By Abdullah & Partners Editorial Team • Disputes & Risk • Published April 2026

Jordan's Cybercrime Law No. 17 of 2023 significantly expanded the scope of criminal liability for online offences, affecting businesses, employees, and individuals alike. From electronic fraud and unauthorized system access to online defamation and data theft, the law creates obligations and risks that every organization operating in Jordan must understand.

Jordan's Cybercrime Law: An Overview

The Cybercrime Law No. 17 of 2023 replaced the earlier Cybercrimes Law No. 27 of 2015, broadening definitions and increasing penalties for a wide range of digital offences. The law applies to any act committed using an information system, information network, website, or electronic platform, regardless of whether the perpetrator or victim is inside or outside Jordan, provided the act has effects within the Kingdom.

Key features of the law include criminal penalties for unauthorized access to information systems, electronic fraud and financial crimes committed online, defamation and slander through digital platforms, data theft and privacy violations, and the creation or dissemination of harmful digital content. Penalties range from fines to imprisonment, with aggravated sentences for offences targeting government systems, financial institutions, or critical infrastructure.

Electronic Fraud

The law criminalizes the use of information systems or networks to commit fraud, including phishing schemes, invoice manipulation, business email compromise, and online payment fraud. Businesses are both potential victims and, in some circumstances, potential defendants if their systems are used as conduits for fraudulent activity.

For businesses, the practical risk is significant. Social engineering attacks targeting finance departments, fraudulent supplier invoices sent via compromised email accounts, and payment diversion schemes have become increasingly common in Jordan. Companies that fail to implement reasonable security measures may also face regulatory scrutiny and civil liability to affected parties.

Unauthorized Access

Accessing an information system without authorization, or exceeding authorized access, is a criminal offence under the Cybercrime Law. This applies to external hackers but also to employees who access systems or data beyond the scope of their authorization. The penalties increase if the unauthorized access results in data destruction, modification, or theft, or if it targets government or financial systems.

Businesses should ensure that their access control policies are clearly documented and communicated to employees. An employee who accesses a colleague's email account, views confidential files without authorization, or copies proprietary data before leaving the company may be criminally liable under the law.

Online Defamation and Slander

One of the most frequently prosecuted provisions of the Cybercrime Law concerns defamation, slander, and contempt committed through electronic means. Publishing defamatory statements on social media, messaging applications, websites, or online forums can result in criminal prosecution and imprisonment, in addition to civil liability for damages.

The law sets out specific penalties for online defamation, which are generally more severe than those for traditional defamation under the Penal Code. Businesses face two-sided exposure: they may be victims of defamatory statements by competitors, disgruntled employees, or customers, but they may also face liability if their employees or official accounts publish content that defames another party.

Individuals should be particularly cautious with social media activity. Negative reviews, critical comments about public figures, and workplace grievances aired online have all been the subject of criminal complaints in Jordan. Truth is a defence in some defamation cases, but the procedural burden and cost of defending a criminal complaint can be substantial.

Data Theft and Privacy Violations

The Cybercrime Law criminalizes the unlawful obtaining, disclosure, or use of personal data and trade secrets through information systems. This covers both external data breaches and internal misappropriation by employees or former employees. Businesses that handle customer data, financial records, or proprietary information must implement technical and organizational measures to protect against unauthorized access and disclosure.

Jordan now has a comprehensive standalone data protection law: the Personal Data Protection Law No. 24 of 2023, which took effect on 17 March 2024, with a compliance transition that ended in March 2025. It is a GDPR-influenced statute covering lawful processing, consent, and data-subject rights. Data protection in Jordan now rests primarily on this law, alongside the Cybercrime Law No. 17 of 2023 and sector-specific regulations in banking and telecommunications, which together create meaningful obligations around data security. Businesses that suffer a data breach may face criminal investigations, regulatory action, and civil claims from affected individuals.

Reporting Process

Victims of cybercrime in Jordan should report offences to the Cybercrime Unit of the Public Security Directorate. The reporting process involves filing a formal complaint, providing available digital evidence (screenshots, emails, URLs, transaction records), and cooperating with the investigation. The Cybercrime Unit has the technical capability to trace digital activity, request data from internet service providers and platform operators, and coordinate with international agencies for cross-border offences.

Timeliness is critical. Digital evidence can be deleted or overwritten, and some platform operators have limited data retention periods. Businesses should preserve all available evidence immediately upon discovering a cybercrime incident, including server logs, email headers, and network traffic records.

Criminal vs Civil Remedies

Cybercrime victims in Jordan can pursue both criminal and civil remedies. The criminal track results in prosecution, potential imprisonment, and fines imposed on the offender. The civil track allows the victim to claim compensatory damages for financial losses, reputational harm, and emotional distress caused by the offence.

In practice, filing a criminal complaint often creates leverage that facilitates a civil settlement. Many cybercrime cases, particularly online defamation disputes, are resolved through negotiated settlements in which the offender agrees to remove the offending content, issue a public retraction, and pay compensation in exchange for withdrawal of the criminal complaint.

How Businesses Should Prepare

Proactive measures significantly reduce cybercrime exposure. Businesses operating in Jordan should consider the following steps:

  • Cybersecurity policies: Implement written information security policies covering access controls, password management, data classification, and incident response procedures.
  • Employee training: Regularly train employees on phishing recognition, social engineering risks, acceptable use of company systems, and the legal consequences of unauthorized access or data misuse.
  • Contractual protections: Include confidentiality, non-disclosure, and data protection clauses in employment contracts and vendor agreements.
  • Incident response plan: Develop and test a plan for responding to cybersecurity incidents, including evidence preservation, legal notification obligations, and communication protocols.
  • Regular audits: Conduct periodic security assessments and penetration testing to identify vulnerabilities before they are exploited.

Employee Social Media Risks

Employees' social media activity can create legal exposure for both the individual and their employer. Posts that defame competitors, disclose confidential business information, or harass colleagues online can trigger criminal complaints and civil claims. Businesses should establish clear social media policies that define acceptable use, restrict the disclosure of confidential information, and clarify that employees are personally responsible for their online conduct.

Where an employee's social media activity is conducted on behalf of or in connection with the business, the employer may face vicarious liability. This is particularly relevant for marketing teams, public relations personnel, and executives whose online presence is closely associated with the company.

When to Speak With a Lawyer

Cybercrime matters in Jordan sit at the intersection of criminal law, technology regulation, and commercial litigation. A business that is the victim of electronic fraud, that is facing an online defamation complaint, or that needs to build a compliance framework benefits from early legal advice. A lawyer can guide a business through the reporting process, coordinate criminal and civil proceedings, preserve evidence, and negotiate settlements where appropriate.

How Abdullah & Partners Can Help

The firm's technology and cybersecurity practice advises businesses on compliance with Jordan's Cybercrime Law and acts in cybercrime investigations and proceedings. The firm also handles criminal defence and prosecution matters related to digital offences. For advice on a specific matter, you may contact the firm.

Related Insights

Questions

Frequently Asked Questions

What is Jordan's cybercrime law?

Jordan's cybercrime law is the Cybercrime Law No. 17 of 2023, in force since September 2023. It replaced the Cybercrimes Law No. 27 of 2015, contains 41 articles, and broadened the definitions and penalties for online offences. It covers unauthorized access, electronic fraud, online defamation, data theft, and harmful digital content, and it can apply where an act committed online has effects inside Jordan.

Does Jordan have a data protection law?

Yes. Jordan's Personal Data Protection Law No. 24 of 2023 took effect on 17 March 2024, with a compliance transition that ended in March 2025. It is a comprehensive, standalone data protection law influenced by the GDPR, covering lawful processing, consent, and data-subject rights. It applies alongside the Cybercrime Law No. 17 of 2023 and sector-specific rules in areas such as banking and telecommunications.

Is online defamation a crime in Jordan?

Yes. Defamation, slander, and contempt committed through electronic means are offences under the Cybercrime Law No. 17 of 2023, and the penalties are generally heavier than for traditional defamation under the Penal Code. Both businesses and individuals can be exposed, whether through official accounts, employees, or personal social-media activity, and a criminal complaint can run alongside a civil claim for damages.

Can an employee be criminally liable for accessing company data without permission?

Yes. Under the Cybercrime Law No. 17 of 2023, accessing an information system without authorization, or exceeding authorized access, is a criminal offence. This reaches employees who open a colleague's email, view confidential files outside their remit, or copy proprietary data before leaving. Penalties increase where the access leads to data being destroyed, altered, or stolen.

How do you report a cybercrime in Jordan?

Cybercrime should be reported to the Cybercrime Unit of the Public Security Directorate. The victim files a formal complaint, provides digital evidence such as screenshots, emails, URLs, and transaction records, and cooperates with the investigation. Acting quickly matters, because logs and platform data can be deleted, so businesses should preserve server logs, email headers, and related records immediately.

Can a business be both a victim and a defendant under the Cybercrime Law?

Yes. A business can be the victim of fraud, defamation, or a data breach, and it can also face exposure if its systems are used as a conduit for an offence or if its employees or official accounts publish unlawful content. This two-sided risk is why documented access controls, security measures, and a clear incident-response process matter under the Cybercrime Law No. 17 of 2023.

Abdullah & Partners

Abdullah & Partners is a law firm in Jordan, based in Amman, providing legal services in accordance with the laws of Jordan, the Jordanian Bar Association Law, and international conventions in force.

Established in Amman · Member of the Jordanian Bar Association

Contact Us