Cybersecurity · Antigua and Barbuda
Antigua and Barbuda's cybersecurity regime rests on sectoral legislation — principally the Electronic Crimes Act 2013 and the Data Protection Act 2013 — rather than a unified comprehensive cybersecurity law. There is no officially approved national cybersecurity strategy and no fully operational national CIRT, though both have been subjects of international capacity-building efforts. The country ranked Tier 5 (score 17.89/100) in the ITU Global Cybersecurity Index 2024, reflecting significant gaps across legal, technical, and organisational pillars.
The Electronic Crimes Act 2013 (No. 14 of 2013) criminalises unauthorised access to electronic systems, identity theft, electronic fraud, cyber-terrorism, and online child exploitation; it also grants law enforcement powers for data preservation, search and seizure, and real-time traffic-data collection.
An earlier statute criminalises unauthorised computer access, data theft, and distribution of malicious software; its scope is largely superseded by the Electronic Crimes Act 2013, but it remains on the books.
The Data Protection Act 2013 (No. 10 of 2013) establishes the Information Commissioner and imposes data-security obligations on data controllers, but does not mandate formal breach notification to the authority or affected individuals; notification remains discretionary rather than legally compelled.
Antigua and Barbuda has no officially approved national cybersecurity strategy and no recognised national CIRT; a CIRT readiness assessment was conducted with international support but a fully operational team has not been established.
The country scored 17.89/100 in the ITU Global Cybersecurity Index 2024, placing it in Tier 5 — the lowest tier in the Americas — indicating inadequate progress across legal, technical, organisational, capacity-building, and cooperation pillars.
Antigua and Barbuda hosted a regional cybersecurity exercise in April 2024 aimed at enhancing cyber readiness among small island states, and collaborates with OAS and ITU on capacity-building; no binding incident-reporting framework has emerged from these efforts.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.