Cybersecurity regulation in Barbados (2026)

The foundational cybercrime statute criminalises unauthorised access to computer systems, data interference, and abuse by authorised users; it contains both substantive penal rules and procedural provisions and was recognised by the Council of Europe as Barbados's primary cybercrime framework.

Would replace the CMA and align Barbados with the Budapest Convention, covering cyberbullying, malicious communications, denial-of-service attacks, and international cooperation; passed the House of Assembly February 2024, referred to a Joint Select Committee after controversy over speech-related clauses, with Senate consideration of the committee's report pending as of early 2025.

In force since March 2021, the Act requires data controllers to notify the Data Protection Commissioner within 72 hours of becoming aware of a personal data breach (unless risk to individuals is unlikely) and to inform affected individuals without undue delay; non-compliance exposes organisations to fines up to approximately USD 250,000 and criminal sentences of up to three years.

Barbados signed an agreement with the ITU to establish a National Computer Incident Response Team (CIRT) to detect and manage cyber-threats, providing the primary institutional mechanism for cyber-incident coordination at the national level.

Barbados has announced development of a National Cybersecurity Strategy and launched the Cyber Nations Training Initiative in January 2023 to build workforce capacity, but as of available reporting no formally adopted national cybersecurity strategy document has been confirmed.

No enacted statute imposes sector-neutral cybersecurity risk-management or incident-reporting obligations on critical-infrastructure operators analogous to the EU NIS2 Directive; financial-sector guidance from the Central Bank of Barbados addresses cyber risks but does not constitute a statutory mandate.