Cyber Regulations in Israel

Israel’s cyber and privacy regulatory landscape changed fundamentally in 2025. With Amendment 13 to the Protection of Privacy Law now in force, stronger enforcement powers, and the central role of the Israel National Cyber Directorate (INCD), every organization holding personal data — even just employee records — now carries real, enforceable obligations. This guide maps the framework Israeli businesses must navigate.

The Protection of Privacy Law and Amendment 13

The Protection of Privacy Law (PPL), originally from 1981, is the backbone of Israeli data protection. Amendment 13, which took effect on 14 August 2025, is the most significant reform in decades. It broadens the definition of highly sensitive data, mandates the appointment of Data Protection Officers in defined cases, tightens consent and transparency rules, and dramatically expands the Privacy Protection Authority’s (PPA) power to investigate and impose financial sanctions — with individuals able to sue without proving harm.

The Data Security Regulations

The 2017 Data Security Regulations remain a core enforcement focus. They classify databases into basic, medium, and high security tiers, each with escalating requirements covering access control, log retention, risk surveys, and incident handling. Many organizations are surprised to learn their HR or customer databases fall into a higher tier than assumed.

The INCD and sector regulators

The INCD sets national cyber defense guidance, issues threat alerts, and increasingly expects timely incident reporting. Sector regulators — in banking, healthcare, and critical infrastructure — layer additional requirements on top. For organizations handling EEA-origin data, the 2023 EU data-transfer regulations add further duties, supported by Israel’s GDPR adequacy status.

Who is affected, and what to do

  • Any organization holding personal data is in scope, even if it is only employee data.
  • Map your data, classify your databases by security tier, and close gaps against the Data Security Regulations.
  • Appoint a DPO where required and brief your board, which now carries documented accountability.

Persist Security helps Israeli organizations meet these obligations through GRC and compliance consulting and a vCISO service that provides the security leadership the regulations increasingly assume, backed by a managed SOC for monitoring and reporting. Contact us for a regulatory gap assessment.

פז שורץ

CEO, Persist Security