For organisations operating in or processing the data of residents of the Lao People's Democratic Republic (Lao PDR), the country's electronic data protection framework establishes the baseline obligations. This article presents only verified facts, and is appropriately measured where authoritative detail is limited.
The Foundation: Law No. 25/NA
Laos' primary data protection law is the Law on Electronic Data Protection (No. 25/NA). According to multiple sources, it was enacted on 12 May 2017 and came into effect on 23 June 2017. It regulates the collection, processing, storage, and transfer of personal data in electronic form, and aims to safeguard individuals' privacy rights, establish security standards, and outline business responsibilities in handling electronic data.
An important scoping note: the framework focuses specifically on electronic data — data in digital form — rather than data protection in all formats.
Scope and Application
The law applies to individuals, organisations, and legal entities, both domestic and international, that handle electronic data within Lao PDR. It also extends to foreign entities without a physical presence in Laos that engage in activities subject to its provisions, under certain circumstances.
The law classifies electronic data into categories, distinguishing general data from more sensitive specific data (which includes information such as financial, health, and similar records).
The Regulator
The Ministry of Technology and Communications (MTC) — formerly the Ministry of Post and Telecommunications — is the primary authority overseeing electronic data protection in Lao PDR. The MTC operates through provincial departments and is supported by the Lao Computer Emergency Response Team (LaoCERT), which handles cybersecurity incidents.
Penalties
According to reported information, penalties under the framework range from approximately 5 million to 50 million Lao Kip depending on the severity of violations, with certain unauthorised disclosures of confidential personal information also addressed under the Penal Code.
An Evolving Landscape
It is important to be candid: the Lao data protection and cybersecurity legal landscape is still evolving, and authoritative English-language detail is more limited than for many other markets. Organisations operating in Laos should monitor developments and confirm current requirements with qualified local counsel rather than relying on secondary summaries alone.
How Simuna Infosec Helps
Regardless of the specific regulatory detail, the underlying need is constant: organisations handling electronic personal data must ensure the systems processing that data are genuinely secure. Our human-led security testing identifies the vulnerabilities that could lead to unauthorised access or disclosure of personal data, providing the technical security foundation that any data protection regime ultimately depends on.
*This article reflects publicly available information as of mid-2026. English-language coverage of Lao law is limited; consult qualified Lao legal counsel for compliance decisions.*