Cybersecurity - Bolivia

AGETIC (Agencia de Gobierno Electrónico y Tecnologías de Información y Comunicación), established by Supreme Decree No. 2514 (2015) under Law No. 164, is Bolivia's central digital-government and cybersecurity body. Its CGII (Centro de Gestión de Incidentes Informáticos) functions as the national computer incident response team for the public sector.

All public-sector information security officers must notify the CGII of cybersecurity incidents within 24 hours of discovery. This is the principal breach/incident notification duty currently in force and applies exclusively to state entities; no equivalent private-sector obligation exists.

Supreme Decree No. 5468 (1 October 2025) approved the updated Electronic Government Implementation Plan (PIGE 2025–2028), which designates cybersecurity and incident management as one of three strategic pillars and requires each public entity to maintain an Institutional Information Security Plan.

Chapter XI of Bolivia's Criminal Code (as amended, 1997) criminalises unauthorised access, manipulation, and illegal acquisition of computer data. There is no standalone cybercrime statute; these provisions are embedded in the general penal code and are the only criminal-law recourse for cyber incidents against private actors.

Bolivia has no general personal data protection law and no NIS2-equivalent cybersecurity statute. Multiple data-protection bills have been proposed but remain stalled in Congress. Bolivia also missed the Andean Community's July 2024 deadline requiring member states to align domestic legislation with community cybersecurity guidelines.

Bolivia launched a national cybersecurity strategy development and implementation process in December 2024 with technical support from the EU-funded LAC4 programme. No national cybersecurity strategy has been formally adopted as of mid-2026; the process remains ongoing.