Submitted by moiuser on 6 January 2025

Continued from 4 January

Chapter VI

Responsibilities and authority of the department

11. The department shall take responsibility for office works as the secretariat of the central committee and the steering committee.

12. The department shall allow expenses and allowances for members of the steering committee who are not in-service.

13. The department

(a) can contact, coordinate and cooperate with international and regional cybersecurity organizations in accord with the directive of the ministry in implementing the cybersecurity cooperation measures internationally and regionally.

(b) can issue recognition certificates by examining qualification of cybersecurity and skills or holding competitions in line with the international standards.

(c) shall initiate sector-wise cybersecurity cooperation in the country under the directive of the ministry.

(d) shall set disciplines for cybersecurity service and registration disciplines for digital platform service in accord with the approval of the ministry.

(e) shall levy licence fees, registration fees, fine or other charges in line with the restrictions under this law.

(f) shall take responsibilities for the implementation of cybersecurity policies, strategies, action plans and work guidelines adopted by the central committee.

Chapter VII

Protection of critical information infrastructure

14. The critical information infrastructures are as follows: -

(a) Electronic information infrastructures for defence and security of the State

(b) e-government service infrastructure

(c) e-financial information infrastructure

(d) e-transport information infrastructure

(e) e-communications information infrastructure

(f) e-health information infrastructure

(g) e-electric power and energy information infrastructure

(h) Electronic information infrastructures set by the Central Committee from time to time in accord with the approval of the Union government

15. The Central Committee shall instruct the relevant government departments and organizations to designate, revise and manage critical information structures to carry out the tasks of planning and maintaining critical information infrastructure.

16. Relevant governments and organizations shall conduct measures for critical information infrastructures as follows: -

(a) Scheming cybersecurity plans under relevant criteria

(b) Formation of an Emergency Cybersecurity Incident Monitoring and Response Team (c) Assigning an appropriate person as an official to manage the critical information infrastructure

(d) submission of a cybersecurity report to the Steering Committee at least once for every calendar year

17. The official who is responsible for managing the critical information infrastructure

(a) shall keep the data related to the critical information infrastructure in accordance with the standards depending on the standards of information.

(b) shall manage publishing, releasing, sending, accepting and storing the data related to critical information infrastructures in accordance with the standards.

(c) shall submit the report of critical information infrastructures to the ministry via relevant government departments and organizations at least once every calendar year.

18. The ministry shall oversee and inspect whether those responsible for managing critical information infrastructure have implemented cybersecurity readiness in accordance with the standards set by the steering committee.

Chapter VIII

Issuance of licence and registration

19. The department can determine the validity period of licences for cybersecurity services and the registration period for digital platform services for a minimum of three years and a maximum of ten years.

20. A cybersecurity service provider must be a company registered under the Myanmar Companies Law and must also apply for a business licence from the relevant department in accordance with the prescribed regulations.

21. The department shall verify applications under the criteria in accord with Section 20 and conduct them as follows: -

(a) if application is aligned with criteria, it needs to issue licence to applicant with paying licence fee

(b) if application is not aligned with criteria, it needs to amend application or refuse to issue licence.

22. The cybersecurity service provider must apply for a licence extension to the relevant authority at least six months before the expiration of the licence if they wish to continue their operations.

23. The department

(a) can allow the application for renewal of licence with verification in accord with the criteria or refuse it.

(b) refuses to extend the licence, it shall not affect the remaining licence term.

24. A digital platform service provider with over 100,000 users within the country must be a registered company under the Myanmar Companies Law, and in line with the registration criteria, an application must be submitted to the relevant department for approval.

25. The department must review the application in accordance with the criteria set forth in Section 24 and proceed as follows: -

(a) issuing the registration to an applicant with payment of registration fee if the application is aligned with relevant criteria

(b) otherwise, it must allow the applicant to amend the application or refuse to issue the registration

26. The digital platform service provider must apply for an extension of the registration before the expiration of the registration term, at least six months in advance, as per the specified conditions, if they wish to continue operating the business.

27. The department –

(a) can verify renewal of registration term in compliance with the relevant criteria and allow or refuse it.

(b) refuse renewal of registration term, it shall not affect the remaining registration term.

28. The cybersecurity team must obtain the approval of the steering committee in line with the criteria, to carry out cybersecurity activities within the country without making a profit.

To be Continued

#TheGlobalNewLightOfMyanmar