A new Cybercrime Law was issued early last month replacing the Cybercrime Law of 2011. With so many laws coming out lately, it can be difficult to understand why these laws are being re-issued in full and what the exact changes these laws are making. This post tries to make sense of the new Cybercrime Law.
If we go back to the very beginning, Oman criminalised cybercrimes for the first time in the year 2001 when a new chapter on computer crimes was added to the Penal Law of 1974. This chapter was titled “Computer Crimes” and generally covered technical offences relating to illegal access, interception, and interference with computer systems as well as misuse of payment cards. The legal concepts that this chapter governed were what an ordinary person on the street would consider to be a cybercrime, i.e. a crime of a technological nature that affects the accessibility or safety of the technology we use.
Ten years after the introduction of the computer crimes chapter to the Penal Law, Oman decided in 2011 to create a standalone Cybercrime Law. This law took the technical crimes that were originally introduced in 2001 and expanded them into four chapters on infringing data and systems, misuse of technology, digital forgery and fraud, and infringement of payment cards. In addition to these technical chapters, a chapter titled “Content Crimes” was added to the law that governed matters beyond technical crimes committed by hackers and cybercriminals. This chapter criminalised misconduct that was already mostly criminalised by the Penal Law and other Omani law (such as defamation, intellectual property infringement, and pornography) when this same act was committed using technological means. Generally speaking, a content crime under the Cybercrime Law carried a heavier punishment in comparison to the same act under the original law.
The extent to which the Cybercrime Law of 2011 had to re-criminalise offences that were already captured by the Penal Law is at best questionable. The Penal Law and other Omani laws have always been worded using expansive terminology that was not tied to a specific technology and which was already used to capture criminal conduct irrespective of the medium. Furthermore, if the objective was to provide legal certainty, the Cybercrime Law could have had a single provision to confirm the application of the Penal Law to crimes committed using technological means without having to repeat the crimes one by one.
As a result of the Cybercrime Law of 2011, we ended up with a legal framework where multiple laws criminalise the same exact conduct. For example, if you insult someone using a text message, that would be a crime under the Penal Law, the Cybercrime Law, and the Telecommunications Law; if you infringe copyright on the internet, that would be a crime under the Cybercrime Law and the Copyright and Neighbouring Rights Law; if you launder money on the internet, that would be a crime under the Cybercrime Law and the Law of Combating Money Laundering and Terrorism Financing, etc.
Having the same conduct be governed by multiple laws makes predicting the application of the law difficult, especially since the Cybercrime Law does not always copy the terminology found in the original law that governs the content in question. However, my biggest problem with overloading the Cybercrime Law with content crimes that are already governed by other laws is that this distracted us from focusing on what the law is actually intended to govern. While the Cybercrime Law of 2011 had five substantive chapters with four covering technical crimes and one covering this strange category of content crimes, if you look at the number of articles in each of these chapters, the chapter on content crimes on its own is bigger (14 articles) than the four other chapters combined (12 articles).
The new Cybercrime Law of 2026 that came out last month retained the same general structure of having technical crimes and content crimes, but the technical crimes are now covered by 14 substantive articles while the content crimes are now covered by 33 substantive articles. In other words, the content crimes have more than doubled in comparison to the previous law and now take up almost two thirds of the substantive provisions of the law.
It is clear that the Omani government sees the Cybercrime Law more as a law to control illegal content on the internet than a law for controlling the misuse of technology. The new law does not introduce any transformative changes to the regulation of technical crimes and pays only lip service to contemporary issues such as artificial intelligence. Instead of focusing on technological developments, the new law introduces a new lengthy section on crimes against the state—not in regard to cyberattacks made against state networks—but in regard to content published against the state, publishing news that harms state prestige, insults against heads of other states, etc. The law also doubles down on increasing the penalties for many existing content crimes.
The disparity between the punishments for technical crimes and the content crimes provides further evidence that the Cybercrime Law has lost its purpose. The Cybercrime Law should help protect us, as individuals and as a state, against cyberattacks, so you would assume that the biggest fines under this law would be designated for those technical crimes that the law is intended to control. Under the new law, if a cybercriminal wipes the data and disables the systems of a private hospital, he would be punished under article 5 of the law with a maximum punishment of a single year, but if an individual posts a tweet with misleading information during a pandemic he would be punished under article 30 of the law with a maximum punishment of 15 years, 15 times the punishment of an actual cyberattack. In fact, the highest fine for a technical crime under the new law is only 20,000 Rial Omani under article 18 (which bizarrely was actually reduced from 50,000 Rial Omani under the previous law), whereas the highest fine for a non-technical crime is 500,000 Rial Omani under article 55.
Content crimes should not go unpunished, but the Cybercrime Law is not the place for determining what ordinary people should be allowed to post on the internet. This matter is already governed by the Penal Law, the Telecommunications Law, and many other laws. The Cybercrime Law should focus on combating cyberattacks, digital fraud, and misuse of technology that affects the safety and integrity of our digital systems. The new Cybercrime Law of 2026 makes it clear that we have forgotten the purpose of this law.
The new Cybercrime Law has already entered into force. You can read it in full in English on the link below:
