Cybersecurity - Cameroon

Law No. 2010/012 of 21 December 2010 criminalises unauthorised access, data/system interference, digital fraud, identity theft, and child sexual abuse material; it also establishes the legal regime for electronic evidence, cryptography, and certification. Penalties apply to both individuals and corporate entities.

ANTIC regulates electronic security activities, operates Cameroon's Public Key Infrastructure, and runs a Computer Incident Response Team (CIRT) that processes approximately 200 GB of threat data and handles around 200 urgent cyber-related judicial requisitions daily.

Law No. 2022/002 of 27 April 2022 authorised accession to the Budapest Convention on Cybercrime; Decree No. 2022/169 of 23 May 2022 proclaimed accession, bringing Cameroon's procedural and international-cooperation provisions into alignment with the Convention.

Law No. 2024/017 of 23 December 2024 requires data controllers and processors to notify the data protection authority and affected data subjects 'immediately' upon becoming aware of any breach (all breaches, not only serious ones). Controllers and processors are jointly and severally liable for unlawful disclosure. An 18-month compliance grace period runs until 23 June 2026.

Under Law No. 2010/012, network operators and electronic service providers must submit to mandatory security audits overseen by ANTIC. Since January 2024, ANTIC's audits of public administrations and private companies identified 8,502 vulnerabilities, illustrating active enforcement of these obligations.

The Council of Europe's Octopus Country Wiki notes that Cameroon has not yet adopted a dedicated national cybersecurity strategy document, a gap also identified in academic assessments of its cybersecurity resilience, even though operational capacities (CIRT, ANTIC) are in place.