Decision No. 150 of 2024 on Regulating the Activity of Practicing Cybersecurity Services

Decision No. 150 of 2024, enacted by the Minister of Economy and Trade, establishes a regulatory framework for practicing cybersecurity services within Libya. This decision, grounded in various legal precedents and the formation of the Government of National Unity, sets forth definitions, requirements for practicing permits, and operational standards for service providers in the cybersecurity domain. It underscores the importance of regularizing cybersecurity services by mandating valid practicing permits for service provision and renewal of commercial licenses, thereby ensuring the alignment of cybersecurity operations with national standards and legal requirements.

Minister of Economy and Trade

• After reviewing the Constitutional Declaration issued on 03-08-2011 and its amendments.
• The Libyan Political Agreement was signed on 17-12-2015.
• The outcomes of the Libyan Political Dialogue Forum held on 09-11-2020.
• The decision made by the Libyan House of Representatives in its session held on 10-03-2021 in the city of Sirte regarding granting confidence to the Government of National Unity.
• And Law No. 12 of 2010 on issuing the Labor Relations Law and its Executive Regulations.
• And Law No. 23 of 2010 on Commercial Activity.
• And the decision of the Council of Ministers No. 187 of 2012 issuing the Executive Regulations of the Commercial Registry.
• The Council of Ministers' decision No. 188 of 2012 issued the Executive Regulations for the eighth book of the Commercial Activity Law No. 23 of 2010 regarding the provisions regulating export and import.
• The decision of the Council of Ministers No. 28 of 2013 establishing the National Authority for Information Security and Safety.
• The Council of Ministers of the Government of National Unity No. 235 of 2021 decided to adopt the organizational structure, competencies, and regulation of the Ministry of Economy and Trade administrative apparatus.
• And the decision of the Minister of Economy and Trade No. 14 of 2022 on issuing the internal regulation of the Ministry of Economy and Trade.
• And the letter of the Director-General of the National Authority for Information Security and Safety No. 180/1 dated 29-08-2023.

Decided

Article 1

Definitions

With due regard to the meanings of terms related to the relevant laws, the following words and expressions shall have the meanings assigned to each of them unless the context indicates otherwise:

Authority: The National Authority for Information Security and Safety.

A Practicing Permit is an official document issued by the National Authority for Information Security and Safety. It is granted to companies or individuals with competence in cybersecurity and informatics and authorizes them to provide the services specified in this decision to those in need within Libya.

Service Provider: is the entity, whether a natural person or a legal entity “company”, that has obtained a practicing permit to provide cybersecurity services issued by the Authority.

Validity of the Practicing Permit: is the specified duration of the practicing permit's validity during which cybersecurity services may be provided. Cybersecurity Information Security is the implementation of all necessary measures to ensure the confidentiality, availability, and integrity of any physical or intangible asset present on the informational infrastructure and communication structure, passing through it, or affected by any risks and threats it may entail.

Penetration Testing: a security exercise to assess the security of information technology systems by discovering and exploiting security vulnerabilities in these systems through attempted breaches using the same tools and techniques that attackers might use to identify any system defense weaknesses that attackers could exploit. It is a method to evaluate and manage vulnerabilities in organizations to enhance defenses and strengthen protection.

Cyber Security Operations Center (CSOC): is a specialized unit responsible for monitoring and analyzing an organization's security posture to help monitor, detect, prevent, investigate, and respond to electronic threats around the clock, seven days a week, using a set of defined operations and technological solutions.

Article 2

For issuing commercial licenses to companies or individuals wishing to practice any or some of the services listed below, it is required to obtain a valid practicing permit issued by the Authority:-

• Management of the organization's electronic security operations service (CSOC).
• Penetration testing service.
• Cybersecurity incident response service.
• Digital forensic analysis services and reverse engineering of malicious software.
• Service configuration to obtain standards, licenses, policies, and local and international memberships in cybersecurity.
• Import, sell, and develop systems, applications, and software used in cybersecurity operations.
• Consultancy services related to cybersecurity.

Article 3

Commercial registers or licenses for companies and individuals wishing to provide cybersecurity services shall only be renewed if they have obtained a valid practicing permit issued by the Authority.

Article 4

Companies and individuals working in this field must regularize their status with the Authority within a maximum period of six months from this decision's issuance date.

Article 5

This decision shall be effective from the date of its issuance. Any provision that contradicts it shall be repealed, and those addressed by it shall implement it.

• Mohamed Ali Al-Hwej
• Minister of Economy and Trade
• Issued on: 21 Ramadan 1445 AH
• Corresponding to: 31/3/2024