Cybersecurity · Dominican Republic
Cybersecurity regulation in Dominican Republic (2026)
Dominican Republic shaded by its cybersecurity status
The Dominican Republic has no comprehensive, in-force cybersecurity statute; obligations arise from a combination of executive decrees, a national strategy, the high-tech crime law, and a sector-specific financial regulation. A dedicated Cybersecurity Management Law was approved in first reading in the Senate (April 2024) but, as of 2025, remains under study and is not yet enacted. Mandatory incident-reporting duties currently apply to public-administration entities (via decree) and to regulated financial institutions (via the Monetary Authority's regulation).
Key points
A 'Proyecto de Ley sobre Gestión de la Ciberseguridad' was approved in first reading by the Senate in April 2024 and would create a statutory National Cybersecurity Center covering public administration and critical infrastructure, but it remained under committee study in September 2025 and is not in force.
Decree 230-18 adopted the first National Cybersecurity Strategy and created the National Cybersecurity Center (CNCS) under the Ministry of the Presidency; Decree 313-22 updated and extended the strategy to 2030. The framework is executive/policy-based rather than a comprehensive statute.
Decree 685-22 (Dec 2022) requires public-administration entities to report cybersecurity incidents in their technological infrastructure to the CSIRT-RD/CNCS within 24 hours of detection, and to notify affected individuals when data is compromised.
Since 2018 the Monetary Authority (Central Bank + Superintendency of Banks) imposes a binding 'Reglamento de Seguridad Cibernética y de la Información' on financial-intermediation entities, including risk management and incident notification to the payment-system response center (SPRICS).
Law 53-07 on High-Technology Crimes and Offenses (2007) criminalizes unauthorized system access, electronic fraud, and related conduct, providing the country's core penal framework for cyber offenses — distinct from operational cybersecurity obligations.
The CSIRT-RD, housed within the CNCS, handles incident response for the State's critical and IT infrastructure, runs a security operations/monitoring function, and operates platforms for incident reporting and vulnerability disclosure.
Timeline - major decisions & events
The CTEC and CNCS approved a new biennial action plan under the National Cybersecurity Strategy 2030, setting specific targets for capacity building, sectoral awareness campaigns, and incident-response protocols. It is the second implementation cycle following the 2022–2024 plan.
Centro Nacional de Ciberseguridad (CNCS) ↗President Abinader signed Decree 612-24, creating the Specialized Technical Commission on Cybersecurity (CTEC) under the National Security and Defense Council, transferring CSIRT-RD and the Strategy Coordination Team to the National Intelligence Directorate (DNI), and establishing a new National Cryptographic Institute (ICN).
Presidencia de la República Dominicana ↗After a public consultation, the Superintendencia de Electricidad published Resolution SIE-077-2024-ADM requiring all national electrical-system agents (generators, transmitters, distributors) to adopt cybersecurity management programs, with implementation entering force in early 2025.
Superintendencia de Electricidad (SIE) ↗Decree 313-22 superseded the 2018–2021 strategy, extending the CNCS mandate to 31 December 2030 and establishing a rolling Action Plan (first cycle 2022–2024) with six objectives covering critical infrastructure protection, cybercrime capacity, and sectoral regulation.
Presidencia de la República Dominicana ↗The INDOTEL Board issued Resolution 126-21 imposing cybersecurity obligations on all licensed internet service providers, including establishment of an independent Cybersecurity Committee, defined organisational structures with dedicated capability, and incident-reporting requirements.
Instituto Dominicano de las Telecomunicaciones (INDOTEL) ↗President Medina signed Decree 230-18, launching the first National Cybersecurity Strategy with four pillars — legal/institutional strengthening, critical-infrastructure protection, cybersecurity culture, and international alliances — and creating the National Cybersecurity Center (CNCS) as the coordinating authority.
Presidencia de la República Dominicana ↗Law 172-13 established the Dominican Republic's first comprehensive data-protection framework, requiring controllers to adopt technical security measures and granting data subjects rights to access, rectify, and delete personal data; the Ombudsman and Superintendent of Banks serve as enforcement bodies.
Portal Oficial del Estado Dominicano ↗The Dominican Republic deposited its instrument of accession to the Council of Europe's Budapest Convention, becoming the first nation in Latin America and the Caribbean to ratify the treaty, strengthening mutual legal assistance and cross-border cybercrime prosecution capacity.
Council of Europe – Cybercrime Division ↗Law 53-07 criminalised unauthorised system access, data interception, computer fraud, cyberviolence, and child online exploitation — one of the first standalone cybercrime statutes in Latin America, drafted in alignment with the Budapest Convention even before formal ratification, and creating specialist enforcement units DICAT and DIDI.
Ministerio de Interior y Policía ↗Dominican Republic - other topics
Last verified 5/25/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →