Cybersecurity regulation in Bahamas (2026)
The Bahamas relies on a fragmented set of domain-specific laws — principally the Computer Misuse Act 2003 and Data Protection Act 2003 — rather than a single comprehensive cybersecurity statute. There is currently no mandatory breach-notification or incident-reporting duty, though a Data Protection Bill 2025 under parliamentary consideration would introduce GDPR-inspired requirements including mandatory breach notification. A Cabinet-approved National Cybersecurity Strategy was launched in December 2024, establishing a policy road-map but not yet backed by new primary legislation.
Key points
The Computer Misuse Act 2003 is the sole Bahamian law addressing cybercrime directly, criminalising unauthorised access, modification, and interception of computer systems, as well as disclosure of access codes. It carries extraterritorial jurisdiction when either the accused or the affected computer was in The Bahamas at the time of the offence.
Under the Data Protection Act 2003, data controllers must implement appropriate technical and organisational security measures, but there is currently no statutory obligation to notify the Data Protection Commissioner or affected individuals of a data breach. The Commissioner has issued voluntary guidance on managing security breaches.
The Data Protection Bill 2025, a draft bill tabled in Parliament in 2025, would repeal and replace the 2003 DPA with a GDPR-inspired regime covering biometrics, AI, cloud computing, and digital assets. It explicitly introduces a 'Notification of breach of personal data' obligation and establishes a statutory Office of the Data Protection Commissioner.
The Cabinet-approved National Cybersecurity Strategy, launched at a December 2024 workshop, sets out five pillars: cybersecurity governance, national incident prevention and response, critical information infrastructure protection, cybersecurity awareness and skills, and international cooperation. It is a policy instrument, not a binding legal framework.
The ECTA governs electronic signatures, data retention for communications, intermediary liability, and electronic evidence. It complements but does not substitute for dedicated cybersecurity legislation; ISPs and hosts receive limited safe-harbour protections.
The Bahamas is listed in the Council of Europe Octopus Cybercrime Community as an observer but has not ratified the Budapest Convention on Cybercrime. It has engaged with the OAS, ITU, and US Embassy for technical assistance in developing its cybersecurity strategy and a national CERT.
Timeline - major decisions & events
The Bahamas laid the Data Protection Bill 2025 before Parliament to repeal and replace the 2003 Act with a GDPR-inspired framework covering breach notification, cross-border data-transfer controls, a strengthened Data Protection Commissioner's office, and provisions for AI, biometrics, and cloud computing. The lower chamber passed the draft; phased commencement by ministerial notice is anticipated.
Source: Bahamas Laws (Official Gazette)

The Cabinet-approved National Cybersecurity Strategy was publicly launched at a multi-day workshop (3–6 December, Nassau) co-supported by the U.S. Embassy, CISA, and MITRE, setting five strategic pillars to guide Bahamian cyber resilience. CIRT-BS was designated as the primary implementation authority.
Source: Magnetic Media TV

Parliament enacted the Digital Assets and Registered Exchanges Act 2024, replacing the 2020 version; it extended the Securities Commission's jurisdiction to cover custody, staking, and derivatives and imposed stringent systems-and-controls/cybersecurity requirements on all registered digital-asset businesses operating in or from The Bahamas.
Source: Securities Commission of The Bahamas

The National Computer Incident Response Team commenced full public services — incident management, vulnerability assessments, and awareness training — and The Bahamas became the first English-speaking Caribbean nation admitted to the global Forum of Incident Response and Security Teams (FIRST), cementing its regional coordination role.
Source: Caribbean Development Portal (UN ECLAC)

The Government officially launched the National Computer Incident Response Team (CIRT-BS) on 14 December 2023, creating the country's first national cyber-incident response body under the Office of the Prime Minister, responsible for real-time monitoring and coordinated public/private-sector response to cyberattacks.
Source: Cybil Portal (ITU/GFCE)

During FTX's bankruptcy, approximately $400 million in crypto was drained from FTX wallets in a disputed incident; the Securities Commission of The Bahamas acknowledged directing a separate transfer of ~$3.5 billion in digital assets to a government-controlled wallet. The episode exposed catastrophic cybersecurity deficiencies at FTX (keys stored in plaintext, no wallet inventory) and stress-tested Bahamian regulatory response capabilities under global scrutiny.
Source: BankInfoSecurity

Parliament enacted the first DARE Act, making The Bahamas one of the earliest jurisdictions to establish a comprehensive regulatory framework for digital-asset businesses, requiring mandatory registration with the Securities Commission and imposing cybersecurity, AML/CFT, and systems-controls obligations on exchanges and token issuers.
Source: Securities Commission of The Bahamas

The Central Bank of The Bahamas published sector-wide Technology Risk Management Guidelines mandating board-level IT-risk oversight, cybersecurity controls (strong card authentication, encryption, patch management), business-continuity planning, and customer-data protection for all regulated financial institutions — the principal cybersecurity compliance instrument for the Bahamian financial sector.
Source: Central Bank of The Bahamas

The Ministry of National Security merged the Tracing & Forfeiture Section and Commercial Crime Section into a new RBPF Cyber Security Unit staffed by trained cyber investigators and forensic specialists (partly trained by U.S. federal law enforcement agencies), giving The Bahamas its first dedicated law-enforcement capability for cybercrime investigation.
Source: Magnetic Media TV

The Data Protection (Privacy of Personal Information) Act 2003 was brought into force in 2007, activating obligations on data controllers to collect, process, and securely store personal data lawfully, and empowering the Data Protection Commissioner to investigate breaches and enforce compliance across public and private sectors.
Source: Bahamas Laws (Official Gazette)

The Computer Misuse Act, enacted April 2003 and brought into force June 2003, became The Bahamas' principal cybercrime law, criminalising unauthorised computer access, interception, modification, and disclosure of access codes; it applies extraterritorially and remains the primary statute under which cybercrime offences are charged.
Source: Council of Europe Octopus Cybercrime Community

The ECTA gave electronic signatures and records legal equivalence with paper instruments, established data-retention rules for electronic communications, and granted limited liability protections to ISPs and intermediaries — forming the foundational legal infrastructure for e-commerce trust and cybersecurity obligations across the Bahamian digital economy.
Source: Bahamas Laws (Official Gazette)
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.