is accused of unauthorised access and data theft following an internal audit. The police seize his personal devices. Afzal Hosen Mandal immediately secures bail and mounts a technical defence. Our forensic expert's review shows that the access logs relied upon by the prosecution have a gap in their chain of custody while in the bank's internal control. We file a petition challenging admissibility under the Evidence Act. The prosecution case fails at the preliminary evidentiary stage, and the judicial forum accepts a discharge petition.

9. Frequently Asked Questions: In-Depth Answers | Afzal Hosen Mandal

A modern touchscreen surrounded by floating 3D question marks with golden answer streams flowing from a professional's touch - FAQs by Afzal Hosen Mandal | Afzal & Associates

Your questions answered: floating question marks meet a responsive touchscreen interface, from which golden answer streams cascade. This visual represents the accessible, client-centered approach of Afzal Hosen Mandal to even the most complex digital law queries.

Q: Does the Cyber Security Act 2023 apply to small and medium enterprises (SMEs) or just large corporations?

A: The Act applies to any person, including natural persons, companies, and firms, without a de minimis exception for size. While CII obligations target large infrastructure, the prohibitions on hacking, data theft, and non-cooperation with authorities apply universally. Moreover, the requirement to follow reasonable security practices is a standard that scales with the size and sophistication of the entity; a small e-commerce site handling customer card data is judged against the standard of a reasonable small e-commerce operator, not a bank. Ignorance of this is the single biggest legal risk for a growing SME. Afzal Hosen Mandal advises all SMEs to undertake a baseline cybersecurity legal audit as a matter of priority.

Q: What is the exact procedure for serving a legal notice to a social media platform to remove defamatory content in Bangladesh?

A: The procedure is multi-layered. First, you should legally preserve the evidence (screen recordings with hash values, not screenshots). A formal legal notice citing the specific offending content and the applicable law (typically the Cyber Security Act 2023, Penal Code 1860, or both) is sent to the platform's registered agent or through their legal portal. Simultaneously, a complaint may be filed with the Bangladesh Telecommunication Regulatory Commission (BTRC) under the relevant regulations, and a criminal complaint can be initiated. Many platforms have a well-documented but compliance-specific process; Afzal Hosen Mandal ensures the notice is drafted in a manner that maximizes the chances of swift removal without protracted litigation.

Q: If my company uses an international cloud provider (like AWS, Azure, Google Cloud) and data is stored in their Singapore data center, are we in violation of the upcoming Data Protection Act?

A: Not necessarily in violation per se, but you are in a state of unregularized risk. The draft framework will restrict cross-border transfers. Relying on a server location outside Bangladesh will become a legal issue requiring a specific justification. The most common legal mechanism will be Standard Contractual Clauses or Binding Corporate Rules. You will need to execute a legally binding instrument between your company and the cloud provider that provides adequate safeguards for the data. Afzal Hosen Mandal assists clients in precisely this process, structuring the contractual architecture to ensure a defensible compliance footing before the law is enforced.

Q: Our employee clicked a phishing link and customer data may have been leaked. Do we have to report to the police or can we handle it internally?

A: This is a critical judgment call that must be made with legal counsel. An internal investigation under attorney-client privilege is usually the first and best step to determine the facts. However, if the investigation confirms that a notifiable cybersecurity incident has occurred under the Cyber Security Act, or if it constitutes a personal data breach that will require notification to a future Data Protection Authority, it cannot legally be handled purely internally. A failure to notify the relevant authority is a separate offence. Afzal Hosen Mandal guides clients through this triage process to discharge legal obligations while maintaining control over the narrative and limiting business disruption.

10. Conclusion: Your Next Step Toward Secure Digital Legal Standing | Afzal Hosen Mandal

A businessperson silhouette at the start of a wide illuminated pathway paved with legal contracts and lined with shield-shaped arches leading to a sunrise - Secure Your Digital Future with Afzal Hosen Mandal | Afzal & Associates

Your legal future, secured: a lone businessperson at the threshold of a pathway paved with legal contracts, protected by shield-shaped arches, leading toward a brilliant sunrise horizon. This embodies the guided journey Afzal Hosen Mandal provides to every client.

The digital legal framework in Bangladesh is sophisticated, multifaceted, and now actively reshaping corporate governance. The era when these issues could be relegated to the IT department or a general counsel without specialist support is over. The laws create personal, corporate, and criminal liability. They also create a distinct competitive advantage for those who pre-emptively align their operations, convert compliance into customer trust, and build security into their legal DNA.

Afzal Hosen Mandal and Afzal & Associates exist to make this complex transition seamless and secure. Our service is not the delivery of a document but the establishment of a defensible, auditable standard of legal resilience. We invite you to move from passive worry to proactive control.

Secure your digital future today.
Contact Afzal Hosen Mandal at Afzal & Associates for a confidential, obligation-free assessment of your digital legal posture.
Our team is ready to conduct your diagnostic review and start you on the path to watertight compliance.

11. About the Author & Contact Information | Afzal Hosen Mandal

Afzal Hosen Mandal

Position: Lawyer at Afzal and Associates

Specializations: Civil Litigation, Criminal Defense, Property Law, Digital & Cyber Law

Location: Narsingdi Judge Court, Bangladesh

Contact Information:

Email: advafzalhosen@gmail.com, advafzalhosen@outlook.com
Phone: 01726634656

Follow Me:

Website & Blog: Afzal and Associates Official Website

GitHub: Afzal's GitHub Profile

About Afzal and Associates: Learn more about us

Contact Us: Contact Afzal and Associates

Digital & Cyber Law in Bangladesh: The Definitive Professional Guide by Afzal Hosen Mandal | Afzal & Associates

Digital & Cyber Law in Bangladesh: The Definitive Professional Guide

By Afzal Hosen Mandal, Legal Advisor & Digital Law Specialist, Afzal & Associates

Published: May 1, 2025 | Updated: May 1, 2025 | Reading Time: 35 minutes

1. Introduction: The Digital Imperative and the Stakes in Bangladesh | Afzal Hosen Mandal