Jordan's Cybercrime Law No. 17 of 2023 significantly expanded the scope of criminal liability for online offences, affecting businesses, employees, and individuals alike. From electronic fraud and unauthorized system access to online defamation and data theft, the law creates obligations and risks that every organization operating in Jordan must understand.
Jordan's Cybercrime Law: An Overview
The Cybercrime Law No. 17 of 2023 replaced the earlier Cybercrimes Law No. 27 of 2015, broadening definitions and increasing penalties for a wide range of digital offences. The law applies to any act committed using an information system, information network, website, or electronic platform, regardless of whether the perpetrator or victim is inside or outside Jordan, provided the act has effects within the Kingdom.
Key features of the law include criminal penalties for unauthorized access to information systems, electronic fraud and financial crimes committed online, defamation and slander through digital platforms, data theft and privacy violations, and the creation or dissemination of harmful digital content. Penalties range from fines to imprisonment, with aggravated sentences for offences targeting government systems, financial institutions, or critical infrastructure.
Electronic Fraud
The law criminalizes the use of information systems or networks to commit fraud, including phishing schemes, invoice manipulation, business email compromise, and online payment fraud. Businesses are both potential victims and, in some circumstances, potential defendants if their systems are used as conduits for fraudulent activity.
For businesses, the practical risk is significant. Social engineering attacks targeting finance departments, fraudulent supplier invoices sent via compromised email accounts, and payment diversion schemes have become increasingly common in Jordan. Companies that fail to implement reasonable security measures may also face regulatory scrutiny and civil liability to affected parties.
Unauthorized Access
Accessing an information system without authorization, or exceeding authorized access, is a criminal offence under the Cybercrime Law. This applies to external hackers but also to employees who access systems or data beyond the scope of their authorization. The penalties increase if the unauthorized access results in data destruction, modification, or theft, or if it targets government or financial systems.
Businesses should ensure that their access control policies are clearly documented and communicated to employees. An employee who accesses a colleague's email account, views confidential files without authorization, or copies proprietary data before leaving the company may be criminally liable under the law.
Online Defamation and Slander
One of the most frequently prosecuted provisions of the Cybercrime Law concerns defamation, slander, and contempt committed through electronic means. Publishing defamatory statements on social media, messaging applications, websites, or online forums can result in criminal prosecution and imprisonment, in addition to civil liability for damages.
The law sets out specific penalties for online defamation, which are generally more severe than those for traditional defamation under the Penal Code. Businesses face two-sided exposure: they may be victims of defamatory statements by competitors, disgruntled employees, or customers, but they may also face liability if their employees or official accounts publish content that defames another party.
Individuals should be particularly cautious with social media activity. Negative reviews, critical comments about public figures, and workplace grievances aired online have all been the subject of criminal complaints in Jordan. Truth is a defence in some defamation cases, but the procedural burden and cost of defending a criminal complaint can be substantial.
Data Theft and Privacy Violations
The Cybercrime Law criminalizes the unlawful obtaining, disclosure, or use of personal data and trade secrets through information systems. This covers both external data breaches and internal misappropriation by employees or former employees. Businesses that handle customer data, financial records, or proprietary information must implement technical and organizational measures to protect against unauthorized access and disclosure.
Jordan now has a comprehensive standalone data protection law: the Personal Data Protection Law No. 24 of 2023, which took effect on 17 March 2024, with a compliance transition that ended in March 2025. It is a GDPR-influenced statute covering lawful processing, consent, and data-subject rights. Data protection in Jordan now rests primarily on this law, alongside the Cybercrime Law No. 17 of 2023 and sector-specific regulations in banking and telecommunications, which together create meaningful obligations around data security. Businesses that suffer a data breach may face criminal investigations, regulatory action, and civil claims from affected individuals.
Reporting Process
Victims of cybercrime in Jordan should report offences to the Cybercrime Unit of the Public Security Directorate. The reporting process involves filing a formal complaint, providing available digital evidence (screenshots, emails, URLs, transaction records), and cooperating with the investigation. The Cybercrime Unit has the technical capability to trace digital activity, request data from internet service providers and platform operators, and coordinate with international agencies for cross-border offences.
Timeliness is critical. Digital evidence can be deleted or overwritten, and some platform operators have limited data retention periods. Businesses should preserve all available evidence immediately upon discovering a cybercrime incident, including server logs, email headers, and network traffic records.
Criminal vs Civil Remedies
Cybercrime victims in Jordan can pursue both criminal and civil remedies. The criminal track results in prosecution, potential imprisonment, and fines imposed on the offender. The civil track allows the victim to claim compensatory damages for financial losses, reputational harm, and emotional distress caused by the offence.
In practice, filing a criminal complaint often creates leverage that facilitates a civil settlement. Many cybercrime cases, particularly online defamation disputes, are resolved through negotiated settlements in which the offender agrees to remove the offending content, issue a public retraction, and pay compensation in exchange for withdrawal of the criminal complaint.
How Businesses Should Prepare
Proactive measures significantly reduce cybercrime exposure. Businesses operating in Jordan should consider the following steps:
- Cybersecurity policies: Implement written information security policies covering access controls, password management, data classification, and incident response procedures.
- Employee training: Regularly train employees on phishing recognition, social engineering risks, acceptable use of company systems, and the legal consequences of unauthorized access or data misuse.
- Contractual protections: Include confidentiality, non-disclosure, and data protection clauses in employment contracts and vendor agreements.
- Incident response plan: Develop and test a plan for responding to cybersecurity incidents, including evidence preservation, legal notification obligations, and communication protocols.
- Regular audits: Conduct periodic security assessments and penetration testing to identify vulnerabilities before they are exploited.
Employee Social Media Risks
Employees' social media activity can create legal exposure for both the individual and their employer. Posts that defame competitors, disclose confidential business information, or harass colleagues online can trigger criminal complaints and civil claims. Businesses should establish clear social media policies that define acceptable use, restrict the disclosure of confidential information, and clarify that employees are personally responsible for their online conduct.
Where an employee's social media activity is conducted on behalf of or in connection with the business, the employer may face vicarious liability. This is particularly relevant for marketing teams, public relations personnel, and executives whose online presence is closely associated with the company.
When to Speak With a Lawyer
Cybercrime matters in Jordan sit at the intersection of criminal law, technology regulation, and commercial litigation. A business that is the victim of electronic fraud, that is facing an online defamation complaint, or that needs to build a compliance framework benefits from early legal advice. A lawyer can guide a business through the reporting process, coordinate criminal and civil proceedings, preserve evidence, and negotiate settlements where appropriate.
How Abdullah & Partners Can Help
The firm's technology and cybersecurity practice advises businesses on compliance with Jordan's Cybercrime Law and acts in cybercrime investigations and proceedings. The firm also handles criminal defence and prosecution matters related to digital offences. For advice on a specific matter, you may contact the firm.

