Cybersecurity regulation in Albania (2026)

The Council of Ministers formally adopted Albania's second-generation national cybersecurity strategy, aligning with EU NIS2, eIDAS2, and the EUCC certification framework and covering both NATO and EU accession commitments. The accompanying three-year action plan operationalises the strategy's goals for building a secure digital ecosystem.

Parliament adopted a comprehensive data-protection law replacing the 2008 framework, introducing GDPR-equivalent principles including data-protection by design/default, mandatory 72-hour breach notification to the Commissioner, Data Protection Impact Assessments, DPO requirements, and fines up to ALL 20 million or 4 % of global turnover. The law entered into force on 31 January 2025.

Albania's Parliament enacted a new, comprehensive cybersecurity law (in force 3 May 2024) repealing Law 2/2017, classifying critical and important information infrastructures, imposing risk-management and incident-reporting obligations on entities in energy, finance, healthcare, telecoms and public administration, and empowering the National Cybersecurity Authority (AKSK) as the national CSIRT and supervisor. Administrative fines range from ALL 200,000 to ALL 10,000,000.

Hackers claiming affiliation with Homeland Justice — attributed by Albanian authorities to the Iranian government — hit INSTAT, disabling systems on 40 computers and claiming exfiltration of over 100 TB of geographic and population data; INSTAT immediately isolated its network and Albanian authorities confirmed census data from the 2023 census was unaffected. The attack marked a continuation of the Iran-Albania cyber conflict that began in 2022.

The Council of Ministers opened a month-long public consultation on the bill that would become Law 25/2024, signalling Albania's intent to transpose the EU NIS2 Directive as part of its EU accession commitments; the consultation closed 24 May 2023.

The US Cybersecurity and Infrastructure Security Agency and FBI released a joint advisory formally attributing both the July and September 2022 attacks on Albanian government systems to Iranian state cyber actors (IRGC-linked groups), detailing the use of ransomware-style file encryptors, disk-wiping malware, and initial access gained approximately 14 months before the destructive phase. The advisory provided TTPs and indicators of compromise for defenders worldwide.

Prime Minister Edi Rama announced Albania was cutting all diplomatic ties with Iran and ordering Iranian embassy staff to leave within 24 hours, citing 'indisputable evidence' of state-sponsored orchestration of the July cyberattack; this was the first time any country had severed diplomatic relations directly because of a cyberattack, setting a significant precedent in international cyber norms.

Albania formalised its first standalone five-year cybersecurity strategy, establishing priority pillars for legal-framework development, institutional capacity, public-private cooperation, and international alignment with NATO and EU standards; the strategy set the groundwork for the 2024 legislative reform.

Parliament enacted Albania's inaugural standalone cybersecurity statute, establishing the National Authority for Electronic Certification and Cybersecurity (AKCESK) as the central regulatory and CSIRT body, defining obligations for operators of critical and important information infrastructures, and creating a framework for incident reporting and sectoral CSIRTs; the law was aligned with EU NIS1 and remained in force until superseded by Law 25/2024.

Albania became one of the early state parties to the Council of Europe's Budapest Convention on Cybercrime — the primary international treaty governing cybercrime offences, procedural powers, and cross-border cooperation — embedding its obligations into domestic criminal law and laying the treaty-law foundation for all subsequent cybersecurity legislation.