On January 22, 2026, the memorandum for the National Cyber Defense Law, 5786-2026 ("Memorandum"), was published for public comment. The Memorandum aims to establish a national framework for regulating, supervising and enforcing cyber defense of all organizations in the Israeli economy, with an emphasis on protection for essential organizations and digital service and hosting providers, based on a differential risk management approach.

According to section ten of the Memorandum, any organization, including national authorities, local authorities, businesses, or anyone providing services to the public, is responsible for ensuring a proper level of cyber defense according to its type and the nature of its activity. The Memorandum divides the organizations subject to the law into different levels based on the level of risk relevant to their activity. It distinguishes between "Essential Organizations", "Digital Service and Hosting/Storage Providers", and the suppliers that provide services to these entities.

Essential Organizations are subject to a long list of obligations intended to ensure they implement a "basic level of defense". Digital service and storage/hosting service providers are subject to certain obligations (that also apply to Essential Organizations) in the event of a security incident. A breach of the obligations set forth in the Memorandum may lead to financial sanctions in amounts of hundreds of thousands of shekels. Moreover, criminal liability may apply in some circumstances, as detailed in the Memorandum.

Essential Organization – Private and Government Sector

  • Who is considered an "Essential Organization"?

This category includes all government bodies, as well as entities designated as essential by the regulator. Regarding private entities and local authorities, the Memorandum sets forth criteria for their definition as Essential Organizations, aimed at private organizations that provide essential services at a significant scale (the full criteria appear in the Third Schedule):

    • Communications – An authorized provider with at least 200,000 subscribers or 200,000 end users.
    • Energy – A distribution license holder or a natural gas license holder.
    • Health – Hospitals and health management funds (Kupat Holim).
    • Chemical, hazardous materials and toxin plants – Any organization declared an "essential factory".
    • Local authorities – A local authority with 90,000 or more registered residents.
    • Water and sewage sector – A water corporation with at least 250,000 "users" (ostensibly based on the number of persons).
    • Transportation – Large transportation companies as well as infrastructure companies recognized as an executive arm of the Ministry of Transportation.
    • Food production and marketing companies – A food retail organization that has a market share of 4% or more of total food sales in Israel, as well as any organization engaged in food production or transportation at a significant scale.
    • Agriculture – An agricultural organization with a market share of 20% or more within a given branch of agriculture.

Regarding organizations operating in the digital services and storage and hosting services sector in Israel, the Memorandum establishes cumulative criteria for being defined as an "Essential Organization":

    • A body that meets one of the following threshold conditions: (a) annual financial turnover of 40 million NIS or more; (b) employs 50 or more employees; or (c) provides services to the Government of Israel or to a verified defense establishment.
    • The entity provides at least one of the following services: provision of internet infrastructure (IXP, DNS, TLD, CDN); cloud computing services management and provision; cloud storage services (Data Centers); digital verification and online signature services; SMS distribution services, including mailing distribution platforms; identity management and access services (IAM), including systems for user identification and multi-factor authentication; traffic routing services (Reverse Proxy); software interface management services (API Management); managed cybersecurity services (MSP, MSSP); services for operational and industrial systems (OT/ICS/SCADA/IoT); core business services (SaaS/PaaS), including digital services allowing for organizational management and development, as well as their maintenance or accessibility; Marketplace services and search engines; social networks; or companies engaged in data trading (Data brokers).

It is evident that, with regard to the digital services sector, this refers to a broad range of services and companies that are expected to fall within the scope of the proposed law.

  • Core Obligations of an Essential Organization

An "Essential Organization" must comply with the "Basic Defense Requirements" detailed in Part A of the Fourth Schedule, including:

  1. Risk Analysis – Including asset and process mapping, proactive assessments and tests, implementation of procedures, and preparation of a work plan approved by senior management; this includes implementing defense controls on infrastructure and systems.
  2. Assessing and Handling Cyber Incidents – Including writing, implementing, and updating a plan for handling cyber incidents; appointing and training a dedicated team for cyber incident response; and conducting preliminary assessments for cyber incidents via predefined response teams, defined procedures, operating monitoring mechanisms, etc.
  3. Maintenance of Business Continuity – Ensuring the continued provision of essential services even during a cyberattack, including via BCP/DRP programs and backup plans, alongside necessary assessments and training.
  4. Supply Chain Cyber Defense – Including writing, implementing, and updating a plan for defense against cyber threats in the supply chain; mapping and evaluating risks in the supply chain and anchoring information security requirements in engagements with suppliers.
  5. System Development and Maintenance – Including implementing secure development principles and managing secure changes throughout the life cycle of systems and infrastructure.
  6. Policies and Procedures for Assessing Defense Effort Effectiveness – Including writing, implementing, and updating an organizational information security policy; appointing a cyber defense officer; and defining authorities concerning intraorganizational cyber defense.
  7. Employee Awareness – Including implementing an awareness program for employees combined with training and practical drills.
  8. Encryption – Including classification per sensitivity levels and risk, and implementing encryption in transit and at rest (with preference for end-to-end encryption).
  9. Access Controls – Including defining and enforcing access permissions according to the "Need to Know" principle; implementing authentication measures such as MFA; and defining and implementing logical or physical separation between systems.

The Memorandum clarifies that an Essential Organization shall meet these requirements through compliance with the relevant instructions in one of the listed standards, specifically the ISO/IEC 27001 standard together with ISO/IEC 27002, without being required to comply with the other requirements of that standard, i.e., seemingly without the need to obtain full certification.

Obligation to Report a "Significant Cyber Attack"

Once an Essential Organization becomes aware of a significant cyber-attack, as defined by the criteria in Section 11 of the Memorandum, it must submit an immediate report. The report should include the organization’s details, when the attack commenced, and information about its characteristics. The report must be submitted to a senior official within the National Cyber Directorate and a senior official within the competent authority.

Implementing Instructions During a "Severe Cyber Attack"

If a senior official in the competent authority determines there is a real concern that an ongoing severe cyber-attack against an Essential Organization may harm the availability, continuity, or integrity of its essential services, the organization may be given a reasonable window of time to identify, prevent, or contain the attack. If the organization does not act appropriately in this regard, it may be given instructions, including instructions to disclose information, subject to proportionality and privacy considerations. If the subject at hand is a government entity, the organization shall initially act according to instructions given by its authorized employee in coordination with the National Cyber Directorate, without the opportunity to first act independently.

Digital Service Providers and Hosting/Storage Services (That are not "Essential Organizations" in their own right)

  • Who is considered a "Digital Service and Hosting Provider"?

This refers to those whose business involves providing digital or hosting/storage services ("Service Providers"), where there is a connection or transfer of computer hardware (physical/logical, permanent/temporary) between the Service Provider’s computers and the service recipient’s computers, as well as those whose business involves providing maintenance, administrative, or control services for such systems.

  • Implementation of Instructions During a "Severe Cyber Attack"

Service Providers that are not Essential Organizations are not subject to the basic defense requirements under the Memorandum (this is without derogating from their obligations under other laws). However, they are subject to the same obligation regarding the aforesaid "Severe Cyber Attack".

Essential Organization – Defense Establishment

The Memorandum spells out a specific track for Essential Organizations within the defense establishment, with these organizations being subject to a regime akin to that of an Essential Organization, mutatis mutandis, and transferring enforcement powers to MALMAB. It is clarified that any organization listed as a supplier for the defense establishment, or an organization that provides essential services to the defense establishment, may be considered an Essential Organization subject to the Memorandum's obligations. Therefore, clients providing services to defense establishments must be aware of these obligations and review them in detail.

We recommend conducting an internal assessment at this stage: map and analyze whether the organization may be considered an Essential Organization, a digital service provider or a storage/hosting service provider; identify gaps against the defense requirements in the Memorandum; and ensure there are designated roles and processes that will allow for a swift response, if necessary. As the Memorandum indicates that some of the main obligations will take effect 12 months following the law's publication, there is limited time to complete the required preparations.

The Ministry of Justice has made the Memorandum available for public comment until February 12, 2026. We invite you to share your insights and comments on the matter with us; we will be pleased to include them in our ongoing dialogue with the Ministry.

The Privacy, Regulation, and Technology department at Amit, Pollak, Matalon, has developed a structured methodology for accompanying organizations in their preparation for privacy and information security regulations. This includes implementing information security procedures, risk management processes, ongoing controls, and assistance in managing information security incidents. We assist clients within a DPO-as-a-Service framework and provide practical tools for the continuous implementation of legal requirements. We also assist our clients in preparing for and obtaining certifications, including ISO/IEC 27001 along with ISO/IEC 27002.

This update is intended to present the regulatory developments in the field and it does not constitute legal counsel with respect to any specific course of action. We remain at your disposal for any questions.

APM Privacy, Regulation and Technology Team.