Back to all articles
Legal Updates

Analyzing the 2026 Amendments to the Cybercrime Act

Juris AI Legal Desk
May 10, 2026
11 min read
Analyzing the 2026 Amendments to the Cybercrime Act

The landscape of digital rights and cybercrime in Pakistan has just undergone a massive overhaul with the recent 2026 amendments to the Prevention of Electronic Crimes Act (PECA), 2016. These changes dramatically alter the burden of proof, redefine digital terrorism, and introduce stringent new penalties for corporate entities.

The Evolution of PECA

When PECA was originally enacted in 2016, it was designed to combat traditional cyber-harassment, unauthorized access (hacking), and electronic fraud. However, the exponential rise of deepfakes, coordinated state-sponsored disinformation campaigns, and sophisticated cryptocurrency scams rendered the 2016 framework largely obsolete. The Federal Investigation Agency (FIA) frequently found themselves severely handicapped by outdated statutory definitions when dealing with modern digital crimes.

The 2026 amendments aim to close these loopholes, but in doing so, they have introduced broad language that is already raising constitutional alarms among civil rights advocates and defense lawyers.

Expanded Definitions of Cyber Terrorism (Section 10)

The most debated amendment is the expanded scope of Section 10 (Cyber Terrorism). Previously, cyber terrorism required a direct threat to critical infrastructure (like power grids or nuclear facilities) or an act that explicitly created "fear or panic" among the public with the intent to coerce the government.

The new language now includes "coordinated disinformation campaigns utilizing artificial intelligence, deepfakes, or bot networks aimed at destabilizing state institutions or manipulating financial markets." This broad definition requires advocates defending such cases to focus heavily on the element of "malicious intent" (mens rea) and actual "material damage." Proving that a retweet or a forwarded WhatsApp message constitutes a "coordinated campaign" will be the primary battleground in trial courts.

"The weaponization of information is the new frontier of warfare. However, statutory language must not cast a net so wide that it catches the dissenting citizen alongside the digital terrorist."

Strict Liability in Financial Fraud & Phishing

With the meteoric rise of banking scams—where citizens are tricked into providing OTPs (One Time Passwords)—Section 14 has been heavily amended. Previously, the burden was entirely on the victim to prove they were defrauded, and banks often washed their hands of the matter, citing consumer negligence.

The amendment introduces a revolutionary concept for Pakistan: Strict Corporate Liability. Banks and telecom operators are now held to a stricter liability standard. If a citizen's funds are stolen via digital fraud, the burden now shifts to the financial institution to prove, in a banking court, that they had maintained adequate, state-of-the-art cybersecurity protocols and had explicitly warned the specific consumer of the exact type of ongoing scam, before transferring the liability to the consumer.

New Offenses: Deepfakes and AI Impersonation

A brand new section, Section 21-A, specifically targets the malicious use of Artificial Intelligence. Creating or disseminating "deepfakes" (AI-generated synthetic media) of a private citizen without their consent, with the intent to harm their reputation, is now a non-bailable offense carrying a minimum sentence of 5 years.

For litigators, prosecuting under this section will require presenting expert forensic testimony. You can no longer rely solely on the FIA's initial report; bringing in independent digital forensics experts to testify on the algorithmic manipulation of the video or audio file will become standard practice.

Defending Cybercrime Cases: The Chain of Custody

When drafting bail petitions for offenses under the amended PECA, defense counsels must ruthlessly attack the forensic evidence collection process. The new amendments mandate that the FIA must follow strict chain-of-custody protocols for digital devices (laptops, phones). They must create a cryptographic hash value of the device's hard drive at the exact moment of seizure to prevent tampering.

If the FIA fails to produce this hash value in the trial court, the entire digital evidence can be deemed inadmissible under Article 164 of the Qanun-e-Shahadat Order, 1984. Always ask for the hashing report in your initial application under Section 265-C CrPC (supply of statements and documents to the accused).


Looking Forward

The 2026 PECA amendments have transformed cyber law in Pakistan into a highly technical, specialized field. General criminal practitioners can no longer handle these cases using traditional methodologies. Mastering digital forensics, understanding AI algorithms, and aggressively challenging electronic evidence collection will be the hallmark of the successful cybercrime advocate in this new era.

Thanks for reading.