Table of Contents
Key Takeaway
- 🛡️ What Is the NCC: The National Cybersecurity Council (NCC) is a proposed centralized inter-agency body that would serve as the Philippines’ primary authority for cybersecurity policy, coordination, and strategic direction — replacing the current fragmented system.
- 📜 Legislative Status: Being legislated through multiple bills in the 20th Congress — Senate Bills 1492, 1891, 1946, 2085 and House Bills 7927, 8071, 8096, 8482, and others. The “Cybersecurity Act” (HB 8071) is the primary vehicle.
- 🎯 Core Mandate: Policy-making, coordination, regulatory oversight, and strategic direction for all matters relating to cybersecurity, cyber-terrorism, and protection of Critical Information Infrastructure (CII).
- 🏛️ Composition: Chaired by the Secretary of the Department of Information and Communications Technology (DICT), with members from DND, NBI, PNP, DOJ, DFA, BSP, and other key agencies.
- 🌍 Why It Matters for OFWs: A stronger cybersecurity framework protects the digital infrastructure that OFWs and their families rely on — from banking and remittances to government services and communications.
What Is the National Cybersecurity Council?
The National Cybersecurity Council (NCC) is a proposed Philippine government body that would serve as the country’s centralized inter-agency coordinating, policy-making, regulatory, compliance-monitoring, and strategic direction-setting authority for all matters relating to cybersecurity, cyber-terrorism, and the protection of Critical Information Infrastructure (CII). The National Cybersecurity Council is envisioned as the Philippines’ answer to the growing sophistication of cyber threats — a “whole-of-government” approach that replaces the current fragmented system where multiple agencies have overlapping but uncoordinated cybersecurity responsibilities. For OFWs who rely on digital infrastructure for remittances and communication, the National Cybersecurity Council’s mission directly protects the services they depend on daily.
The NCC is being legislated through multiple concurrent measures in the 20th Congress (2025-2026), including Senate Bills 1492, 1891, 1946, and 2085, as well as House Bills 7927, 8071, 8096, 8482, and 12 other similar House Bills. The primary legislative vehicle is House Bill 8071, also known as the “Cybersecurity Act,” which seeks to institutionalize the NCC as the primary authority responsible for cybersecurity matters in the Philippines. The bill was filed in the House of Representatives and has been referred to the appropriate committees for deliberation. For the latest legislative status, see the official Congress website.
The National Cybersecurity Council’s creation represents a fundamental shift in how the Philippines approaches cybersecurity. Currently, cybersecurity responsibilities are spread across multiple agencies — the Department of Information and Communications Technology (DICT) handles ICT security, the National Bureau of Investigation (NBI) handles cybercrime enforcement, the Armed Forces of the Philippines (AFP) handles military cyber defense, and various sector-specific regulators handle critical infrastructure protection. The National Cybersecurity Council would consolidate these responsibilities under a single coordinating body, ensuring a unified national cybersecurity strategy. OFWs can learn more about cybersecurity threats in our OFW Cybersecurity Guide.
The National Cybersecurity Council proposal draws from international best practices. Countries like the United States (Cybersecurity and Infrastructure Security Agency), the United Kingdom (National Cyber Security Centre), Singapore (Cyber Security Agency), and Australia (Australian Cyber Security Centre) have all established centralized cybersecurity bodies. The Philippines’ National Cybersecurity Council follows this global model, adapting it to the country’s specific institutional landscape and threat environment. The Cyfirma 2025-2026 report documents the escalating threat landscape that the NCC is designed to address.
Why the NCC Is Needed
The Philippine cyber threat landscape has intensified significantly over the past year. According to cybersecurity firm Cyfirma’s “Philippines Evolving Cyber Threat Landscape 2025-2026” report, rapid digital adoption continues to outpace security maturity across government, businesses, and critical services. The country has become a target for state-sponsored cyber actors, particularly from China-based groups exploiting geopolitical tensions in the South China Sea. The National Cybersecurity Council would be the body responsible for coordinating the national response to these threats.
The Armed Forces of the Philippines (AFP) warned in early 2026 that cyber threats from China-based actors are intensifying due to geopolitical tensions. These threats include espionage against government networks, targeting of critical infrastructure, and digital disruption campaigns. The AFP’s warning underscores the urgency of establishing a centralized body like the National Cybersecurity Council to coordinate national cyber defense. The ABS-CBN report on national cybersecurity efforts highlights the whole-of-nation approach being advocated by government leaders.
The current fragmented approach to cybersecurity has created several critical gaps. First, there is no single agency with the authority to set binding cybersecurity standards across all government agencies and critical infrastructure sectors. Second, information sharing between agencies is limited, preventing a comprehensive understanding of the threat landscape. Third, the lack of a unified incident response framework means that cyber incidents are handled inconsistently, with some agencies well-prepared and others vulnerable. Fourth, the absence of a central policy-making body has resulted in ad hoc cybersecurity policies rather than a coherent national strategy.
The COVID-19 pandemic accelerated the Philippines’ digital transformation, with government services, education, and commerce moving online at unprecedented speed. While this digitalization brought economic and social benefits, it also expanded the attack surface for cyber threats. Government agencies, hospitals, utilities, and businesses all became more dependent on digital infrastructure — making them more vulnerable to cyberattacks. The National Cybersecurity Council would provide the centralized leadership needed to protect this digital ecosystem.
Composition and Structure
Under the proposed legislation, the NCC would be chaired by the Secretary of the Department of Information and Communications Technology (DICT), reflecting the department’s role as the primary ICT policy body in the Philippines. The National Cybersecurity Council would include representatives from key government agencies:
- Department of National Defense (DND): Representing military cyber defense and national security dimensions of cybersecurity
- Department of Justice (DOJ): Representing the legal and law enforcement aspects of cybercrime prosecution
- National Bureau of Investigation (NBI): Representing cybercrime investigation capabilities
- Philippine National Police (PNP): Representing frontline cybercrime enforcement at the local level
- Department of Foreign Affairs (DFA): Representing international cybersecurity cooperation and diplomatic dimensions
- Bangko Sentral ng Pilipinas (BSP): Representing financial sector cybersecurity and the protection of banking infrastructure
- Department of Energy (DOE): Representing the protection of energy infrastructure including power grids and fuel systems
- Department of Transportation (DOTr): Representing the protection of transportation systems including airports, seaports, and railways
- Department of Health (DOH): Representing the protection of healthcare systems and medical data
- Intelligence agencies: Providing threat intelligence to inform national cybersecurity policy
The NCC would operate through a secretariat that handles day-to-day operations, supported by technical experts from the DICT and other agencies. The National Cybersecurity Council would have the authority to set binding cybersecurity standards, conduct national cyber risk assessments, coordinate incident response, and represent the Philippines in international cybersecurity forums. It would also have the power to audit government agencies’ cybersecurity posture and require compliance with national standards.
The proposed structure includes sector-specific sub-councils for critical infrastructure sectors (energy, finance, telecommunications, transportation, health, water, and government services). Each sub-council would be responsible for developing sector-specific cybersecurity guidelines, conducting sector-wide risk assessments, and coordinating incident response within their sector. This sectoral approach recognizes that different industries face different cyber threats and require different security measures.
Critical Information Infrastructure Protection
A central pillar of the NCC’s mandate is the protection of Critical Information Infrastructure (CII) — the digital systems and networks that are essential to the functioning of the Philippine economy and government. CII includes the power grid, telecommunications networks, banking systems, government databases, transportation control systems, water treatment facilities, and hospital information systems.
The Philippines’ CII faces escalating threats. In 2025-2026, multiple incidents highlighted the vulnerability of the country’s critical infrastructure. State-sponsored actors have targeted government networks for espionage, attempting to steal classified information related to national security and foreign policy. Criminal organizations have targeted financial institutions for fraud and ransomware attacks. Hacktivist groups have targeted government websites and services for political protest.
The National Cybersecurity Council would establish a CII protection framework that includes: mandatory cybersecurity standards for all CII operators; regular vulnerability assessments and penetration testing; incident reporting requirements; and cross-sector information sharing about threats and vulnerabilities. The National Cybersecurity Council would also have the authority to declare national cyber emergencies and coordinate the national response to major cyber incidents.
Under the proposed legislation, CII operators would be required to implement specific security measures, report significant cyber incidents to the NCC within defined timeframes, and participate in national cyber exercises. Non-compliance would result in penalties, creating incentives for operators to invest in cybersecurity. The NCC would also facilitate public-private partnerships for CII protection, recognizing that much of the Philippines’ critical infrastructure is owned and operated by the private sector.
Countering Cyber-Terrorism
The NCC’s mandate explicitly includes countering cyber-terrorism — a growing concern as terrorist organizations increasingly use digital tools for recruitment, fundraising, communication, and planning. Cyber-terrorism encompasses both terrorist use of cyberspace (e.g., online recruitment, propaganda dissemination) and terrorist attacks against cyber infrastructure (e.g., attacks against government systems, critical infrastructure).
The Philippines has experienced the intersection of terrorism and technology. Local terrorist groups have used social media platforms for recruitment and radicalization, targeting vulnerable populations including out-of-school youth and overseas Filipino workers. The NCC would coordinate with law enforcement and intelligence agencies to monitor and counter these activities, balancing security needs with civil liberties and privacy rights.
More concerning is the potential for cyber attacks against critical infrastructure by terrorist organizations or state-sponsored actors using terrorist proxies. An attack against the power grid, telecommunications network, or financial system could cause widespread disruption and economic damage. The National Cybersecurity Council would develop contingency plans for such scenarios, ensuring that the government can respond quickly and effectively to restore services and attribute responsibility.
The NCC would also coordinate with international partners — including the United States, Japan, Australia, and ASEAN neighbors — to share threat intelligence about cyber-terrorist activities. The Philippines’ participation in regional cybersecurity cooperation frameworks would be coordinated through the NCC, ensuring a unified national position in international discussions about cyber-terrorism.
Legislative Journey and Timeline
The NCC’s legislative journey began in earnest in 2025, with multiple bills filed in both the Senate and the House of Representatives. The bills share a common framework: establish the NCC as the national cybersecurity coordinating body, define its composition and powers, create a secretariat, and provide for sector-specific cybersecurity standards.
House Bill 8071 (the “Cybersecurity Act”) is the primary vehicle in the House of Representatives. It was filed by representatives from multiple districts and has been referred to the House Committee on Information and Communications Technology and the House Committee on National Defense and Security. The bill has garnered bipartisan support, reflecting the recognition that cybersecurity is a national priority that transcends political divisions.
In the Senate, multiple bills address different aspects of the NCC. Senate Bill 1492 focuses on the NCC’s institutional framework, Senate Bill 1891 addresses critical infrastructure protection, Senate Bill 1946 covers cybercrime enforcement, and Senate Bill 2085 addresses international cooperation. These bills may eventually be consolidated into a single Senate bill or harmonized with the House version through a bicameral conference committee.
The timeline for passage depends on the legislative calendar and the priority given to cybersecurity in the 20th Congress. Given the urgency highlighted by the AFP’s warnings about Chinese cyber threats and the Cyfirma report on the evolving threat landscape, there is strong momentum to pass the legislation in 2026. The Marcos administration has expressed support for strengthening cybersecurity, and the bill aligns with the National Security Policy 2023-2028 and the National Cybersecurity Plan 2023-2028.
Once passed, the NCC would be established within 90 days of the law’s effectivity. The DICT Secretary would convene the first council meeting, draft the implementing rules and regulations, and begin the process of establishing the secretariat and sector-specific sub-councils. The transition from the current fragmented system to the NCC-led framework would take approximately one year, during which existing agencies would continue their cybersecurity functions while the NCC assumes coordination responsibilities.
OFW Relevance: Why the NCC Matters
For overseas Filipino workers and their families, the NCC’s establishment has direct implications for the digital services they rely on daily. OFWs depend on digital infrastructure for remittances, communication with family, government services, and financial transactions. A robust cybersecurity framework protects these critical services from disruption.
Remittance platforms — the digital channels through which OFWs send money home — are prime targets for cybercriminals. A major cyber attack against a major remittance platform could prevent millions of OFWs from sending money to their families, causing immediate financial hardship. The NCC’s protection of financial sector CII would help prevent such scenarios.
Government services that OFWs use — including the Overseas Workers Welfare Administration (OWWA), PhilHealth, SSS, Pag-IBIG, and the Department of Migrant Workers — all rely on digital infrastructure. A cyber attack against these agencies could delay benefits, compromise personal data, and disrupt services that OFWs depend on. The NCC’s mandate to protect government CII would strengthen the security of these services.
Communication platforms — messaging apps, video calling services, and social media — are how OFWs stay connected with their families. While these platforms are operated by private companies, the NCC’s cybersecurity standards and incident response framework would provide an additional layer of protection. The NCC would also coordinate with international partners to address cross-border cyber threats affecting these platforms.
The NCC’s protection of telecommunications infrastructure is particularly important for OFWs. The Philippines’ telecom networks — operated by PLDT/Smart and Globe — carry the vast majority of OFW-to-family communications. A successful cyber attack against these networks could sever the primary communication link between OFWs and their loved ones. The NCC’s CII protection mandate would ensure that telecom operators maintain robust cybersecurity defenses.
Beyond immediate protection, the NCC’s establishment signals to international partners and investors that the Philippines takes cybersecurity seriously. This can enhance the country’s reputation as a reliable destination for digital investment and outsourcing, which in turn creates employment opportunities for OFWs both at home and abroad. A strong cybersecurity framework also supports the Philippines’ digital economy ambitions, which can generate higher-skilled jobs for returning OFWs.
Challenges and Concerns
While the NCC’s establishment is widely supported, several challenges and concerns must be addressed. First, the NCC’s effectiveness will depend on its actual authority and resources. If the council lacks binding authority over other agencies or sufficient budget, it may become a paper tiger rather than an effective coordinating body. The legislation must ensure that the NCC has real power to set standards, enforce compliance, and direct resources.
Second, the NCC must balance security with privacy and civil liberties. Cybersecurity measures can potentially infringe on citizens’ privacy rights, particularly regarding surveillance and data collection. The legislation must include robust safeguards against abuse, including independent oversight, transparency requirements, and clear limitations on the NCC’s surveillance powers. The Philippine Data Privacy Act of 2012 (Republic Act No. 10173) must remain the governing framework for personal data protection.
Third, the NCC will face significant technical challenges. The Philippines has a shortage of cybersecurity professionals, and the NCC will need to attract and retain skilled technical staff. The council will also need to invest in advanced cybersecurity tools and systems, which require significant funding. The legislation must provide for capacity-building programs, partnerships with universities and the private sector, and adequate budget for technical infrastructure.
Fourth, the NCC must navigate the complex landscape of public-private ownership of critical infrastructure. Much of the Philippines’ CII is owned and operated by private companies (telecoms, banks, power utilities, etc.). The NCC’s authority over private operators must be clearly defined, with appropriate checks and balances to avoid overreach while ensuring adequate security standards.
Fifth, the NCC must coordinate effectively with existing agencies to avoid duplication and turf wars. The DICT, NBI, PNP, AFP, and other agencies all have existing cybersecurity functions. The NCC must add value by coordinating these efforts rather than duplicating them. Clear delineation of responsibilities and effective governance mechanisms will be critical to success.
International Context and Best Practices
The Philippines’ NCC proposal aligns with global trends in cybersecurity governance. As mentioned earlier, countries worldwide have established centralized cybersecurity bodies in response to growing cyber threats. The Philippines can learn from these international examples while adapting the model to its specific institutional context.
The United States’ Cybersecurity and Infrastructure Security Agency (CISA) provides a model for critical infrastructure protection. CISA works with both government and private sector operators to identify and mitigate cyber threats to critical infrastructure. The Philippines’ NCC could adopt similar public-private partnership models for CII protection.
Singapore’s Cyber Security Agency (CSA) provides a model for a small country with limited resources. Singapore’s CSA coordinates national cybersecurity policy, operates a national incident response center, and facilitates public-private partnerships. The Philippines, with its larger population and more complex institutional landscape, could adapt Singapore’s model while scaling it appropriately.
The United Kingdom’s National Cyber Security Centre (NCSC) provides a model for technical expertise and incident response. The NCSC operates a national cyber security operations center that monitors threats, coordinates incident response, and provides technical advice to government and critical infrastructure operators. The Philippines could establish a similar technical center within the NCC’s secretariat.
Australia’s Australian Cyber Security Centre (ACSC) provides a model for threat intelligence sharing. The ACSC operates the Australian Cyber Security Centre’s threat intelligence sharing platform, which enables government and private sector organizations to share information about cyber threats in real-time. The Philippines could establish a similar platform through the NCC.
The Philippines’ participation in ASEAN cybersecurity cooperation frameworks — including the ASEAN Cybersecurity Cooperation Strategy and the ASEAN-Japan Cybersecurity Policy Center — would be coordinated through the NCC. This regional cooperation is important because cyber threats are transnational, and effective defense requires cross-border information sharing and coordination.
FAQ
Q: What is the National Cybersecurity Council (NCC)?
A: The NCC is a proposed centralized inter-agency body that would serve as the Philippines’ primary authority for cybersecurity policy, coordination, and strategic direction. It would be chaired by the DICT Secretary and include representatives from DND, NBI, PNP, DOJ, DFA, BSP, and other key agencies. The NCC is being legislated through multiple bills in the 20th Congress, with House Bill 8071 (the “Cybersecurity Act”) as the primary vehicle.
Q: Why does the Philippines need the NCC?
A: The Philippines faces escalating cyber threats from state-sponsored actors (particularly China-based groups), criminal organizations, and hacktivists. The current fragmented system — where multiple agencies have overlapping but uncoordinated cybersecurity responsibilities — leaves gaps in national cyber defense. The NCC would provide centralized leadership, unified policy, and coordinated incident response.
Q: When will the NCC be established?
A: The timeline depends on the legislative process. Multiple bills are pending in the 20th Congress, and there is strong momentum to pass the legislation in 2026 given the urgency of cyber threats. Once the law is passed, the NCC would be established within 90 days, with full operational capability within approximately one year.
Q: How does the NCC affect OFWs?
A: The NCC would protect the digital infrastructure that OFWs rely on — remittance platforms, government services (OWWA, PhilHealth, SSS, Pag-IBIG), telecommunications, and banking systems. By strengthening cybersecurity, the NCC helps ensure that OFWs can send money home, access government services, and communicate with family without disruption from cyber attacks.
Q: Will the NCC have surveillance powers that could affect privacy?
A: The proposed legislation includes provisions for cybersecurity monitoring and incident response, which could involve some degree of surveillance. However, the Philippine Data Privacy Act of 2012 remains the governing framework for personal data protection. The legislation must include robust safeguards against abuse, including independent oversight, transparency requirements, and clear limitations on surveillance powers.
Q: How does the NCC differ from existing agencies like DICT or NBI?
A: Existing agencies have sector-specific cybersecurity responsibilities — DICT handles ICT security, NBI handles cybercrime investigation, AFP handles military cyber defense. The NCC does not replace these agencies but coordinates their efforts under a unified national strategy. Think of the NCC as the conductor of an orchestra — it doesn’t play the instruments but ensures everyone plays in harmony.
Q: What critical infrastructure will the NCC protect?
A: The NCC would protect all Critical Information Infrastructure (CII) — the digital systems essential to the functioning of the Philippine economy and government. This includes power grids, telecommunications networks, banking systems, government databases, transportation control systems, water treatment facilities, hospital information systems, and other critical digital infrastructure.
Disclaimer: This article is for informational and educational purposes only and does not constitute legal, investment, or policy advice. All information is sourced from publicly available government documents, legislative filings, news reports, and cybersecurity research as of June 2026. Legislative proposals may change as bills move through the congressional process. Always verify current legislative status through official congressional records. Neither the author nor worldngayon.com recommends specific investment decisions based on the information presented here.
