Cybersecurity regulation in Burundi (2026)

Law N°1/10 of 16 March 2022 is Burundi's primary cybersecurity instrument, comprising 70 articles across eight chapters covering offences against the confidentiality, integrity and availability of data and systems, obligations on electronic service providers and network operators, and state-security-related cyber offences.

Law N°1/03 of 10 March 2026 was adopted unanimously by the National Assembly on 15 January 2026 and promulgated on 10 March 2026. It establishes differentiated protection regimes for personal data and creates an independent administrative authority (a national data protection authority) responsible for oversight and enforcement, filling the prior absence of dedicated data protection legislation.

Law N°1/22 of 22 August 2024 consolidates the regulatory framework for electronic communications, imposing obligations on operators relevant to network security and integrity, and vesting ARCT with enforcement authority over the telecoms sector.

Under the pre-2026 regime there were no specific data breach notification requirements in Burundi. The 2026 Data Protection Law introduces new personal-data obligations compatible with the Penal Code and the 2022 Cybercrime Law; formal breach-notification implementing rules are pending the establishment of the new supervisory authority.

The Agence de Régulation et de Contrôle des Télécommunications (ARCT) is the competent authority for telecommunications and digital regulation in Burundi; it publishes and enforces the cybercrime and communications laws and coordinates regulatory reforms.

Burundi has not enacted a standalone, horizontal cybersecurity law (akin to NIS2 or a dedicated national cybersecurity strategy with critical-infrastructure protection mandates). The Council of Europe's Octopus profile confirms the absence of a formal national CSIRT/CERT; Burundi's cyber-resilience capacity remains nascent.