Cybersecurity regulation in Cape Verde (2026)

Decreto-Lei n.º 9/2021 of 29 January 2021 enacted a general legal regime for cybersecurity applicable to public administration, critical infrastructure operators, essential service operators, and digital service providers. It establishes mandatory security measures, incident-reporting obligations, and penalties (fines of CVE 20,000–1,000,000 depending on actor type).

The same decree established the Centro Nacional de Cibersegurança (CNCS) for strategic oversight and Decreto Regulamentar n.º 1/2021 created CSIRT.CV as the national computer security incident response team for both public and private entities. A national Security Operations Centre (SOC) was subsequently activated within the State's Private Technological Network (RTPE).

Law n.º 8/IX/2017 (in force March 2017) establishes substantive and procedural criminal law covering cybercrime offences and electronic evidence, developed in alignment with the Budapest Convention. Cabo Verde is one of a small group of African states to have ratified the Budapest Convention.

Under Law n.º 121/IX/2021 (amended Data Protection Law), data controllers must notify the national data protection authority (CNPD) of personal data breaches within 72 hours of becoming aware, unless the breach poses no risk. High-risk breaches must also be communicated to affected data subjects. The CNCS regime additionally requires notification of cybersecurity incidents with significant impact.

A National Cybersecurity Strategy was adopted in February 2016 as a four-year plan identifying legislative, institutional, and operational priorities. Its implementation led to the 2017 cybercrime law and the 2021 cybersecurity decree-law. Cabo Verde's ITU Global Cybersecurity Index ranking improved by 27 positions following the 2021 reforms.

Cabo Verde is party to the Budapest Convention on Cybercrime and an ECOWAS member bound by the 2021 ECOWAS Regional Cybersecurity and Cybercrime Strategy. Cabo Verde also participated in the African Union Malabo Convention process. Ongoing capacity-building programmes (e.g., LuxDev training, 2023–2024) support implementation.