On July 30, 2025, Myanmar’s Cybersecurity Law No. 1/2025 came into effect with the State Administration Council’s issuance of Notification 113/2025. The law, which was enacted on January 1, 2025, aims to regulate various aspects of digital security and online activities. Below are some key provisions, implications, and penalties under the Cybersecurity Law. Extraterritorial penalties. The law contains an important provision that authorizes penalties against Myanmar citizens who are found guilty of violations, even if these occur outside the country’s borders. VPN definition and regulation. Virtual private networks (VPNs) are defined by this law as specific systems that function as backup networks by using technological means in order to ensure the safety of linking networks to each other. This definition sets the framework for subsequent regulations and penalties associated with VPN usage. The law does not restrict individuals or entities from using VPNs; it regulates VPN service providers. Penalties for unapproved VPN services. Establishing a VPN or providing VPN services without approval from the designated ministry (to be appointed later by the government) can result in significant penalties. For individuals, the punishment may be imprisonment for 1–6 months, a fine of MMK 1–10 million (approx. USD 476–4,760), or both, with the proceeds of the violation being confiscated. If the violator is a company or organization, the minimum fine will be MMK 10 million, and the proceeds will be confiscated. Government oversight. The ministry designated by the government is authorized to investigate and take control of cybersecurity services and digital platform services for national defense and security purposes, or upon request from a government department or organization in accordance with respective laws. Licensing requirements. The Cybersecurity Law introduces two types of licenses, valid for a period of 3–10 years, for (1) cybersecurity services and (2) digital platform providers. Digital platforms with