
Cybersecurity in the era of IoT: Legal challenges and accountability gaps

Authored By: Meer Joheb

University of Asia Pacific

Abstract 

In today’s world, the rise of the Internet of Things (IoT) brings both great opportunities and serious cybersecurity challenges. This article focuses on how cyber risks are growing in the IoT field and how Bangladesh’s laws and institutions are responding. It finds that when cyber incidents occur, weak data protection, vague regulations, and overlapping functions of authorities make it hard to establish accountability. The article compares Bangladesh with countries in the EU, the US, and India. The study shows the need for stronger and more coordinated cybersecurity laws. By using legal analysis, interviews, and a review of Bangladesh’s Cyber Security Ordinance 2025, the article reveals gaps in Bangladesh’s current system. In conclusion, the article recommends creating a simple and flexible legal system that protects people’s rights, clearly defines responsibilities, and encourages countries to work together. This approach would help balance new technology with safety and build a more secure digital future.

Introduction 

In February 2025, the Government of Bangladesh introduced the Cyber Security Ordinance 2025  to replace the earlier Cyber Security Act 2023. The government said that this change would make  the digital space safer and protect citizens from online threats. However, even with the new law,  many experts believe that Bangladesh is still not ready to face the complex challenges of the  Internet of Things (IoT) and modern cyber risks.1 

The Internet of Things is now part of our daily lives. From smart home devices to digital  healthcare tools, everything is connected to the internet. These technologies help save time,  improve services, and make life more efficient. But they also create new problems. When devices  collect personal data, there is always a chance of hacking, data leaks, or misuse of information.2 

In developing countries like Bangladesh, where cyber laws are still weak and enforcement is  slow, these problems can have serious consequences. 

Bangladesh is working to become a digital nation through projects like “Digital Bangladesh” and  “Smart Bangladesh.” But legal development has not kept pace with technological growth.3 The  country’s laws mostly deal with punishing cybercrimes instead of preventing them. The ICT Act  2006, Digital Security Act 2018, and Cyber Security Act 2023 were created to improve online  safety, but they were often criticized for being unclear and sometimes misused. Even with the  Cyber Security Ordinance 2025, there is still no special law to protect personal data or any  independent authority to supervise how people’s data is used.4 

In contrast, the European Union and India have stronger systems. The General Data Protection  Regulation (GDPR) in the EU and the Digital Personal Data Protection (DPDP) Act 2023 in  India protect people’s data and give them control over their personal information.5 These  frameworks show how well-written laws can balance technology and privacy. 

The absence of strong accountability, expert data protection bodies, and clear cooperation among  institutions leaves both individuals and organizations in Bangladesh exposed to cyber threats.6 The goal of this article is to explore the legal problems and gaps that exist in Bangladesh’s  cybersecurity system, especially related to IoT. It also aims to suggest ways to build a legal  system that ensures both security and freedom in the digital space. 

Research Methodology 

This article is based on both primary and secondary research. It follows a comparative and  analytical approach to understand how Bangladesh’s laws perform in practice and how they  compare with other countries. 

Primary data was collected through online surveys and interviews. The surveys involved legal  experts, cybersecurity professionals, and private sector representatives to find out what problems  they face in applying cybersecurity laws. Interviews were also conducted with academics and  government officials to identify weaknesses in enforcement and policy. 

Secondary data was collected from various sources, including laws such as the ICT Act 2006,  Digital Security Act 2018, and Cyber Security Ordinance 2025. Other references include the  GDPR (European Union), California Consumer Privacy Act (CCPA), and India’s DPDP Act  2023. Academic articles, government reports, and newspaper publications were also reviewed. 

This mixed method helped to identify the gaps in Bangladesh’s legal system and to compare it  with global best practices. It also provided a full picture of how laws, institutions, and policies  work together in managing cybersecurity and data protection. 

The Legal Situation in Bangladesh 

Bangladesh started its journey in digital law with the Information and Communication  Technology (ICT) Act 2006. This law was meant to promote online business and punish crimes  like hacking, fraud, and misuse of electronic data. But it did not include strong rules on personal  data protection. Later, the Digital Security Act 2018 was introduced to fight cybercrime and protect national interests. Unfortunately, it was often criticised for limiting free speech and being used unfairly against journalists and activists.7 

In 2023, the Cyber Security Act replaced the Digital Security Act. Although it removed some  controversial parts, it still did not focus on privacy or data protection. Then came the Cyber  Security Ordinance 2025, which was a further attempt to modernise the legal framework. While  the new ordinance includes some improvements, it still lacks a clear definition of personal data  and fails to create an independent data protection authority. 

Currently, several institutions are responsible for cybersecurity, including the Bangladesh  Telecommunication Regulatory Commission (BTRC), the National Cyber Security Agency, and  law enforcement departments like the CID Cyber Unit.8 These institutions often have  overlapping responsibilities and do not coordinate effectively. As a result, enforcement becomes  weak and confusing. The Constitution of Bangladesh guarantees freedom and privacy, but these  rights are often threatened when laws are vague. For example, the term “cyber threat to national  security” is not clearly defined, leaving room for misuse. A modern, rights-based approach is  therefore needed to make sure security does not come at the cost of freedom.9 

The Role of Courts and Judicial Response 

Bangladesh’s courts are still developing experience in handling cyber issues. Most cases related  to online crimes are tried under general criminal laws, not specific data protection rules. Judges  and lawyers often lack technical training in digital forensics or cybersecurity. 

In contrast, courts in other parts of the world have played a major role in shaping digital rights.  For example, the Court of Justice of the European Union (CJEU) in Google Spain v AEPD10 recognised the “right to be forgotten,” which allows people to request the removal of personal  data from search engines.11 This case was a landmark step in data privacy. 

Bangladesh does not yet have similar case law or legal precedents to protect personal data. When  people are victims of data leaks or cyberattacks, they have limited ways to get justice. The  judiciary can play a stronger role by interpreting existing laws to protect digital privacy and by  guiding the creation of better cyber regulations. 

Key Problems and Legal Gaps 

Although Bangladesh has made progress in updating its laws, many weaknesses remain. 

  1. No Clear Definition of Personal Data 

Current laws do not define what “personal data” means.12 Without clear definitions, it is difficult to decide who is responsible when someone’s data is misused. 

  2. Weak Enforcement 

The institutions that deal with cyber issues often lack proper training, resources, and coordination. Many cyber incidents go unreported because people do not know where to seek help or do not trust the system. 

  3. Overlapping Responsibilities 

Different agencies perform similar roles, which causes delays and confusion. No single authority is clearly responsible for data protection or for responding to IoT-related incidents. 

  4. Limited Awareness 

Public awareness about online safety is still very low. Many people use weak passwords or share personal information without understanding the risks. Schools and universities rarely teach digital safety or cyber law. 

  5. Gaps Compared with International Standards 

The GDPR in Europe gives individuals strong rights, such as the right to access, correct, or delete their data.13 It also requires organisations to report data breaches and imposes heavy fines for violations. Similarly, India’s DPDP Act 2023 provides clear accountability for both companies and the government.14 Bangladesh can learn from these systems but must adapt them to its own needs and capacities. 

  6. Lack of Skilled Professionals 

There is a shortage of experts in cyber law, data protection, and digital forensics. Many skilled people work abroad, and those who remain in the country have limited opportunities for training. 

  7. Risks from Artificial Intelligence 

Artificial Intelligence is increasingly being used on social media and in surveillance systems. Without strong rules, it can be misused to spread false information, invade privacy, or influence public opinion. Bangladesh does not yet have clear guidelines for the ethical use of AI. 

Recent Developments and Government Efforts 

The Cyber Security Ordinance 2025 is the latest reform in Bangladesh’s digital law framework.  It repealed several criticised sections from earlier laws and introduced new rules to deal with  modern threats, including online gambling and AI misuse. The ordinance also recognised access  to the internet as a civic right, which is a positive step forward. 

Public reaction to the new law has been mixed. Human rights groups welcomed the removal of  harsh penalties but warned that the law still lacks clear privacy protections. Experts also argue  that the focus remains on punishment instead of prevention and education. 

The government has started offering training programmes for law enforcement officers and  creating awareness campaigns about cyber safety. Bangladesh has also joined several  international initiatives on digital security and data sharing. However, without a national data  protection law and a strong regulatory body, these efforts may not bring long-term results. 

Recommendation 

In my opinion, to build a secure and trustworthy digital environment, Bangladesh should take  the following steps: 

  • Create a Comprehensive Data Protection Law: A separate Data Protection Act should  be introduced. It must define personal data, outline user rights, and set penalties for  misuse. 
  • Form an Independent Data Protection Authority: A new body should be established  to oversee how data is collected, used, and stored. This authority must be independent to  avoid political pressure. 
  • Clarify Institutional Roles: There should be a clear division of responsibilities between  the BTRC, the Cyber Security Agency, and law enforcement agencies. 
  • Set Security Standards for IoT Devices: Manufacturers and service providers should  follow safety standards, such as using encryption and providing software updates. 
  • Increase Training and Education: Judges, lawyers, and police officers need proper  training on handling cyber cases. Schools and universities should include cyber safety in  their curriculum. 
  • Raise Public Awareness: Public campaigns should teach people how to protect their  data, avoid scams, and report cyber incidents. 
  • Work with Other Countries: Bangladesh should cooperate with nations that have  strong data protection systems to share knowledge and technology. 
  • Protect People’s Rights: Cyber laws must respect privacy and freedom of expression. Any restrictions should be narrowly defined and reviewed by independent courts. 

Conclusion 

The Internet of Things is changing the world, offering new opportunities for innovation and  growth. But it also brings major risks. In Bangladesh, the existing legal framework is still too  weak to deal with these challenges. The Cyber Security Ordinance 2025 is an improvement, but  it does not go far enough to ensure privacy or accountability. 

To achieve a truly secure digital future, Bangladesh must move beyond punishing cybercrime  and start focusing on prevention, privacy, and public trust. Learning from international models  like the GDPR and India’s DPDP Act can help create a fair and modern system. With stronger  laws, better institutions, and more awareness, Bangladesh can build a digital space that is both  safe and open for all. 

Bibliography 

  1. Mamun Abdullah, Bangladesh’s New Cyber Law Drops Controversial Provisions, Focuses on Cybercrime, Dhaka Tribune (Dec. 3, 2024). 
  2. Abu Sayed Sikder & Md. Rashedul Islam, Enhancing Cyber-Resilience within Bangladesh’s Legal Framework: Evaluating Preparedness and Mitigation Strategies Against Technologically-Driven Threats, 1(1) Int’l J. Imminent Sci. & Tech. 38 (2023). 
  3. Mohammad Nur Nabi & Muhammad Tanjimul Islam, Cyber Security in the Globalized World: Challenges for Bangladesh, Paper presented at the 7th Int’l Sci. Conf. on Econ. & Soc. Dev. (New York City, Oct. 2014). 
  4. Shamsad Binte Ehsan & Md. Najmus Saquib, Balancing Cybersecurity and Individual Rights: A Critical Analysis of Bangladesh’s Cyber Security Act 2023, 8(1) J. Creative Writing 81 (2024). 
  5. General Data Protection Regulation, Regulation (EU) 2016/679 (Apr. 27, 2016). 
  6. Digital Personal Data Protection Act, No. 22 of 2023, Acts of Parliament, Republic of India (2023). 
  7. Moses Blessing, Comparative Analysis of Data Protection Laws: Learning from Global Best Practices (2024), ResearchGate, https://www.researchgate.net/publication/385139126. 
  8. Nat’l Inst. of Standards & Tech., Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (Apr. 16, 2018). 
  9. Julfikar Ali Manik & Ellen Barry, North Korea Linked to Theft at Bangladesh Bank, N.Y. Times (Mar. 7, 2017). 
  10. Google Spain SL v. Agencia Española de Protección de Datos (AEPD), Case C-131/12, [2014] ECLI:EU:C:2014:317. 
  11. Council of Europe, Convention on Cybercrime, ETS No. 185 (Nov. 23, 2001). 
  12. Cyber Security Ordinance, No. 3 of 2025 (Bangladesh). 
  13. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), 2016 O.J. (L 119) 1 (EU). 
  14. Digital Personal Data Protection Act, No. 22 of 2023 (India), https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf (last visited Oct. 9, 2025).

1 Mamun Abdullah, Bangladesh’s New Cyber Law Drops Controversial Provisions, Focuses on Cybercrime, Dhaka  Tribune (Dec. 3, 2024). 

2 Abu Sayed Sikder & Md. Rashedul Islam, Enhancing Cyber-Resilience within Bangladesh’s Legal Framework:  Evaluating Preparedness and Mitigation Strategies Against Technologically-Driven Threats, 1(1) Int’l J. Imminent  Sci. & Tech. 38 (2023). 

3 Mohammad Nur Nabi & Muhammad Tanjimul Islam, Cyber Security in the Globalized World: Challenges for  Bangladesh, Paper presented at the 7th Int’l Sci. Conf. on Econ. & Soc. Dev. (New York City, Oct. 2014).

4 Shamsad Binte Ehsan & Md. Najmus Saquib, Balancing Cybersecurity and Individual Rights: A Critical Analysis  of Bangladesh’s Cyber Security Act 2023, 8(1) J. Creative Writing 81 (2024).

5 General Data Protection Regulation, Regulation (EU) 2016/679 (Apr. 27, 2016). 

6 Digital Personal Data Protection Act, No. 22 of 2023, Acts of Parliament, Republic of India (2023).

7 Moses Blessing, Comparative Analysis of Data Protection Laws: Learning from Global Best Practices (2024),  ResearchGate, https://www.researchgate.net/publication/385139126.

8 Nat’l Inst. of Standards & Tech., Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (Apr.  16, 2018). 

9 Julfikar Ali Manik & Ellen Barry, North Korea Linked to Theft at Bangladesh Bank, N.Y. Times (Mar. 7, 2017). 

10 Google Spain SL v. Agencia Española de Protección de Datos (AEPD), Case C-131/12, [2014] ECLI:EU:C:2014:317. 

11 Council of Europe, Convention on Cybercrime, ETS No. 185 (Nov. 23, 2001).

12 Cyber Security Ordinance, No. 3 of 2025 (Bangladesh).

13 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of  Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General  Data Protection Regulation), 2016 O.J. (L 119) 1 (EU).

14 Digital Personal Data Protection Act, No. 22 of 2023 (India), https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf (last visited Oct. 9, 2025).
