Cybersecurity regulation in Andorra (2026)

Andorra's National Cybersecurity Agency (ANC-AD) and Spain's National Cybersecurity Institute (INCIBE) signed a four-year renewable agreement covering incident-prevention, information sharing, best-practice exchange, and joint support for critical infrastructure. The pact fulfils a key deliverable of Andorra's national Digital Transformation Strategy and extends its bilateral cybersecurity partnerships beyond CSIRT-level cooperation.

The National Cybersecurity Agency released Andorra's first multi-year national cybersecurity strategy, setting objectives across prevention, detection, response, and recovery while addressing AI, cloud, and blockchain resilience. The strategy formally designates ANC-AD as the competent national authority and CSIRT-AD as the point of coordination for all cyber incidents.

Andorra deposited instruments of ratification of the amending Protocol to Convention 108 (Convention 108+), updating its commitment to the Council of Europe's data-protection treaty with GDPR-era requirements on risk-based security, data minimisation, and cross-border transfer safeguards. Andorra was the 20th state to ratify the modernised treaty.

Decree 368/2022 (14 September) established the operational regulations of the APDA, and Decree 391/2022 (28 September) set the implementing rules for Law 29/2021, operationalising breach-notification timelines, DPO appointment criteria, and technical/organisational security measures required of controllers and processors.

Andorra's parliament passed its first standalone cybersecurity law, transposing EU NIS Directive 2016/1148 and creating the National Cybersecurity Agency (ANC-AD) and the national CSIRT-AD. The law imposes mandatory security obligations and incident-notification requirements on operators of essential services and digital service providers.

At the Council of Europe Ministerial Meeting in Turin, Andorra became the 23rd state to sign the Second Additional Protocol to the Budapest Convention, which establishes enhanced cross-border mechanisms for disclosure of electronic evidence in criminal investigations. Ratification would bind operators to disclose subscriber and traffic data to foreign authorities under mutual legal assistance frameworks.

Andorra's Qualified Personal Data Protection Law, enacted 28 October 2021 and published in BOPA no. 119 on 17 November 2021, became fully effective. It replaced the 2003 act, aligned national rules with GDPR, and imposed binding technical and organisational security obligations, DPO appointments, and breach notifications to the APDA on all public and private processors.

Sustained DDoS attacks peaking at 100 Gbps targeted Andorra Telecom — the country's sole ISP — reducing national connectivity to approximately 37.5% for over 30 minutes, with attacks continuing daily for several days thereafter. Linked to a DDoS-for-hire service targeting players in the SquidCraft Minecraft tournament, the incident exposed the systemic risk of a single-ISP national infrastructure and accelerated work on Law 22/2022.

Andorra enacted a comprehensive privacy law closely modelled on the EU GDPR, requiring risk-based security measures, data-protection impact assessments, and mandatory breach notification to the APDA. The law replaced the 2003 act and became the primary instrument governing cybersecurity obligations for personal data held by private and public entities.

The General Council passed Andorra's foundational data-protection statute, modelled on Spain's 1999 LOPD, establishing the Andorran Data Protection Agency (APDA, operational from 2004) and imposing security obligations on data controllers. This law created the institutional framework — including security measures and controller registration — that underpins all subsequent cybersecurity regulation in the Principality.