THE enactment of the Cyber Security Act, 2023 in Bangladesh, promoted by officials as a contemporary framework to address digital crime, in fact, signifies neither substantial reform nor authentic modernisation, but instead a superficial rebranding of existing repressive laws with merely trivial alterations. Essentially, this act retains the fundamental structure of its predecessor, the Digital Security Act, 2018, which supplanted sections of the Information and Communication Technology Act, 2006. It perpetuates vague, cultivated and subjective provisions that facilitate arbitrary state control over digital speech and expression, while inadequately addressing the genuine cybersecurity threats confronting Bangladesh. Consequently, it institutionalises surveillance and censorship under the pretext of ‘security,’ rather than establishing a targeted, rights-respecting, and technically sound legal framework to effectively combat cybercrime. The apparent aim of this act to ‘identify, prevent, suppress and prosecute offenses committed via digital devices’ seemingly aligns with international benchmarks for cybercrime legislation.

The architecture of the statute reveals a contrasting reality: of the 62 primary provisions in DSA 2018, 58 persist in CSA 2023, with 28 preserved verbatim and 25 modified just slightly; the others remain with little procedural changes. This continuity highlights that the administration did not abolish coercive tools but only replaced the nomenclature of the existing legislative framework, a strategy appropriately characterised by critics as ‘remove the D from DSA and insert C.’ The core issue lies in the vague and expansive wording of essential offenses. Provisions that criminalise ‘false or offensive information,’ ‘defamatory content,’ ‘propaganda against the spirit of liberation war,’ ‘hurting religious sentiments,’ or ‘disrupting law and order/communal harmony’ are retained under the CSA. The ambiguous nature of these terms grants excessive discretion to enforcement authorities, violating essential principles of legality, predictability and proportionality that are fundamental to constitutional protections (such as freedom of expression and privacy) and international human rights standards. Legal research critiques the CSA for its noncompliance with the necessity and proportionality requirements mandated when restricting basic rights.

The CSA establishes entities such as the National Cyber Security Agency and the National Cyber Security Council (sections 4 and 5), grants extensive powers to obstruct, eliminate, or mandate the removal of online content (section 8), and provides expansive police authority for investigations, including search, seizure and arrest without a warrant or prior judicial approval. The legislation establishes a centralised digital monitoring framework, which poses a significant risk of arbitrary or politically driven enforcement, especially targeting journalists, activists, dissenters and ordinary citizens voicing critical perspectives. Simultaneously, the actual environment of cyber risks in Bangladesh has undergone a significant transformation; nevertheless, CSA does not respond with accuracy, technological precision, or victim-centred safeguards. Recent empirical studies indicate that social media and online account hacking have become the predominant cybercrimes, comprising 21.65 per cent of recorded cases in 2024. Cyberbullying, encompassing harassment, abusive texting, non-consensual pornography and defamation, continues to be widespread, accounting for more than fifty per cent of recorded online crimes in recent years.

Financial fraud, notably through mobile financial services, identity theft, phishing, counterfeit account schemes and online deception, has escalated; women and young adults, especially those aged 18 to 30, have become disproportionately affected victims. Prominent events, including data breaches impacting millions, DDoS assaults on governmental services, compromises of payment gateways, ransomware attacks and defacements of institutional websites, have become commonplace. However, CSA 2023, which focuses on content regulation, offers limited clarity and insufficient measures for these widespread dangers. It lacks distinct and precise definitions for offenses, including hacking, unauthorised access, data theft, phishing, ransomware, mobile financial services fraud, identity theft, non-consensual data sharing and privacy violations.

Legal scholarship and empirical evaluations contend that the structure of the CSA is inadequate for effective cybercrime prevention due to ambiguous offenses, insufficient technical forensic protocols, the absence of data breach notification requirements, the lack of enforceable victim remedy mechanisms and the absence of institutional incentives or resources for cyber investigations or the enhancement of digital security capabilities. Consequently, although individuals endure tangible detriments, including financial loss, identity theft, psychological distress, cyberbullying and privacy violations, the legal framework predominantly focuses on regulating speech, stifling opposition and bestowing the state with exceptional authority to monitor digital expression. This imbalance indicates both a legal and normative failure: a reversal of priorities that favours regime security over the digital rights and personal security of citizens. Public sentiment and civil society demands illustrate this disparity.

Domestic and international human rights organisations, journalists, media entities and ordinary citizens have consistently advocated for the abolition or thorough reform of the CSA. The prevailing demand is not for more stringent laws or extensive censorship, but for a transparent, rights-respecting, technically precise, victim-centred legal framework: one that differentiates between authentic cyber threats and protected speech; that guarantees privacy, data protection and prompt data breach notification; that offers substantial procedural safeguards, independent oversight, due process and judicial review; that invests in enhancing capabilities for cyber investigation and forensic infrastructure; and that conforms to international standards and obligations under instruments such as the International Covenant on Civil and Political Rights and recognised cybersecurity frameworks.

In acknowledgment of these shortcomings and increasing public criticism, along with heightened foreign monitoring, the government officially rescinded CSA 2023 on 21 May 2025, substituting it with the Cyber Security Ordinance, 2025. The repeal also involved the elimination of nine of the most contentious parts, which were commonly utilised for speech-related prosecutions.  This legislative reversal indicates a tacit recognition by officials that the CSA was ineffective as both a cybersecurity legislation and a safeguard for people’s rights. Critics, comprising civil society organizations, media practitioners, and human rights advocates, caution that CPO 2025, despite apparent enhancements, preserves significant elements of its repressive framework: expansive criminal liability provisions, centralized removal authority, ambiguously defined offenses and insufficient guarantees of due process or privacy safeguards.

Consequently, the transition from CSA to CPO does not constitute a validation of digital rights; instead, it seems to be a partial retraction under duress, a superficial remedy for an inherently defective design. Absent a paradigmatic shift in legislative thought, digital governance in Bangladesh is likely to sustain governmental overreach, institutional opacity and public vulnerability. What is urgently required is not additional superficial alterations, but a thorough re-conceptualisation of cyber law in Bangladesh grounded in:

—

Exact, specific, and technically informed definitions of cyber threats (eg, hacking, unauthorised access, identity theft, phishing, ransomware, data breach, non-consensual data disclosure, mobile financial services fraud);

—

Distinct delineation between content regulation (speech, expression) and cybersecurity/data protection;

—

Obligatory data breach notification and victim restitution;

—

Autonomous oversight mechanism (judicial review, independent digital rights commission), transparent procedures for content removal or takedown;

—

Enhancement of law enforcement capabilities in digital forensic investigation;

—

Public education and digital literacy initiatives;

—

Conformity with international human rights law and globally acknowledged cybersecurity frameworks.

Without substantial structural transformation, any new regulation will merely serve as a rebranded mechanism of repression rather than an authentic means of safeguarding civilians from cyber risks. The requisite ‘new thinking’ necessitates a transition from state-centric control to citizen-centric protection; from vague, all-encompassing speech criminalisation to precise, targeted, rights-respecting definitions; from centralised censorship authority to accountable oversight; and from legal opacity to transparency, due process and public trust. The Cyber Security Act, 2023, represented not reform but rather rebranding. Bangladesh needs a fundamental paradigm shift in cyber-legislation to genuinely protect privacy, data and digital rights, rather than suppress dissent and regulate expression.

Samanta Azrin Prapty is a legal researcher with specialisation in international commercial law.