The Israel National Cyber Directorate (INCD) — the government body responsible for national-level cyber defense — publishes security guidance frameworks, alerts, and sector-specific directives that apply to a broad range of Israeli organizations. If your company operates in energy, water, finance, health, transportation, communications, or government-adjacent services, you’re likely inside the regulatory perimeter whether you know it or not.
This post explains what the INCD is, what its guidelines require in practice, and what “critical infrastructure” actually means in the Israeli context.
What the INCD Is and What Authority It Has
The INCD was established in 2017 to consolidate Israel’s national cyber defense functions. It operates under the Prime Minister’s Office and has both an advisory and an enforcement role.
For most Israeli businesses, INCD interaction comes through:
- Security directives — mandatory requirements published for operators of critical infrastructure (OCIs)
- Sector frameworks — detailed cybersecurity baseline requirements for specific industries (finance, health, energy, etc.)
- Threat intelligence alerts — advisories distributed to registered organizations about active campaigns and vulnerabilities
- Audit and assessment — the INCD conducts or commissions security assessments of regulated entities
The INCD’s authority to mandate security controls derives from Israel’s Critical Infrastructure Protection Law and the National Cybersecurity Law 5786-2026. Organizations that fail to meet requirements face regulatory enforcement actions and potential operational restrictions.
What Counts as Critical Infrastructure
The INCD defines critical infrastructure across 19 sectors. The sectors most directly relevant to the Israeli startup and SMB ecosystem are:
- Finance — banks, payment processors, insurance companies, investment firms
- Health — hospitals, health data processors, medical device manufacturers
- Communications — ISPs, cloud providers, data centers operating in Israel
- Energy — electricity, gas, oil infrastructure
- Water — water utilities and treatment systems
- Defense industry — companies in the defense supply chain (even as subcontractors)
- Government services — companies providing technology to government agencies
The boundary is not always sharp. A SaaS company that processes health data for Israeli HMOs may fall under health sector requirements. A cloud infrastructure provider with Israeli enterprise customers may fall under the communications sector framework. When in doubt, consult with legal counsel familiar with Israeli regulatory classification.
What the INCD Security Baseline Requires
The INCD’s sector-specific frameworks vary in detail, but the baseline requirements common across most sectors include:
Asset and risk management
- Maintain an inventory of information assets, including cloud environments and SaaS systems
- Conduct a formal risk assessment at least annually
- Classify assets by criticality and apply controls proportional to classification
Access control and identity
- Enforce multi-factor authentication for all administrative access to critical systems
- Implement least-privilege access policies
- Monitor and log privileged access activity
- Maintain formal procedures for granting, reviewing, and revoking access
Network security
- Segment critical systems from general corporate networks
- Monitor ingress and egress traffic for anomalies
- Restrict remote access to specific authorized users and devices
Security monitoring and incident response
- Maintain continuous security monitoring for critical systems
- Detect and respond to incidents within defined timeframes
- Report significant cyber incidents to the INCD within 12 hours of detection
- Maintain and test an incident response plan at least annually
The 12-hour incident reporting requirement is one of the most operationally significant obligations. The clock starts at detection, so the practical demand is twofold: detection that surfaces an intrusion while it is still in progress, and a triage process that can decide within hours whether an event meets the "significant" threshold. Passive logging with no alerting satisfies neither.
Supply chain security
- Assess cybersecurity practices of critical suppliers and service providers
- Include security requirements in contracts with vendors who access critical systems
- Monitor for security incidents involving key suppliers
Business continuity
- Maintain and test a business continuity plan that covers cyber incidents
- Ensure critical systems can be restored within defined recovery time objectives
- Maintain offline or immutable backups of critical data
The Gap Between Compliance and Security
INCD compliance is a floor, not a ceiling. The frameworks describe minimum controls, and a company can technically satisfy the requirements while still having significant security gaps.
The most common gap Israeli companies have when assessed against the INCD baseline is security monitoring. Many organizations have basic controls in place — MFA is enforced, access is reviewed periodically, backups exist — but they lack the ability to detect an active intrusion or meet the 12-hour reporting window.
Effective monitoring means:
- Logs from all critical systems flowing to a centralized system
- Real-time alerting on high-severity events (unauthorized access attempts, privilege escalation, data exfiltration indicators)
- A defined process for triaging and escalating alerts
This is exactly where a Security Information and Event Management (SIEM) platform earns its place in a regulated organization’s architecture.
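The three monitoring elements above, as an added worked example that is not part of the original post, INCD guidance, or Xpernix code. It runs three detection rules over constructed log lines that have already been forwarded to one collector (a brute-force login that succeeds, a sudo to root, and a large outbound transfer to a non-internal address), then routes each alert to an owner and stamps critical ones with a reporting deadline counted from the analyst's confirmation time. The line format, field names, thresholds, and escalation table are all assumptions made for the example.

```python
"""Detection pass over centralized auth, sudo and egress-proxy logs.

Added example, not INCD guidance and not Xpernix code. The log lines are
constructed, the field names and thresholds are hypothetical, and the
escalation table is a stand-in for a real SOC runbook.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in one normalized line format, as they would look
# after several hosts forward their logs to a central collector.
SAMPLE_LOG = """\
2026-03-02T09:00:01 auth host=vpn1 src=203.0.113.7 user=ops result=FAIL
2026-03-02T09:00:03 auth host=vpn1 src=203.0.113.7 user=ops result=FAIL
2026-03-02T09:00:04 auth host=vpn1 src=203.0.113.7 user=ops result=FAIL
2026-03-02T09:00:06 auth host=vpn1 src=203.0.113.7 user=ops result=FAIL
2026-03-02T09:00:07 auth host=vpn1 src=203.0.113.7 user=ops result=FAIL
2026-03-02T09:00:09 auth host=vpn1 src=203.0.113.7 user=ops result=OK
2026-03-02T09:05:12 sudo host=hmi1 user=ops target=root cmd=/bin/bash
2026-03-02T09:20:40 proxy host=egress1 src=10.10.5.21 dst=198.51.100.9 bytes=734003200
2026-03-02T09:21:00 auth host=vpn1 src=198.51.100.44 user=dana result=OK
2026-03-02T09:21:05 proxy host=egress1 src=10.10.5.21 dst=10.10.9.2 bytes=900000000
"""

# Hypothetical thresholds; tune them to the environment's baseline.
FAIL_THRESHOLD = 5                      # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=2)      # ...within this window
EXFIL_BYTES = 500 * 1024 * 1024         # single outbound flow over 500 MiB
REPORT_WINDOW = timedelta(hours=12)     # reporting clock, counted from detection
ESCALATION = {"critical": "on-call IR lead", "high": "SOC analyst"}


def parse_line(line):
    """'<ts> <kind> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, kind, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def is_internal(ip):
    """Constructed internal range for the example: 10.0.0.0/8 only."""
    return ip.startswith("10.")


def detect(log_text):
    """Return alerts in log order: auth brute force, sudo to root, large egress."""
    alerts = []
    failures = defaultdict(list)        # (src, user) -> timestamps of FAIL events

    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)

        if e["kind"] == "auth":
            key = (e["src"], e["user"])
            if e["result"] == "FAIL":
                failures[key].append(e["ts"])
            elif e["result"] == "OK":
                # A success right after a burst of failures: guessing that worked.
                recent = [t for t in failures[key] if e["ts"] - t <= FAIL_WINDOW]
                if len(recent) >= FAIL_THRESHOLD:
                    alerts.append({"rule": "brute_force_success", "severity": "critical",
                                   "ts": e["ts"],
                                   "detail": f"{e['user']} from {e['src']} after {len(recent)} failures"})
                failures[key].clear()

        elif e["kind"] == "sudo" and e.get("target") == "root":
            alerts.append({"rule": "privilege_escalation", "severity": "high",
                           "ts": e["ts"],
                           "detail": f"{e['user']} -> root on {e['host']}: {e['cmd']}"})

        elif e["kind"] == "proxy":
            # Only a large flow to a non-internal destination counts as an exfil indicator.
            if not is_internal(e["dst"]) and int(e["bytes"]) >= EXFIL_BYTES:
                alerts.append({"rule": "possible_exfiltration", "severity": "critical",
                               "ts": e["ts"],
                               "detail": f"{e['src']} -> {e['dst']} {e['bytes']} bytes"})
    return alerts


def triage(alerts, detected_at_iso):
    """Attach an owner to each alert and, for critical ones, the reporting deadline.

    The clock runs from the moment the analyst confirms the incident (detected_at_iso),
    not from the event timestamp, which is why the detection-to-assessment gap matters.
    """
    detected_at = datetime.fromisoformat(detected_at_iso)
    routed = []
    for a in alerts:
        item = dict(a, owner=ESCALATION[a["severity"]])
        if a["severity"] == "critical":
            item["report_by"] = (detected_at + REPORT_WINDOW).isoformat()
        routed.append(item)
    return routed


if __name__ == "__main__":
    for item in triage(detect(SAMPLE_LOG), "2026-03-02T10:30:00"):
        print(item["severity"].upper(), item["rule"], "->", item["owner"],
              item.get("report_by", ""), "|", item["detail"])
```

Note that the last proxy line carries more bytes than the flagged one but goes to an internal address, so it produces no alert; the destination check is what keeps a backup job from paging the on-call lead. A real SIEM rule set would add allowlists for known admin sources and scheduled transfers, but the shape is the same: normalized events in one place, rules that fire in near real time, and a routing step that names who acts and by when.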
Practical Steps for Getting Compliant
If you’re not sure where your organization stands relative to INCD requirements:
- Identify your classification — determine whether your organization is an operator of critical infrastructure, and under which sector framework
- Get the relevant framework document — INCD publishes sector frameworks (some are publicly available; others require registration)
- Run a gap assessment — map your current controls against the framework requirements; prioritize the gaps
- Focus on monitoring first — the incident detection and reporting obligations are often the hardest to meet and have the most direct regulatory risk if not satisfied
- Establish your incident reporting process — know who contacts the INCD, how, and with what information if a significant incident occurs
If you want to discuss how Xpernix can help your organization meet INCD monitoring and detection requirements, contact us.