Cybersecurity regulation in Central African Republic (2026)

Loi No. 24/001, enacted January 2024, establishes obligations for data controllers and processors, defines individual rights over personal data, and applies to any processing within CAR or with effects on its territory. A data protection authority is to be established within 12 months by the Ministry of Digital Economy, Posts and Telecommunications, but had not yet been operationalised as of 2025.

A law passed shortly after Loi 24/001 in early 2024 created the Agence Nationale de la Cybersécurité (ANCY), placed under joint supervision of the Ministry of Public Security and the Ministry of Digital Economy. ANCY is mandated to monitor information system security, manage cyber alerts, and regulate the sector — the first such dedicated body in CAR's history.

As of January 2024, a dedicated draft law on cybercrime and cybersecurity was under parliamentary consideration, aimed at penalising offences such as hate speech, defamation, and disinformation on digital platforms. Final adoption status into binding law could not be confirmed from official government sources as of mid-2026.

Loi 24/001 mandates data controllers to notify the (forthcoming) data protection authority of a personal data breach without undue delay, with disclosure of the nature of the breach, categories of data affected, and risk-mitigation guidance. Notification obligations toward affected individuals are also established, but operationalisation is contingent on the authority being set up.

As an ECCAS member state, CAR adopted the Brazzaville Declaration in December 2016, a non-binding commitment to harmonise national policies on telecommunications, cybersecurity, and cross-border interconnection across the Central African subregion, developed with ECA and ITU technical support.

The ITU Global Cybersecurity Index 2024 placed the Central African Republic in Tier 5 (the lowest tier), alongside Burundi, Eritrea, and Guinea-Bissau, with a score of 4.76/100. The assessment found severe deficiencies in legal, organisational, and technical cybersecurity capacity, leaving the country highly exposed to cyber threats despite recent legislative steps.