Cybersecurity - Andorra
Andorra enacted Law 22/2022 on 9 June 2022, establishing a horizontal cybersecurity framework for networks and information systems aligned with EU NIS Directive 2016/1148. The National Cybersecurity Agency (ANC-AD) acts as the competent authority, overseeing CSIRT-AD for incident response and supervising compliance across critical operators. As a non-EU microstate, Andorra is not directly bound by NIS2 but has voluntarily aligned its 2022 regime with the earlier NIS1 framework.
Approved by the General Council on 9 June 2022, Law 22/2022 establishes mandatory security obligations for operators of essential services and digital service providers, modelled on EU Directive 2016/1148 (NIS1). It requires critical operators to implement risk-based security plans and report significant incidents.
ANC-AD is the designated national competent authority under Law 22/2022. It ensures regulatory compliance, provides risk-assessment methodologies and tools to critical operators, and advises public and private entities on security planning.
The Computer Security Incident Response Team (CSIRT-AD), overseen by ANC-AD, serves as the national point of contact for cyber incident reporting and response. It coordinates with authorities, operators, and international partners. In 2025, ANC-AD managed 1,624 reported incidents, up 5.6% from 2024.
Law 29/2021 (Qualified Personal Data Protection Law, LQPD), in force since 17 May 2022, requires data controllers to notify the Andorran Data Protection Agency (APDA) of personal data breaches within 72 hours. Where there is high risk to data subjects, direct notification to affected individuals is also mandatory.
The Andorran Financial Authority (AFA) supervises banks' compliance with Law 22/2022 cybersecurity requirements. Banks must self-identify as critical or essential institutions and implement measures to manage digital risks associated with critical infrastructure, consistent with AFA's broader supervisory mandate.
Andorra is not an EU Member State and is therefore not legally bound by NIS2 (Directive 2022/2555). No publicly announced legislative initiative to align with NIS2 has been identified as of May 2026; the Law 22/2022 / NIS1-aligned framework remains in force.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.