Cybersecurity regulation in Comoros (2026)

Law No. 21-012/AU on Cybersecurity and the Fight Against Cybercrime was adopted in 2021 and formally promulgated by presidential Decree No. 22-003/PR on 18 January 2022, making it the binding legal foundation for cybersecurity in Comoros.

Articles 6 and 7 of Law 21-012/AU designate ANADEN (Agence Nationale pour le Développement du Numérique) as the competent national authority for cybersecurity strategy, policy development, and oversight. ANRTIC (National Regulation Authority for ICT) retains general ICT sector regulatory functions.

Chapter III of Law 21-012/AU (Articles 53–63) establishes obligations for operators of critical information infrastructure, including security requirements and incident-handling duties, though secondary regulations specifying sector-by-sector breach-notification timelines had not been publicly confirmed as adopted by early 2026.

A standalone Personal Data Protection Law enacted June 2021 establishes an independent supervisory authority with powers to investigate, warn, and sanction. It incorporates data-breach notification obligations; however, the supervisory authority had not been formally constituted or made operational as of mid-2024, leaving enforcement in abeyance.

ITU undertook a National CIRT Assessment for Comoros to evaluate readiness for establishing an operational Computer Incident Response Team. As of the latest available data, Comoros does not have a fully operational national CIRT, though the ITU assessment process included stakeholder engagement and basic CIRT training.

Comoros has signed the AU Malabo Convention on Cyber Security and Personal Data Protection but has not ratified it. The country scores 37.50/100 on the e-Governance Academy National Cyber Security Index (NCSI), ranked 92nd globally, reflecting the gap between enacted legislation and operational cybersecurity capacity.