Cybersecurity regulation in DR Congo (2026)

Ordinance-Law No. 23/010 of 13 March 2023 is the primary legal instrument, addressing cybersecurity obligations for operators, cybercrime definitions and penalties, personal data protection (Title III) with mandatory breach notification, electronic signatures, and regulation of digital platforms.

The Digital Code and National Cybersecurity Strategy mandated creation of the Agence Nationale de Cybersécurité (ANCS) under the Presidency, responsible for piloting national cyber defence, protecting critical infrastructure, and coordinating the 2022–2025 strategy; a sovereign cybersecurity fund was also created to finance these activities.

A seven-pillar strategy presented to the Council of Ministers on 14 October 2022 and validated by President Tshisekedi on 23 June 2023, aiming to build digital trust, protect critical infrastructure, develop incident-response capacity, and establish governance institutions.

Title III of the Digital Code mandates breach notifications and empowers a Data Protection Authority (DPA) to investigate violations and impose penalties ranging from 8 million to 200 million Congolese francs; injunctions to halt processing are available where national security is endangered.

Law No. 20/017 of 25 November 2020 on telecommunications and ICT first introduced legal definitions of cyberattacks (Article 4) — encompassing hacking, espionage, data manipulation, and disruption of critical infrastructure — and established the ARPTC regulator, forming the sector-level foundation that the Digital Code built upon.

The DRC's Council of Ministers authorised ratification of the AU Malabo Convention in December 2022, with ratification subsequently completed (DRC cited as the 19th state to ratify as of June 2025); DRC has not ratified the Budapest Convention but is engaged in accession steps with EU GLACY+ programme support.