Your QR code is about to cross borders. Is it protected?

WorldTechnology
15 Jul 2026 • 12:05 AM MYT
The Manila Times
The Manila Times

One of the longest-running English broadsheets in the Philippines

Your QR code is about to cross borders. Is it protected?

TRY a small experiment. Count the number of times you touched a screen today to get something essential done. You paid for breakfast with a QR code. You checked if your salary had landed in your bank app. You booked a ride. You messaged a relative abroad who sends money home. You beat the deadline on an online government transaction.

None of that is magic. Behind every tap is a computer system: the bank’s payment switch, the telco’s network, the power grid’s control room, the airport’s check-in system, the government’s databases. These systems have a formal name in law and policy: critical information infrastructure, or CII. The definition sounds technical, but the idea is simple. CII is any computer system so important that if it goes down, ordinary life goes down with it.

We already know how this feels. When a bank’s app freezes on payday, tempers flare in every GCash-adjacent household in the country. When an airline’s check-in system fails, thousands sleep in terminals. When a telco outage hits, businesses lose a day of sales. Now imagine those failures caused not by accident but by attack, aimed at the systems that run our power, water, hospitals and elections. That is the problem that CII protection, or CIIP, exists to solve.

Why raise this now? Because of a date: November 2026. That is when Asean leaders are expected to sign the Digital Economy Framework Agreement, or DEFA, the world’s first regionwide digital economy agreement. Negotiations finished in Manila last May. The signing is set for the Asean Summit, during the year the Philippines chairs the association.

DEFA is good news for ordinary people. In plain terms, it aims to make the digital economy of 11 Southeast Asian countries work like one market. Your QR code should work in Bangkok the way it works in Baclaran. A small online seller in Cebu should reach buyers in Vietnam as easily as buyers in the Visayas. Trade documents should move between customs offices electronically, without the paper chase. Studies say this could more than double the region’s digital economy by 2030. Some of that money should land in Filipino pockets.

But here is the part the press releases will not dwell on. When you connect 11 economies through shared digital rails, you also connect their risks. The payment link that lets you pay in Bangkok means that a failure in one country’s payment switch can interrupt transactions from every connected country. The electronic customs window that speeds up trade means an attack on one member’s system can stall cargo at everyone’s borders. The undersea cables that carry the region’s internet serve several countries at once; damage one, and many feel it.

In other words: The more we integrate, the more your day depends on the security of a computer system in another country, run by people you will never meet, under laws your Congress never passed. That is not a reason to fear DEFA. It is a reason to take CIIP seriously before the ink dries.

Our neighbors have been doing exactly that. Singapore has had a CII law since 2018 and strengthened it just last year. Malaysia’s law took effect in 2024. Thailand has had one since 2019. Vietnam’s new cybersecurity law took effect this July. Even Laos passed its first cybersecurity law in 2025. Across the region, governments now designate critical systems by law, require their operators to meet security standards, and require them to report attacks within hours.

And the Philippines? We have a national cybersecurity plan and agency circulars, but no CII law in force. The good news is that the proposed Cybersecurity and Critical Information Infrastructure Protection Act, consolidating 28 bills, was approved at the House committee level last May. It would name a national authority to designate our critical systems, set duties for the companies that run them, and require them to disclose serious incidents instead of keeping quiet. Congress should pass it, and pass it well, before we plug ourselves deeper into the region’s shared rails.

There is a regional task, too. Every Asean member now protects its critical systems, but each in its own words, on its own clock. One country requires attack reports in two hours, another in six, another in 24. And no country’s law requires telling a neighbor when an incident spills across the border, even though, as we have seen, incidents will not respect borders. Asean has a guidance document for this, the Asean CIIP Framework, but it was written before the QR linkages, before the cloud boom, and before DEFA. It deserves an update: common definitions, a common way to classify and report incidents, and a simple promise that neighbors will warn each other. All voluntary, all respectful of each country’s sovereignty, in the Asean way.

The Philippines chairs Asean this year. The DEFA signing will happen on our watch. We are well placed to propose that the region update its CIIP playbook at the same time it opens its digital market, so that the protection grows with the connection.

Think of DEFA as a grand new building for the region’s digital economy: bigger doors, more visitors, more business for everyone. CIIP is the fire code, the sprinklers, and the locks. No sane builder opens the doors first and installs the fire exits later.

We are about to sign up for a more connected digital life. Connection is only a blessing when the things we connect are protected. Pass the law. Update the playbook. Then sign with confidence in November.

Newswav Malaysia Best News App

Newswav is an online content aggregator and obtains its content from different online sources. The content in the app do not belong to Newswav nor do they reflect the opinions of Newswav and its staff. Your use of this app indicates your understanding and acceptance of this information.

Newswav Sdn. Bhd. (201701008480 (1222645-M)) 2026 All Rights Reserved