Israel's privacy law just grew teeth.
Amendment 13 to Israel's Protection of Privacy Law took effect on 14 August 2025 — the most sweeping rewrite of the country's data-protection regime since 1981. The Privacy Protection Authority (PPA) can now impose monetary sanctions in the millions of shekels, demand a mandatory Data Protection Officer (DPO), order processing suspensions, and open criminal investigations.
01 The pain
On 14 August 2025, the privacy regime for Israeli companies changed overnight. A Ramat Gan fintech with 80,000 user records. A Petah Tikva clinic with twelve years of patient files. A Tel Aviv business-software firm tracking trial sign-ups. Amendment 13 to the Protection of Privacy Law took effect that day, the most sweeping rewrite of Israeli data-protection rules since 1981, handing the Privacy Protection Authority (PPA, the Israeli data-protection regulator) the power to impose monetary sanctions reaching millions of shekels and to demand a Data Protection Officer (DPO) inside any organisation whose core activity involves large-scale processing or systematic monitoring.[1]
The compliance load lands as a recurring drumbeat: ten distinct duties spanning annual database-definition updates, security-procedure reviews, 18-month penetration tests, quarterly incident reviews, refreshed consent forms, data-flow mapping across HR (human-resources) systems and cloud apps, staff training, vendor agreements, and breach notification to the PPA.[2] Administrative fines reach millions of shekels for sensitive-data or large-database breaches; civil claims add up to NIS 100,000 (New Israeli Shekel, ≈€25,000) per affected individual on top.[4] Missing a single risk assessment or penetration test alone costs NIS 320,000 (≈€80,000) per violation.[3]
Healthcare, fintech and HR-tech firms get the strictest treatment, since they hold biometric, financial and employee data at scale. The PPA can also order processing suspensions and open criminal investigations. The DPO chair is no longer a recommendation.[4]
Further reading
- 1 IAPP — "Israel marks a new era in privacy law: Amendment 13 ushers in sweeping reform" (effective date, PPA powers, DPO requirement, English): iapp.org
- 2 Gornitzky & Co. — "Privacy Protection in 2025: 10 steps to navigate the implementation of obligations" (the ten-item compliance drumbeat, English): gornitzky.com
- 3 BigID — "What Israel's Amendment 13 means for businesses in 2025" (per-violation NIS 320,000 figure for missed risk assessment, vendor self-marketed compliance capabilities, English): bigid.com
- 4 Safetica — "Israel's Amendment 13: what the new data protection law means for your business" (millions-of-shekels administrative fine band, NIS 100,000 civil-claim figure, sector exposure, English): safetica.com
02 Who solves this today
Three vendors and firms that name Israel's Amendment 13 (or the country's Privacy Protection Law / mandatory DPO obligation) on their own pages — the route a mid-market Israeli employer actually takes when its general counsel sends back the question "who do we hire?" Each was checked live on the date of writing. The list is intentionally narrow.
Listed providers publicly market to the Israel Amendment 13 / Israeli Data Protection Officer / Israeli privacy-compliance niche on their own pages. Inclusion is not endorsement.
Adjacent vendors and firms were considered and excluded where their public homepage did not explicitly name the niche at the date of writing:
- OneTrust (onetrust.com) returned HTTP 200 but the homepage marketed only generic GDPR / DORA / EU AI Act compliance with no reference to Israeli law, so it was dropped per the named-niche-on-homepage rule.
- Securiti.ai (securiti.ai) returned HTTP 200 but the homepage listed only GDPR / CPRA / LGPD / PIPEDA / PIPL / EU AI Act and named no Israeli regulation, so it was dropped (an attempted Amendment 13 blog URL returned HTTP 404).
- DataGuard (dataguard.com) returned HTTP 200 but the homepage covered GDPR / ISO 27001 / TISAX / NIS2 / EU AI Act with no Israel-specific service line, so it was dropped.
- Herzog Fox & Neeman (herzoglaw.co.il) returned HTTP 404 on the cyber-data-protection-and-privacy practice URL probed and the niche could not be confirmed at the front-page level, so it was dropped pending re-check.
- Gornitzky & Co. (gornitzky.com) returned HTTP 404 on the cyber-privacy-and-data-protection practice URL probed and the front-page niche reference could not be confirmed, so the firm is referenced in section 01 as the author of the cited 10-step practitioner guide rather than listed as a third-party solution provider.
- Cookiebot / Usercentrics, ComplyCloud, Cyberint, Komrad, ITGRC, Goldfarb Seligman, FBC and Gross GKH were considered but either did not surface a public Amendment 13 / Israeli-DPO service page on their homepage at the date of writing or could not be reached for verification, so all were dropped pending re-check.
The Privacy Protection Authority — the regulator publishing the Amendment 13 guidance and enforcement notices — is referenced in section 01 as the rule-maker rather than listed as a third-party solution.
IAPP, Gornitzky & Co., BigID and Safetica are referenced in section 01 as advisory and trade-press citations as well; BigID and Safetica double as solution providers because their own front-line resources self-market specific Amendment 13 capabilities.
Listed companies — manage your entry. If you are one of the providers above and anything here is wrong, missing, or out of date — or you'd rather not be listed — write to us. Removal within 24 hours; corrections within 7 business days. We do not contact listed companies first; we publish what your own public marketing claims and respond when you reach out. Email contact@aikraft.com.