The Philippines has emerged as one of Southeast Asia’s fastest-growing digital economies, with its e-commerce, fintech, and outsourcing sectors driving unprecedented levels of data creation, connectivity, and cyber risk. In response, the government has deployed a two-pronged regulatory framework focused on data protection and cybercrime enforcement:
- Republic Act 10173 – Data Privacy Act of 2012 (DPA)
- Republic Act 10175 – Cybercrime Prevention Act of 2012
These laws define the boundaries of lawful data handling and online conduct, placing specific obligations on both private and public organisations to protect personal data and secure digital infrastructure.
Unlike countries with a single cybersecurity statute, the Philippines' model is distributed: the National Privacy Commission (NPC) enforces the Data Privacy Act, while cybercrime offences are investigated by the law enforcement units named in RA 10175 (the NBI Cybercrime Division and the PNP Anti-Cybercrime Group) and coordinated by the Cybercrime Investigation and Coordinating Center (CICC), now attached to the Department of Information and Communications Technology (DICT). This split means organisations are accountable not only for breach prevention but also for incident response, evidence preservation, and timely disclosure to regulators and affected individuals.
The Philippines’ Regulatory Frameworks in Action
RA 10173 – The Data Privacy Act (DPA)
The DPA is the cornerstone of privacy regulation in the Philippines. It applies to all personal information controllers and processors that collect or process personal data, requiring them to implement reasonable and appropriate security measures and to act quickly when a breach occurs.
Key requirements include:
- Breach Notification: Controllers must notify both the NPC and the affected data subjects within 72 hours of knowing, or reasonably believing, that a breach has occurred, where the breach involves sensitive personal information or other information that could enable identity fraud and is likely to give rise to a real risk of serious harm to data subjects (Section 20(f) of the Act; NPC Circular 16-03).
- Data Protection Officers (DPOs): Mandatory appointment of a DPO, for both controllers and processors, to oversee compliance.
- Privacy Impact Assessments (PIAs): Required before undertaking new or high-risk processing of personal data.
- Security Measures: Implementation of organisational, physical, and technical controls to protect the confidentiality, integrity, and availability of personal data, proportionate to the sensitivity of the data and the risks of the processing.
Non-compliance can result in fines, imprisonment for responsible officers, and reputational damage, particularly in sectors such as finance, healthcare, and e-commerce where sensitive personal information is central to the business.
RA 10175 – The Cybercrime Prevention Act
While the DPA governs lawful data use, the Cybercrime Prevention Act targets malicious digital activity. It criminalises offences against the confidentiality, integrity, and availability of computer systems (illegal access, illegal interception, data interference, system interference, and misuse of devices), computer-related offences (forgery, fraud, and identity theft), and content-related offences including cyber libel. It also sets out the legal basis for preserving and disclosing computer data, for search and seizure of digital evidence, and for cooperation between service providers and law enforcement.
For businesses, RA 10175 raises the bar for:
- Logging and Audit Trails: Maintaining secure, tamper-resistant records that can support a cybercrime investigation. Service providers in particular must preserve the integrity of traffic data and subscriber information for at least six months from the date of the transaction (Section 13), with longer retention of content data on lawful order.
- Cooperation with Authorities: Complying with court-warranted orders for the disclosure, search, seizure, or examination of computer data (Sections 14 and 15), which in practice means being able to locate, export, and hand over evidence without altering it.
- Incident Readiness: Being prepared to investigate and report incidents involving both internal compromise and third-party attacks.
Together, these two laws form a legal perimeter around both data and systems, so that incident response is not just an IT task but a regulated obligation with defined deadlines and evidentiary requirements.
IR-1 Assurance: Even If You’ve Never Handled an Incident Before
In the Philippines’ dual compliance landscape, many local companies and multinationals alike struggle to respond to cyber incidents in a way that satisfies both legal obligations and business expectations.
Blackpanda’s IR-1 Assurance service is purpose-built for organisations without mature security programs. Whether you're a BPO startup or a financial platform under increasing NPC scrutiny, IR-1 gives you turnkey incident response, breach containment, and regulator-ready reporting with no need for prior security certifications.
IR-1 directly supports compliance with the DPA and RA 10175 through:
- Root Cause Identification: Whether the entry point is phishing, malware, or insider abuse, we isolate the attack vector and build a defensible timeline of events that can withstand regulatory and legal scrutiny.
- Data Classification & Breach Impact Analysis: Our forensic team maps the exposed data against the categories the DPA and NPC use (personal information, and sensitive personal information such as health and financial records) to assess breach severity and whether the 72-hour notification threshold is met.
- Regulatory Reporting Support: We prepare incident reports aligned to NPC guidelines, including the 72-hour notification window, and assist your DPO with formal disclosures.
- Third-Party Risk & Stakeholder Management: We guide you through communicating with affected customers, partners, and insurers, ensuring transparency without panic.
No matter your cyber maturity level, IR-1 helps you respond like a seasoned security team: fast, structured, and regulator-ready. From meeting NPC timelines to handling cybercrime fallout, Blackpanda ensures you’re not navigating the law alone when it matters most.
Frequently Asked Questions
Q1: What are the main cybersecurity laws in the Philippines?
The two primary laws are the Data Privacy Act of 2012 (RA 10173) and the Cybercrime Prevention Act of 2012 (RA 10175).
Q2: Who enforces the Data Privacy Act in the Philippines?
The National Privacy Commission (NPC) enforces the Data Privacy Act, ensuring organisations comply with data protection requirements.
Q3: What is the breach notification rule under the Data Privacy Act?
Organisations must notify the NPC and affected data subjects within 72 hours of knowing, or reasonably believing, that a breach has occurred, where it involves sensitive personal information or information that could enable identity fraud and is likely to give rise to a real risk of serious harm to data subjects.
Q4: How can businesses comply with RA 10175?
Businesses can comply by maintaining audit logs and preserving the computer data the Act requires, responding to court-warranted requests for disclosure or seizure of evidence, and being prepared to investigate and report incidents promptly.
Q5: What is Blackpanda IR-1 Assurance?
It is a turnkey incident response service designed to help organisations meet regulatory obligations and contain breaches quickly.