Cybersecurity regulation in Equatorial Guinea (2026)

Enacted 22 July 2016, this is Equatorial Guinea's primary operative instrument on cybersecurity-adjacent obligations; it regulates collection, storage, and use of personal data and requires notification to the relevant authority and to affected individuals in the event of a data breach.

In April 2024, the parliament's legislative panel accepted articles defining offences including unauthorised access to computer systems, illegal interception, computer fraud, and espionage against sensitive personal or government data; the bill also addresses social-media conduct. No public evidence of final presidential assent or gazetting has been found as of May 2026.

Law 1/2016 created the Órgano Rector de Protección de Datos Personales as the supervisory authority, but the body had not become operational as of the latest available reporting, leaving enforcement of breach-notification and data-security obligations effectively dormant.

Prior to any dedicated cybercrime statute, Equatorial Guinea relies on scattered provisions within its Penal Code and Telecommunications Law to address computer-related crimes; the World Bank notes that many underlying laws date to the colonial era (pre-1968) and are considered outdated for digital-economy governance.

The AU Convention on Cybersecurity and Personal Data Protection was adopted in Malabo on 27 June 2014 and entered into force on 8 June 2023 after 15 ratifications; Equatorial Guinea's own ratification of the Convention is not confirmed in publicly available AU treaty records.

Equatorial Guinea ranked 180th of 181 countries in the ITU Global Cybersecurity Index 2020, reflecting very limited legal, technical, and organisational cybersecurity capacity; the World Bank's 2021 digital-economy assessment recommended conducting a national cybersecurity maturity assessment as a foundational priority.