Across the Middle East, governments are reframing surveillance and information control as cybersecurity, data protection, and digital resilience. This rebranding is driving a wave of new laws, institutions, and cross-border technology transfers that concentrate authority over data and networks, de facto representing a relevant threat for the civic dimension. The overlying transition represents the strategic mirror of Middle Eastern complexity where, amid Gulf’s cybercrime provisions, control of civilian cyberspace from security agencies and Iran’s state-aligned operators, a tightened authoritarian region-wide model might be a valuable solution.
Introduction
According to Freedom on the Net 2024, MENA governments leveraged wartime narratives to suppress online dissent and expand policing of speech, most visibly through Jordan’s 2023 Cybercrimes Law. In parallel Gulf states advanced GDPR-like data privacy statutes and national cyber strategies that centralize authority over platforms, cloud services, and content moderation in the name of resilience. These measures, that entail an outstanding mapping infrastructure (raging from legal and institutional trends to vendor and alliance networks that are enriched with context-aware geopolitical insights), acan generateself-reinforcing cycle of securitization. Let’s unpack them.
The Dual Function of Privacy and Cybercrime Laws
In the region, recent legislative reforms have employed words privacy and digital safety to shield surveillance from scrutiny. But in passing these laws the state also acquires more power to control online expression and regulate data. Privacy safeguards have been codified. But just how wide the admissible exceptions may extend is largely left up to law and security organs. This enables selective implementation and reinforces requirements for data platform transfer to local storage. Let’s unpack this cluster on new statutes across the region:
United Arab Emirates: Federal Decree-Law No. 34 of 2021 on “Countering Rumors and Cybercrimes” criminalizes broad categories of online content, enables equipment seizure, and provides sweeping penalties, including for “unauthorized” publication deemed harmful to state interests. The law entered into force on 2 January 2022 and remains a cornerstone of online policing.
Jordan: the 2023 Cybercrimes Law imposes harsh penalties for vaguely defined offenses such as “fake news” and “immorality,” and has been used repeatedly since 2023–24 to suppress protest-related speech.
Egypt: Law 175/2018 (“Anti-Cyber and IT Crimes”) legalizes website blocking, mandates data retention, and empowers real-time monitoring, tools repeatedly used to constrain media and civil society.
Gulf privacy frameworks with security override: Bahrain’s PDPL (in force since 2019) and Saudi Arabia’s PDPL (2023–24) replicate GDPR terminology but are embedded within highly centralized security governance, where national cybersecurity authorities and sectoral regulators retain decisive powers over cross-border transfers and “public interest” access.
Institutional centralization: civilian cyberspace under security command
Throughout the Middle East, authorities are increasingly centralizing cyber policy throughout the national security institutions, enhancing coordination, incident response, and safeguarding against external threats. However, this narrowing also stretches over into civilian, commerce and media areas, gnawing away at the traditional separation between defense and governance. Consequently, faculties that were only to be used under strictly defined exceptional circumstances are being made regulations of day-to-day administration, making digital governance a mainstay of national strategy. Some case studies:
Israel’s National Cyber Directorate (INCD) coordinates policy and operational defense across the civilian sector, issuing alerts and mandatory guidance; publicly reported alerts nearly doubled from 2023 to 2024 (from 367 to 736), reflecting heightened regional threat tempo during the Gaza war.
UAE integrates cybercrime enforcement with content governance and data policies through federal legislation and cabinet-level bodies, supporting a sophisticated “cyber troops” capability that orchestrates influence operations.
The vendor–sovereign nexus: exporting surveillance as security
A burgeoning commercial marketplace of surveillance and exploit merchants has emerged as a key element in Middle East cyber governance. The 2021 Pegasus disclosures were revelatory in showing how export-licensed spyware sales to governments, in the United Arab Emirates as well as in Morocco and Bahrain, facilitated persistent targeting of journalists, lawyers and dissidents. While NSO Group and similar companies assert they adhere to export controls, the broader industry of mobile interception protocols, lawful intercept technologies, social media monitoring or data fusion has evolved through legal or extra-legal markets. These systems are typically advertised as counterterrorism, homeland security and cybercrime-fighting tools but also facilitate the domestic operations of internal security services.
Indeed, the Abraham Accords have accelerated this diffusion, converting diplomatic normalization into technological alignment. Israeli firms have emerged as leading providers of intrusion and analytics tools to Gulf monarchs, buttressing doctrines of pre-emptive threat identification while deepening mutual codependence in cyber space. Simultaneously, Western consultancies and global cloud providers, wanting to preserve access to lucrative regional markets that are governed by tight data localization and compliance regulations, now operate locally in line with host-state security frameworks. Together, these dynamics have resulted in a layered ecosystem in which surveillance technology companies, commercial service manufactures and geopolitical partnerships reinforce each other to concentrate state power under the name of cybersecurity.
Iran as durable adversary and an alibi for securitization
State-sponsored Iranian cyber operators persist in applying pressure on Israeli, Gulf and Western networks through a variety of operational campaigns including but not limited to ICS-adjacent attacks and hack-and-leak. From 2024 to 2025, several threat analyses highlighted an uptick in malicious activity by Islamic Revolutionary Guard Corps (IRGC)–affiliated entities, including CyberAv3ngers, who aimed their attacks at water and energy infrastructure as well as manufacturing facilities abroad which were supported by Israeli-made programmable logic controllers. These have intensified since October 2023, and have been widely seen as part of Tehran’s asymmetric response to the Gaza conflict.
Research syntheses produced in 2024 reveled an expanded Iranian toolkit that now included bastardized Destructive wipers used to corrupt or delete data, password spraying, credential stuffing and supply chain implants In mid 2025 adversaries including the hijacking of surveillance camera equipment and attempted disruptions of Israeli infrastructure systems.
Though the operational capabilities of these groups are uneven, their sustained activity gives regional governments a continued pretext for unusual security practices. The fake Iranian cyber threat supports emergency powers, justifies content removals, and secures constraints on encryption and anonymity. In practice, many of the same legal and technical structures built to prevent foreign encroachment are also used for local control, obfuscating the line between national defense and internal spying.
War, platforms, and the shrinking space for speech
The war with Hamas has dramatically reshaped Israel’s approach to controlling information and managing cyberspace, pitting national security imperatives against democratic norms. Since October 2024, Israel has folded digital operations into the theater of conflict more broadly incorporating offensive cyber, coordinated information campaigns, and increased domestic regulation over online content. INCD and Ministry of Communications have collaborated to monitor online discourse, limit access to specified content considered as hostile material and work with the world’s leading platforms on removal requests for Hamas-linked propaganda and disinformation.
According to Freedom House's 2024 report, the war period witnessed widened state-led action to limit speech deemed critical of morale or “supporting terrorism” with arrests, account suspensions and content removals occurring in temporary formulations against Palestinian and dissenting Israeli voices. The government’s decision to invoke emergency powers, based on the 1945 Defense Regulations, in turn reached into the digital realm, offering legal cover when it sought to block websites and monitor encrypted communication.
Meanwhile, Israel’s stance in cyberspace has grown more offensive and pre-emptive. The country’s security bureaucracy treats the information space online as an extension of the battlefield, a place where influence operations and infrastructure defense and surveillance all converge. The confluence of warfighting and digital regulation has, in fact, all but obscured the distinction between an external security strategy and domestic information governance, establishing new norms for the post-conflict environment.
Conclusions
The Middle East’s cyber turn is not just a rush to reach global norms; it is a political project, touting authoritarian rebranding of digital power. Privacy laws and cybersecurity tactics give you the structure; security-borne organizations, ecosystem partners and big vendors provide the muscle. It is the immolation of information that enables the narrative. Iran’s persistent offensive posture and wartime information battles furnish the narrative fuel.
For external partners, three implications follow:
Engaged conditionality: cloud, telecom, and surveillance exports should be linked to verifiable safeguard, independent auditability, human-rights due diligence, and publicly disclosed transparency metrics, rather than abstract privacy language.
Defending cross-border rights: journalists, dissidents and NGO workers in the region and diaspora continue to be targeted both by spyware and platform takedowns. Corporate trust-and-safety functions and export-control regimes must account for the extraterritorial repression risks that have been uncovered since Pegasus.
Safeguards for infrastructure resilience: regional cyber defense against Iranian and other threats is essential, but with accountability: statutory boundaries, reporting mandates, judicial scrutiny of data access, blocking orders, and surveillance.
Absent such counterweights, the region’s digital future will be one where security language legitimizes political control, a future already visible in the convergence of cyber law, national security institutions, and a thriving market for surveillance technology.
