Cybersecurity regulation in British Virgin Islands (2026)

The CMCA 2014, amended in 2019, criminalises unauthorised computer access, data interference, identity theft, cyberbullying, and electronic defamation. It is primarily a criminal-law instrument rather than a preventive or incident-reporting regime.

A further Computer Misuse and Cybercrime (Amendment) Bill, 2024 was presented to the House of Assembly in January 2025, aiming to broaden offence definitions and align with international standards to avoid blacklisting; its enactment status was pending as of early 2025.

The DPA (in force 9 July 2021) requires data controllers to implement appropriate technical and organisational security measures to protect personal data, broadly tracking UK/EU standards; however, it contains no mandatory breach-notification obligations to regulators or data subjects.

The DPA does not require data controllers to notify BVI's Information Commissioner or affected individuals of personal data breaches. Voluntary notification is recommended where harm to data subjects is likely, but no statutory deadline or threshold exists.

The BVI Financial Services Commission expects regulated financial entities to maintain robust IT security and may require security audits, but there is no standalone, prescriptive cybersecurity regulation for the financial sector equivalent to EU DORA or similar frameworks.

BVI has enacted no legislation governing cybersecurity for critical infrastructure operators, no sector-wide incident-reporting mandate, and no national cybersecurity authority or strategy equivalent to NIS2 or similar regional frameworks.