Cybersecurity · Bolivia
Cybersecurity regulation in Bolivia (2026)
Bolivia shaded by its cybersecurity status
Bolivia has no comprehensive cybersecurity law; its operative framework is built on sectoral and public-sector-specific rules. AGETIC (the digital-government agency) operates the CGII national incident response centre, which mandates 24-hour incident reporting by all public entities. A national cybersecurity strategy is under development with EU/LAC4 support, and a data-protection bill remains pending in Congress.
Key points
AGETIC (Agencia de Gobierno Electrónico y Tecnologías de Información y Comunicación), established by Supreme Decree No. 2514 (2015) under Law No. 164, is Bolivia's central digital-government and cybersecurity body. Its CGII (Centro de Gestión de Incidentes Informáticos) functions as the national computer incident response team for the public sector.
All public-sector information security officers must notify the CGII of cybersecurity incidents within 24 hours of discovery. This is the principal breach/incident notification duty currently in force and applies exclusively to state entities; no equivalent private-sector obligation exists.
Supreme Decree No. 5468 (1 October 2025) approved the updated Electronic Government Implementation Plan (PIGE 2025–2028), which designates cybersecurity and incident management as one of three strategic pillars and requires each public entity to maintain an Institutional Information Security Plan.
Chapter XI of Bolivia's Criminal Code (as amended, 1997) criminalises unauthorised access, manipulation, and illegal acquisition of computer data. There is no standalone cybercrime statute; these provisions are embedded in the general penal code and are the only criminal-law recourse for cyber incidents against private actors.
Bolivia has no general personal data protection law and no NIS2-equivalent cybersecurity statute. Multiple data-protection bills have been proposed but remain stalled in Congress. Bolivia also missed the Andean Community's July 2024 deadline requiring member states to align domestic legislation with community cybersecurity guidelines.
Bolivia launched a national cybersecurity strategy development and implementation process in December 2024 with technical support from the EU-funded LAC4 programme. No national cybersecurity strategy has been formally adopted as of mid-2026; the process remains ongoing.
Timeline - major decisions & events
Bolivia enacted DS 5468 to update its Electronic Government Plan through 2028, adding a dedicated cybersecurity and incident-management pillar alongside digital sovereignty and interoperability objectives; all Executive Branch entities must align their institutional security plans with CGII guidelines.
LexiVox — DS 5468 text ↗President Luis Arce signed Bolivia's Agenda Digital 2030, a medium-term public policy instrument managed by AGETIC; cybersecurity and incident management are among its five strategic pillars, binding the Executive Branch to prioritise secure, sovereign digital infrastructure through 2030.
AGETIC (official) ↗Bolivia failed to enact domestic legislation by the two-year deadline set by Andean Community Decision 897; because the decision has supra-national legal force above domestic law, the lapse left Bolivian telecoms users without the enforceable personal-data, security, and network-neutrality protections the framework requires.
Andean Community (official) ↗LockBit ransomware actors compromised AXS Bolivia, a web-hosting and internet-services provider, exfiltrating customer data; the incident exposed the absence of mandatory private-sector cybersecurity obligations in Bolivia's legal framework.
BreachSense ↗AGETIC circulated Bolivia's first serious draft Personal Data Protection Bill, aimed at closing the Andean Community compliance gap and establishing an independent supervisory authority; as of 2025 the bill had not been enacted by the legislature.
AGETIC (official) ↗DS 3251 approved Bolivia's first formal Electronic Government Plan and mandatory Free/Open-Source Software Policy, providing the strategic framework under which AGETIC coordinates public-sector digital security standards and e-government services across all ministries.
Obras Públicas Bolivia — DS 3251 text (official) ↗The most significant cybersecurity governance milestone: DS 2514 created AGETIC as the central e-government authority and established the CGII as Bolivia's national CSIRT; it mandated every public entity to maintain an Institutional Information Security Plan and report incidents to CGII within 24 hours of discovery.
CGII / AGETIC (official) ↗DS 1793 issued the operational regulation for Law 164, governing digital certification authorities, electronic signatures, e-government services, and mandatory use of free software in public administration — establishing the technical-legal backbone for state cybersecurity practices.
LexiVox — DS 1793 text ↗Law 164 is the foundational statute for Bolivia's digital regulation: it established the legal basis for e-commerce, electronic signatures, and digital communications, and introduced cybercrime offences into the Penal Code (Arts. 179 bis, 363 bis, 363 ter) covering unauthorised access, data manipulation, and ICT sabotage.
Ministry of Education Bolivia (official) ↗Bolivia's new Political Constitution expressly recognised the right to privacy and intimacy, inviolability of communications, and informational self-determination (habeas data action), providing the constitutional foundation upon which all subsequent cybersecurity and data-protection obligations rest.
LexiVox — Constitution text ↗Bolivia - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →