OMAN DRAWS A HARD LINE IN THE DIGITAL SAND
Royal Decree No. 61/2026 gives the Sultanate one of the region's most comprehensive cybercrime frameworks — criminalising everything from password theft to organised digital cartels.
Policy Analysis · Cybercrime Law · June 2026
In a region where governments are racing to harden their digital borders, Oman has made a decisive move. The Law on Combating Cybercrimes, enacted under Royal Decree No. 61/2026, represents the Sultanate's most sweeping legislative response yet to the expanding threat landscape of the digital age — codifying offences, establishing deterrents and drawing clear legal boundaries around a wide spectrum of online conduct.
The law, announced by the Ministry of Transport, Communications and Information Technology, covers nine chapters addressing everything from unauthorised system access and digital impersonation to organised cybercrime and the protection of electronic evidence. It arrives at a moment when cyberattacks across the Gulf are rising sharply in both frequency and sophistication, and when governments no longer have the luxury of treating digital security as a secondary concern.
Royal Decree No. 61/2026: Law on Combating Cybercrimes. Promulgated by His Majesty the Sultan of Oman. Enforced by the Ministry of Transport, Communications and Information Technology. Establishes criminal liability for a broad range of digital offences and introduces tougher penalties across nine legislative chapters.
WHAT THE LAW COVERS
The legislation is structured across nine chapters, each targeting a distinct category of digital offence. Together they form a layered framework that moves from individual acts of intrusion through to content-based crimes and, at the most serious end, coordinated criminal enterprise.
- Chapter II — Unlawful access: passwords, access codes, system intrusion
- Chapter III — Possession or distribution of tools designed to facilitate cybercrimes
- Chapter IV — Refusing to disclose credentials to judicial authorities during investigations
- Chapter V — Online impersonation of natural or legal persons for unlawful gain
- Chapter VI — Content offences: state security, hate speech, gambling, pornography, defamation
- Chapter VII — Forgery of electronic payment instruments and unlawful acquisition of payment data
- Chapter VIII — Organised cybercrime: establishing or cooperating with criminal groups online
- Chapter IX — Final provisions: corporate liability, incitement, conspiracy and complaints
Chapter Two addresses the entry point of most cybercrime: unauthorised access. The deliberate and unlawful acquisition of passwords and access credentials is explicitly criminalised, closing a loophole that has historically been difficult to prosecute without clear statutory language. Chapter Three goes further, targeting not just intrusion but the entire supply chain that enables it — the acquisition, possession or distribution of software and devices intended for criminal use.
COMPELLING COOPERATION
One of the law's more notable provisions sits in Chapter Four, which criminalises the concealment of, or refusal to disclose, encryption credentials and access codes when requested by judicial authorities in the course of a lawful investigation. This provision addresses a practical obstacle that has long hampered digital prosecutions: the ability of suspects to withhold the keys to encrypted evidence.
The provision reflects a global trend. Jurisdictions from the United Kingdom to Australia have grappled with the same tension between individual privacy rights and the investigative needs of the state. Oman's approach is direct: non-compliance is itself an offence.
"The law does not merely punish criminal acts. It also punishes the concealment of the means to investigate them — a significant step in making digital evidence practically accessible to prosecutors."
CONTENT, IDENTITY AND PUBLIC ORDER
Chapter Five's criminalisation of online impersonation is particularly significant in an era of AI-generated content and deepfake technology. The law makes it an offence to impersonate any natural or legal person — a company as much as an individual — through information systems for the purpose of obtaining unlawful benefits. The framing is deliberately broad, capturing both classic identity fraud and newer forms of synthetic deception.
Chapter Six, the most expansive section of the law, addresses content-related offences in five sub-categories. These span crimes against the state — including the spread of rumours and material promoting terrorism or racial hatred — through to online gambling, pornographic websites and violations of intellectual property. Defamation and slander online are also explicitly covered, providing individuals with a legal recourse against reputational harm carried out through digital channels.
TAKING ON ORGANISED CYBERCRIME
Perhaps the most forward-looking element of the legislation is Chapter Eight's targeting of organised cybercrime. The provision makes it an offence not only to participate in a criminal group using digital tools, but to support or cooperate with one — extending liability beyond direct perpetrators to those who provide infrastructure, funding or operational assistance.
This matters because the threat landscape has matured. Cybercrime is no longer predominantly the domain of lone actors or opportunistic hackers. Ransomware-as-a-service operations, darknet marketplaces and transnational fraud networks now operate with the structural sophistication of legitimate businesses — complete with customer support, affiliate programmes and internal hierarchies. Laws that only punish the person who clicks the final button are inadequate against this kind of infrastructure. Oman's law reaches further up the chain.
CORPORATE ACCOUNTABILITY
Chapter Nine's provisions on legal entity liability are equally significant for the private sector. Organisations — not just individuals — can now be held criminally responsible for offences committed using their platforms, systems or infrastructure. For companies operating in Oman's growing technology and financial services sectors, this creates a strong compliance incentive: robust internal governance over digital systems is no longer optional goodwill, but a legal obligation.
The same chapter establishes specific offences for incitement, assistance and conspiracy — meaning that those who facilitate cybercrime without directly committing it cannot claim the protection of distance. This principle, familiar from conventional criminal law, is now applied explicitly to the digital environment.
READING THE REGIONAL MOMENT
Oman's new law does not emerge in isolation. Across the Gulf, governments are upgrading digital legal frameworks at pace. The UAE strengthened its own cybercrime legislation in 2021 and has since layered in regulations on AI, data protection and critical infrastructure. Saudi Arabia has expanded its National Cybersecurity Authority's mandate significantly. Bahrain, Qatar and Kuwait are each at varying stages of digital law modernisation.
What Royal Decree No. 61/2026 signals is that Oman intends to be a full participant in this regional hardening — not a jurisdiction that lags behind its neighbours and thereby becomes a softer target. A comprehensive domestic framework also strengthens Oman's ability to cooperate on cross-border investigations, where the absence of equivalent legislation in a partner country can block mutual legal assistance requests entirely.
The Sultanate's broader Vision 2040 plan has placed digital transformation at the centre of its economic diversification strategy. Roads, power grids and ports are being joined by data infrastructure, cloud services and digital government platforms as the foundations of national development. A legal framework that credibly protects that infrastructure is not a bureaucratic formality — it is a prerequisite for the investment and trust that digital transformation requires.
The law is, in this sense, as much an economic signal as a legal one. It tells investors, trading partners and technology companies that Oman takes digital rule of law seriously — that conducting business through its digital infrastructure comes with the protection of a modern legal framework, and that those who seek to abuse that infrastructure face meaningful consequences.
In a digital environment where trust is both the scarcest and most valuable resource, that is a statement worth making clearly.