Cybersecurity regulation in Congo (2026)

Ordinance-Law No. 23/010 of 13 March 2023 (published in the Official Journal 11 April 2023) is the principal instrument, covering cybersecurity governance, cybercrime offences, cryptology, electronic transactions, and personal data protection in a single statute.

The DRC adopted a National Cybersecurity Strategy in 2022 under the broader Plan National du Numérique – Horizon 2025, establishing strategic objectives for protecting critical information infrastructure and building national cyber capacity.

Decree No. 23/13 of 3 March 2023 created ARPTIC as the sector regulator for posts, telecommunications, and ICT, with oversight responsibilities that include cybersecurity compliance for licensed operators.

The Digital Code imposes notification duties on digital service providers and operators of essential services: significant cybersecurity incidents must be reported to designated government authorities. A national CSIRT/CERT function for coordinating incident response is referenced in the framework.

The Digital Code mandates establishment of an independent Data Protection Authority empowered to investigate breaches, issue warnings, and impose fines of 8 million to 200 million Congolese francs; several implementing decrees remain pending as of 2024–2025.

The DRC ratified the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) on 6 March 2025, binding it to AU-level standards on cybersecurity, cybercrime, and data protection.