A six-dimension analysis of the legal framework, enforcement practice, regulatory gaps, and investment-enabling recommendations — structured for graph-based entity mapping.
Iraq's mobile sector is governed by a layered, historically fragmented regulatory architecture. The foundational instrument is CPA Order No. 65 (2004), which created the Communications and Media Commission (CMC) as an independent authority with licensing and spectrum management powers. The Telecommunications and Postal Law (Draft, 2006+) was intended to replace Order 65 with a modern framework; despite years of revision and a GSMA-hosted workshop in 2020, it remains un-enacted, leaving Iraq's entire mobile regulatory regime resting on occupation-era legislation.
Three operators hold 15-year national GSM/3G licenses issued between 2007 and 2008: Zain Iraq (~53% market share, 16M subscriptions), Asiacell (Qatar Telecom subsidiary, ~31%, 12.5M subscriptions), and Korek Telecom (~15.7%, 7M subscriptions). These licenses were reaching expiry around 2022–2023, triggering serious disputes. In late 2023, the CMC temporarily severed Korek's interconnection over an outstanding government debt exceeding $1.3 billion, restoring access only after Korek agreed to an $800 million tax settlement.
The CMC holds frequency management authority under Order 65 Section 5. In practice, 4G rollout was severely delayed: spectrum was not formally allocated for LTE outside the Kurdistan Region until recent years, and Asiacell and Zain only achieved substantial LTE deployment from approximately 2022–2024, with Asiacell now operating 8,201 LTE sites. There is GAP: No published national spectrum roadmap and no publicly transparent spectrum auction framework — allocations have been negotiated administratively rather than through competitive processes.
The three operators collectively own over 90% of Iraq's mobile tower infrastructure. In 2024, Zain Iraq and Ooredoo combined their Iraqi towers under a new tower company structure. However, GAP: No binding infrastructure-sharing regulation exists; sharing arrangements are bilateral and voluntary. The absence of mandatory passive-sharing obligations inflates network deployment costs, particularly in rural and conflict-affected areas.
There is GAP: No small cell regulatory framework. No streamlined permitting process exists for small cell, distributed antenna system, or in-building deployment. Municipal rights-of-way access is unregulated at the federal level. Given Iraq's dense urban environments (Baghdad is 8M+ population), this gap materially constrains indoor coverage and 5G densification.
In October 2023, the CMC announced a plan for a new state-backed 5G operator. By March 2025, the Iraqi Cabinet formally decreed the establishment of a National Mobile Company, with the Ministry of Communications (MoC) leading technical preparations. In December 2024, Vodafone International was approved as the operating partner. This fourth operator will compete alongside the three existing MNOs. Critical questions remain: the competitive framework for spectrum allocation between the incumbent trio and the state-backed newcomer is undefined, raising GAP: Competitive neutrality risk in 5G licensing.
Mobile money and electronic payment services fall under the Central Bank of Iraq (CBI), not the CMC. The Electronic Payment Services Regulation No. 2 (2024) replaced the 2014 framework and requires a minimum capital of 10 billion IQD for electronic payment service providers. The regulation authorizes digital wallets, mobile payments, and electronic fund transfers. Iraq's de-dollarization push under Digital Payment Regulation No. 2 (2024) mandates electronic payment for government services, with fuel stations in Baghdad already refusing cash as of mid-2025. However, GAP: No integrated MNO-led mobile money license — MNOs cannot offer mobile financial services under their telecom license and must obtain separate CBI authorization, creating friction for mobile-money-first strategies that have succeeded elsewhere in emerging markets.
| Gap | Severity | Impact on Investment |
|---|---|---|
| Draft Telecom Law un-enacted since 2006 | High | Entire regulatory regime rests on CPA-era order; no statutory enforcement teeth, no appeals mechanism, no universal service obligation framework |
| No spectrum roadmap or auction framework | High | Administrative allocation lacks transparency; deters infrastructure investors; creates uncertainty for 5G planning |
| No mandatory infrastructure sharing | High | Duplicative tower builds in urban areas; coverage gaps in rural/conflict areas; inflated capex |
| No small cell framework | Medium | Blocks 5G densification; constrains indoor coverage improvement |
| Competitive neutrality risk — state 5G operator | High | Incumbents face potential sovereign-backed competitor with preferential spectrum; chilling effect on private investment |
| No integrated mobile money license | Medium | Prevents MNO-led financial inclusion strategies; fragments regulatory oversight |
Priority 1: Support enactment of a modern Telecommunications Law with clear licensing categories (technology-neutral), mandatory infrastructure sharing obligations, competitive spectrum auction rules, and an independent dispute resolution mechanism. Priority 2: Condition any EBRD financing to Iraqi mobile operators on publication of transparent infrastructure sharing agreements. Priority 3: Advocate for competitive neutrality safeguards in the National Mobile Company's license conditions, including equal spectrum allocation terms and accounting separation. Priority 4: Recommend a unified digital financial services licensing framework jointly overseen by CBI and CMC to enable MNO-led mobile money.
Fixed broadband in Iraq operates under a structurally concentrated model. The Iraqi Telephone and Postal Company (ITPC), a state-owned enterprise under the Ministry of Communications, holds the exclusive right to own and operate fiber-optic backbone infrastructure. No private entity can deploy fiber-optic cable without ITPC approval. The State Company for Internet Services (SCIS), also MoC-operated, manages internet subscribers and provides DSL and IP services to government agencies.
Wholesale access works as follows: the MoC rents fiber-optic capacity from the ITPC backbone to private ISPs, which then distribute last-mile service. As of early 2026, Iraq has approximately 8,000 registered resellers operating over 20,000 Wi-Fi towers — many unregistered — creating severe interference problems. FTTH connections have grown dramatically: from 276,000 in 2021 to 1.5 million in 2022, 2.9 million in 2023, and 3.5 million by late 2024, with fiber subscriptions reaching approximately 1.1 million by early 2025 (a 414% year-over-year increase). In January 2025, iQ Networks partnered with Gulf Bridge International (GBI) to launch Iraq's first dark fibre IRU (Indefeasible Right of Use) framework in Baghdad.
GAP: No local loop unbundling regulation. There is no framework for access to ITPC's passive infrastructure (ducts, poles, manholes) by third-party operators. The ITPC monopoly on backbone ownership means that private ISPs are entirely dependent on a single state-owned wholesaler for capacity, with GAP: No transparent wholesale pricing regulation. Freedom House has documented that the MoC sells bandwidth to ISPs at approximately $24/MB, while black-market alternatives cost under $4/MB, indicating severe price distortion. A new 20% service fee on FTTH and Wi-Fi services was imposed by cabinet resolution in December 2025, adding further cost pressure.
GAP: No duct/pole access regime — private operators have no regulatory right to access ITPC physical infrastructure for fiber deployment. In-building wiring standards are absent. GAP: No dig-once policy exists to coordinate fiber trenching with road construction or utility installation, despite the GSMA-CMC National ICT Development Whitepaper (2025) explicitly recommending one.
The Kurdistan Region operates a semi-autonomous market. O3 Telecom (linked to the KDP/Barzani family) is the sole entity permitted to import fiber-optic services through Turkey, distributing to carriers like Newroz Telecom and FastLink. This creates a parallel bottleneck: the Kurdistan fiber backbone is politically controlled, facilitating government-ordered shutdowns and constraining competitive entry.
Iraq's geographic position — between Turkey and the Gulf — makes it a strategic transit corridor. The Silk Route Transit terrestrial fiber project is progressing. Iraq has signed agreements for six submarine cable connections. Demand is growing for data center capacity, with government support for AI-focused data centers announced in 2025. However, GAP: No open-access or carrier-neutral data center regulation exists to ensure competitive hosting markets.
| Gap | Severity | Impact on Investment |
|---|---|---|
| ITPC fiber monopoly — no structural separation | High | Single-point dependency for all ISPs; political control over backbone enables shutdowns; deters private fiber investment |
| No wholesale pricing regulation | High | Massive price distortion ($24/MB vs $4/MB black market); drives ISPs to illegal bandwidth sourcing |
| No local loop unbundling | High | Prevents facilities-based competition; locks ISPs into reseller model |
| No duct/pole access rights | Medium | Duplicative civil works; higher FTTH deployment costs |
| No dig-once policy | Medium | Missed coordination opportunities increase fiber deployment cost |
| Kurdistan parallel backbone monopoly | High | Political capture of regional connectivity; facilitates internet shutdowns |
| No data center regulation | Medium | No carrier-neutral facility requirements; constrains cloud/IXP ecosystem |
Priority 1: Advocate for structural or functional separation of ITPC into a wholesale-only infrastructure entity with regulated, transparent access pricing — modeled on the EU's Significant Market Power framework. Priority 2: Introduce passive infrastructure access regulation (ducts, poles, in-building) with cost-oriented pricing. Priority 3: Establish a dig-once mandate for all publicly funded road/utility projects. Priority 4: Condition EBRD fiber-related financing on open-access terms for any funded infrastructure. Priority 5: Support development of a National Broadband Plan with universal service obligations and rural deployment subsidies funded by spectrum auction proceeds.
Satellite communications are licensed by the CMC under the general authority of CPA Order No. 65. In July 2024, the CMC issued Decision No. 2024/Q78, a regulation on the licensing of ground stations for space services, covering both geostationary (GSO) and non-geostationary (NGSO) satellite operations. This regulation establishes license categories including VSAT (currently restricted primarily to oil and gas companies), Earth Station in Motion (ESIM), and comprehensive satellite licenses. The license framework references ITU Radio Regulations and WRC-15 allocations.
Critically, VSAT licenses are currently granted for one-year terms (renewable) and have historically been limited to entities with contracts under the Ministry of Oil. This restriction severely limits enterprise and consumer satellite broadband access.
Iraq has been in active negotiations with SpaceX/Starlink since May 2025. Prime Minister Al-Sudani met SpaceX delegations in both May and December 2025, with the latter meeting described as addressing "final procedures" for granting satellite internet licenses. The US Chargé d'Affaires joined the December talks, underscoring the geopolitical dimension. Starlink has expressed readiness to commence operations "within a short period" of license issuance. However, GAP: No LEO-specific licensing framework — the 2024 ground station regulation was drafted primarily with traditional GSO VSAT in mind; NGSO constellations operating thousands of satellites with dynamic beam management require distinct spectrum coordination, interference management, and landing rights provisions.
The government has indicated that Starlink licensing may include requirements for cooperation with local operators and provisions to protect "digital sovereignty." This suggests potential mandates for local ground stations, traffic monitoring/lawful intercept capabilities, and possibly local data routing requirements. GAP: No transparent satellite licensing conditions — the terms being negotiated with Starlink are not publicly available, creating uncertainty for other potential LEO operators (OneWeb, Amazon Kuiper) considering Iraqi market entry.
| Gap | Severity | Impact on Investment |
|---|---|---|
| No LEO/NGSO-specific licensing framework | High | Starlink negotiations proceeding without predictable regulatory framework; other LEO operators cannot assess market entry |
| VSAT restricted to oil & gas sector | Medium | Enterprise satellite broadband unavailable outside extractives; constrains rural/emergency connectivity |
| Non-transparent Starlink negotiations | Medium | First-mover advantage without competitive process; precedent-setting terms invisible to market |
| One-year VSAT license terms | Low | Short license duration discourages VSAT investment |
Priority 1: Support CMC in developing a technology-neutral satellite licensing framework that accommodates LEO constellations, with clear spectrum coordination procedures, landing rights, and interference management protocols aligned with ITU WRC-23 outcomes. Priority 2: Recommend liberalization of VSAT licensing beyond oil and gas to enable enterprise, education, and rural broadband use cases. Priority 3: Advocate for transparent, non-discriminatory satellite licensing conditions — any terms offered to Starlink should be available on equivalent basis to other qualified operators. Priority 4: Ensure any satellite licensing framework includes provisions for emergency/disaster connectivity, leveraging LEO capabilities for humanitarian response.
Iraq has GAP: No dedicated cybersecurity law. There is no cybercrime-specific legislation, no critical infrastructure protection framework, and no mandatory incident reporting regime. Existing provisions are scattered across several instruments: the Iraqi Penal Code (1969) addresses some computer-related offenses under general fraud and damage provisions; the Iraqi Constitution (2005) provides privacy protections in Article 17; the Electronic Signature and Electronic Transactions Law (2012) addresses authentication but not broader cybersecurity. A draft cybercrime law has been circulated multiple times but remains unadopted, partly due to civil society concerns about overly broad speech restrictions.
The Second Iraqi Digital Space Forum (December 2025) convened international experts to discuss legislative frameworks for cybersecurity, AI, e-commerce, and electronic payments, with participation from Iraq's Deputy National Security Advisor — signaling government recognition of the gap but not yet producing binding legislation.
Iraq is classified in Tier 4 ("Evolving") under the ITU GCI 2024, alongside countries like Lebanon, Palestine, and Somalia within the Arab States. This tier indicates expanded digital services but inadequate cybersecurity integration across all five ITU pillars: legal measures, technical measures, organizational measures, capacity development, and cooperation. Iraq lacks a national CERT/CSIRT with clear mandate, a national cybersecurity strategy, and formal cybersecurity training programs at scale.
The EU 5G Toolbox (January 2020) and its 2023 update establish strategic and technical measures for securing telecommunications infrastructure. Applied across all telecom infrastructure (not limited to 5G), Iraq's position is as follows:
| Toolbox Measure | Iraq Status | Assessment |
|---|---|---|
| SM01 — Strengthen regulatory powers for securing networks | CMC has no explicit cybersecurity mandate. No power to impose security requirements on operators or audit compliance. | |
| SM02 — Perform risk assessment of supplier profiles | No high-risk vendor assessment process exists. No framework for evaluating supply chain risk. Huawei, Nokia, and Ericsson all supply Iraqi operators without differentiated security scrutiny. | |
| SM03 — Apply restrictions on high-risk suppliers in critical assets | No restrictions on any vendor. No definition of "critical" or "sensitive" network functions. No exclusion or limitation mechanism. | |
| SM04 — Multi-vendor strategies for operators | Operators use mixed vendors (Nokia/Zain partnership, Huawei/Ericsson presence) but not pursuant to any regulatory diversification requirement. | |
| SM05 — Maintain resilient supply chains | No supply chain security policy. No contingency planning for vendor disruption. | |
| SM06 — Screening of FDI in telecom sector | No FDI screening mechanism for telecom sector. National Investment Law No. 13 (2006) provides general investment framework but no sector-specific security review. | |
| TM01 — Baseline security requirements for operators | No baseline security requirements exist for any class of operator. | |
| TM02 — Security audits and testing | No mandatory security auditing regime. No penetration testing requirements. | |
| TM03 — Access control and monitoring | No regulatory requirements for network access controls beyond what operators implement voluntarily. |
Iraq has GAP: No high-risk vendor assessment framework. All major equipment vendors — including Huawei, Nokia, and Ericsson — operate in Iraq without differentiated security evaluation. Nokia has a three-year strategic modernization partnership with Zain Iraq (signed September 2024) involving 3,000 microwave hops and E-band links. Huawei maintains significant equipment presence. With no framework to distinguish "critical" versus "non-critical" network functions, and no legal basis for imposing vendor restrictions, Iraq cannot implement any version of the EU's high-risk vendor approach. Given Iraq's geopolitical positioning and the EBRD's alignment with EU policy principles, this gap is particularly significant for any EBRD-financed infrastructure.
Priority 1: Make EBRD telecom infrastructure financing conditional on borrower compliance with minimum cybersecurity baselines aligned with the EU 5G Toolbox's technical measures (TM01–TM03), regardless of the technology generation deployed. Priority 2: Provide technical assistance to develop a National Cybersecurity Strategy, national CERT, and critical infrastructure protection legislation. Priority 3: Support the CMC in developing mandatory operator security requirements including annual audits, incident reporting, and vulnerability management. Priority 4: Introduce high-risk vendor assessment as a condition of EBRD-financed projects, requiring supply chain risk evaluation for core network components. Priority 5: Fund capacity building for cybersecurity professionals through partnerships with ITU and ENISA (European Union Agency for Cybersecurity).
Iraq has GAP: No comprehensive data protection law. As of Q1 2026, Iraq remains among the most populous countries worldwide without a dedicated privacy statute — alongside the United States, Pakistan, Bangladesh, and Iran. A draft Personal Data Protection Law was approved by the Iraqi cabinet in 2019 but was never enacted by parliament. Existing privacy-relevant provisions are scattered across: Constitution of Iraq (2005), Article 17 (right to personal privacy); Penal Code (1969), Articles 437–438 (privacy of correspondence); Banking Law No. 94 (2004) (banking secrecy); and sector-specific CMC licensing conditions requiring subscriber data protection.
The CMC's Framework Regulations for Digital Platforms and Services (2025) introduces registration requirements for digital platforms operating in Iraq and empowers the CMC to monitor, regulate, and revoke platform authorizations. It includes compliance obligations but does not constitute a GDPR-style data protection framework — it is oriented toward platform governance and content moderation rather than individual data rights.
There is GAP: No explicit data localization law, but de facto localization pressure exists. The CBI's electronic payment regulation requires transaction records to be maintained in Iraq. The government's "digital sovereignty" rhetoric, particularly around the Starlink negotiations, suggests emerging preferences for in-country data routing and local ground station requirements. The ITPC's backbone monopoly means that all internet traffic transiting Iraq's fiber network is subject to state-owned infrastructure, creating implicit localization for domestic traffic.
Iraq opened its first National Data Center under MoC management. The government has voiced support for AI-capable data centers. However, GAP: No data center regulatory framework — there are no standards for power resilience, physical security, connectivity redundancy, or environmental efficiency. No Tier certification requirements exist. No framework distinguishes between sovereign (government data only) and commercial data center operations. Iraq's chronic power grid instability (12–16 hours/day in many areas, worse in summer) represents a fundamental infrastructure constraint for data center development.
Iraq's position as a transit corridor between Europe, the Gulf, and South/Central Asia is a major asset. Six submarine cable agreements are in place. The Silk Route Transit fiber project is progressing. Iraq established its first neutral Internet Exchange Point (IRAQ-IXP), which has become the region's third-largest IXP by connected networks. However, cross-border data flows lack a governing framework: no adequacy decisions, no standard contractual clauses, no binding corporate rules mechanism. This creates GAP: No cross-border data transfer mechanism — impeding cloud service providers, multinational enterprises, and international financial institutions from establishing compliant Iraqi operations.
No cloud-specific regulation exists. GAP: No cloud services regulatory framework inhibits hyperscaler entry (AWS, Azure, GCP) and prevents Iraqi enterprises from adopting cloud infrastructure with regulatory certainty. The GSMA/CMC ICT whitepaper (2025) identifies cloud adoption as a mid-term priority but no implementing regulation has followed.
Priority 1: Provide technical assistance for enactment of a comprehensive Personal Data Protection Law modeled on international best practice (GDPR-aligned principles with proportionate local adaptation), including establishment of an independent Data Protection Authority. Priority 2: Develop a data center regulatory framework including Tier classification, power resilience standards, and open-access/carrier-neutral requirements for publicly-funded facilities. Priority 3: Establish a cross-border data transfer mechanism — mutual adequacy framework or standard contractual clauses — as a precondition for international cloud service deployment. Priority 4: Advocate against mandatory broad data localization, instead recommending risk-tiered approaches that localize only genuinely sensitive government/security data while permitting commercial data to flow under appropriate safeguards.
The CMC was established by CPA Order No. 65 (2004) as a "financially and administratively independent institution." Its mandate encompasses licensing telecommunications, broadcasting, and information services; frequency management; code of practice development; and consumer protection. The Iraqi Constitution (2005) recognizes the CMC as an independent authority not subordinate to any governmental entity. Section 5 of Order 65 requires the CMC to operate in accordance with principles of "objectivity, transparency, non-discrimination, proportionality, and adherence to established legal procedures" and to be guided by Article 19 of the ICCPR.
Despite its statutory independence, the CMC's actual independence has deteriorated significantly. Under the current constitutional arrangement, the Prime Minister has assumed the CPA-era authority to appoint the CMC's Director General and board members. The Washington Institute documented in detail how political capture has advanced:
The CMC Director General chosen in 2022, Ali Hussein al-Moayad, was reportedly a relative of the leader of the Hikma political movement (part of the Coordination Framework coalition). In August 2023, a leaked CMC letter showed al-Moayad ordering telecom providers to provide free SMS support for Hikma's political messaging. In 2024, three Sunni- and Kurdish-appointed CMC board members and one Shiite-appointed member were removed by instruction of Prime Minister al-Sudani. By November 2024, the acting board chair was Mahmoud al-Rubaie, who previously served as spokesman for the political office of Asaib Ahl al-Haq (designated as a terrorist organization by the United States). Five of six CMC board seats are now held by members aligned with the Coordination Framework/muqawama (resistance) militias. In February 2025, al-Moayad's resignation was accepted and Mohammed Abdallah Abdalamir al-Ghuraybawi became the new CMC head.
This represents GAP: CMC independence severely compromised by political appointment process. The regulator lacks structural safeguards against political interference — no fixed terms for commissioners, no transparent selection criteria, no parliamentary oversight of appointments, and no conflict-of-interest requirements.
GAP: Overlapping jurisdiction between CMC and MoC. The CMC licenses mobile operators; the MoC operates state-owned telecoms (ITPC, SCIS) and is establishing the National Mobile Company. The MoC has explicitly stated it has "no authority over mobile operators" (February 2025 statement during the Korek dispute), yet it controls the backbone infrastructure on which those operators depend. This creates a structural conflict: the MoC is simultaneously a market participant (through ITPC/SCIS/National Mobile Company) and the entity controlling the wholesale infrastructure that private competitors must access. The CMC lacks the authority or capacity to mediate this conflict effectively.
GAP: Insufficient technical and analytical capacity. The CMC does not publish market data, spectrum utilization reports, or quality-of-service benchmarks. No publicly available regulatory impact assessments accompany CMC decisions. Spectrum management decisions lack published technical methodology. The absence of transparent data prevents evidence-based policymaking and impedes investor due diligence.
GAP: Non-transparent regulatory process. The CMC does not conduct public consultations on regulatory decisions in a systematic, documented manner. Draft regulations (such as the digital content regulation and the digital platform framework) are published without structured comment-and-response processes. Enforcement actions (such as the Korek interconnection cut-off) are taken without published reasoning or appeal pathways. The December 2024 "directives" to media organizations to counter "the media machine of the usurping Zionist entity" illustrate the politicized nature of CMC communications that would be unthinkable from an independent regulator.
| Gap | Severity | Impact on Investment |
|---|---|---|
| Political capture of CMC appointments | High | Regulatory decisions subject to political/militia influence; investors cannot rely on rule-of-law consistency |
| CMC-MoC jurisdictional overlap | High | MoC as regulator, operator, and infrastructure gatekeeper creates irreconcilable conflicts of interest |
| No published market data or analysis | Medium | Investors lack reliable data for market sizing, business case development, and risk assessment |
| No public consultation process | Medium | Regulatory changes are unpredictable; stakeholders cannot influence policy formation |
| No regulatory appeals mechanism | High | Operators have no recourse against arbitrary CMC decisions; Korek dispute showed regulator acting as judge and enforcer simultaneously |
Priority 1: Condition sector-level engagement on governance reform roadmap including: fixed terms for CMC commissioners, transparent appointment criteria with professional competence requirements, parliamentary confirmation, and statutory cooling-off periods. Priority 2: Advocate for functional separation of the MoC's operational role (ITPC/SCIS/National Mobile Company) from the CMC's regulatory role — ideally through a Telecommunications Law that clearly delineates responsibilities. Priority 3: Fund technical capacity building: regulatory economics training, spectrum management systems, quality-of-service monitoring platforms, and market data collection/publication. Priority 4: Require structured public consultation processes for all material regulatory decisions, with published comment-and-response documents. Priority 5: Establish an independent regulatory appeals tribunal, or at minimum a clear judicial review pathway, for CMC licensing and enforcement decisions.
The following entities serve as nodes connecting regulatory conditions to market structure and investment opportunity. Each entity is typed for knowledge graph ingestion: REG (regulation/legal instrument), INST (institution/regulator), GAP (regulatory deficiency).
| Entity ID | Full Name | Dimensions |
|---|---|---|
| REG-001 | CPA Order No. 65 (2004) — Establishing the CMC | 1, 2, 3, 6 |
| REG-002 | Draft Telecommunications and Postal Law (2006+, un-enacted) | 1, 2, 6 |
| REG-003 | Iraqi Constitution (2005) — Articles 17, 38 | 4, 5, 6 |
| REG-004 | Iraqi Penal Code (1969) — Articles 229, 433, 437–438 | 4, 5 |
| REG-005 | Electronic Signature and Electronic Transactions Law (2012) | 4 |
| REG-006 | National Investment Law No. 13 (2006) | 4 |
| REG-007 | Banking Law No. 94 (2004) | 1, 5 |
| REG-008 | Anti-Money Laundering Law No. 39 (2015) | 1 |
| REG-009 | Electronic Payment Services Regulation No. 2 (2024) | 1, 5 |
| REG-010 | CMC Decision No. 2024/Q78 — Satellite Ground Station Licensing | 3 |
| REG-011 | CMC Framework Regulations for Digital Platforms and Services (2025) | 5 |
| REG-012 | Draft Personal Data Protection Law (2019, un-enacted) | 5 |
| REG-013 | Cabinet Resolution — 20% FTTH/Wi-Fi Service Fee (December 2025) | 2 |
| REG-014 | National Financial Inclusion Strategy (CBI, May 2025) | 1 |
| Entity ID | Full Name | Role |
|---|---|---|
| INST-001 | Communications and Media Commission (CMC) | Independent regulator — licensing, spectrum, broadcasting, digital platforms |
| INST-002 | Ministry of Communications (MoC) | Government ministry — infrastructure operator, policy formulation |
| INST-003 | Iraqi Telephone and Postal Company (ITPC) | State-owned — fiber backbone monopoly, microwave, WLL |
| INST-004 | State Company for Internet Services (SCIS) | State-owned — internet, DSL, government connectivity |
| INST-005 | Central Bank of Iraq (CBI) | Financial regulator — electronic payments, mobile money licensing |
| INST-006 | Zain Iraq | MNO — 53% market share, Kuwaiti-owned, Nokia partnership |
| INST-007 | Asiacell | MNO — 31% market share, Ooredoo/Qatar Telecom subsidiary |
| INST-008 | Korek Telecom | MNO — 15.7% market share, Kurdistan-origin, $1.3B government debt |
| INST-009 | National Mobile Company (planned) | State-backed 5G operator — MoC subsidiary, Vodafone partnership |
| INST-010 | SpaceX/Starlink | LEO satellite operator — in licensing negotiation |
| INST-011 | O3 Telecom | Kurdistan fiber gateway — sole Turkey import rights, KDP-linked |
| INST-012 | EarthLink Iraq | Largest private ISP — FTTH deployment partner |
| INST-013 | iQ Networks / Gulf Bridge International | Dark fibre IRU framework — Baghdad (January 2025) |
| INST-014 | IRAQ-IXP | First neutral Internet Exchange Point — 3rd largest in region |
| INST-015 | Huawei | Equipment vendor — presence across Iraqi operators |
| INST-016 | Nokia | Equipment vendor — Zain Iraq modernization partner |
| INST-017 | Ericsson | Equipment vendor — presence in Iraqi market |
| INST-018 | Vodafone International | Technology partner — National Mobile Company operator |
| INST-019 | EBRD | IFI — Iraq approved as economy of operation 2025; first investment $100M trade finance |
| Entity ID | Gap Description | Severity | Dim. |
|---|---|---|---|
| GAP-01 | Draft Telecom Law un-enacted (20+ years) | 1 | |
| GAP-02 | No national spectrum roadmap or auction framework | 1 | |
| GAP-03 | No mandatory infrastructure sharing regulation | 1, 2 | |
| GAP-04 | No small cell deployment framework | 1 | |
| GAP-05 | Competitive neutrality risk — state 5G operator | 1 | |
| GAP-06 | No integrated mobile money license pathway | 1 | |
| GAP-07 | ITPC fiber monopoly — no structural separation | 2 | |
| GAP-08 | No wholesale pricing regulation | 2 | |
| GAP-09 | No local loop unbundling | 2 | |
| GAP-10 | No duct/pole access rights | 2 | |
| GAP-11 | No dig-once policy | 2 | |
| GAP-12 | Kurdistan parallel backbone monopoly | 2 | |
| GAP-13 | No data center regulatory framework | 2, 5 | |
| GAP-14 | No LEO/NGSO satellite licensing framework | 3 | |
| GAP-15 | VSAT restricted to oil & gas | 3 | |
| GAP-16 | Non-transparent Starlink licensing conditions | 3 | |
| GAP-17 | No dedicated cybersecurity law | 4 | |
| GAP-18 | No high-risk vendor assessment framework | 4 | |
| GAP-19 | No mandatory operator security requirements | 4 | |
| GAP-20 | No national CERT/CSIRT | 4 | |
| GAP-21 | No comprehensive data protection law | 5 | |
| GAP-22 | No cross-border data transfer mechanism | 5 | |
| GAP-23 | No cloud services regulatory framework | 5 | |
| GAP-24 | CMC independence compromised by political appointments | 6 | |
| GAP-25 | CMC-MoC jurisdictional overlap / MoC conflict of interest | 6 | |
| GAP-26 | No published market data or regulatory analysis | 6 | |
| GAP-27 | No public consultation process | 6 | |
| GAP-28 | No regulatory appeals mechanism | 6 |