Cybersecurity regulation in Fiji (2026)

Fiji's first whole-of-government National Digital Strategy embeds cybersecurity as a cross-cutting pillar alongside e-government, digital inclusion, and data governance, committing to secure-by-design digital infrastructure and 80% of public services online by 2030. It provides the overarching framework within which the 2026–2031 Cybersecurity Strategy operates.

Fiji stood up its first national CERT to serve as digital first-responders to significant cyber incidents, supported by Australian capacity-building assistance for technical staff. The government simultaneously committed over FJD 5 million to upgrade GovNet infrastructure and launch a 24/7 Government Security Operations Centre.

Prime Minister Rabuka launched Fiji's second national cybersecurity strategy, establishing a coordinated framework to protect critical infrastructure, build a skilled cyber workforce, and strengthen international cooperation, alongside a dedicated national cybersecurity public awareness website. Cabinet had separately endorsed the strategy and it was welcomed by Australia's High Commission as a regional milestone.

Fiji became the 74th Party to the Council of Europe's Budapest Convention — the principal international treaty harmonising cybercrime laws and enabling mutual legal assistance for electronic evidence. Accession completed a process begun with Fiji's invitation in December 2021 and obligates Fiji to maintain its Cybercrime Act 2021 in Convention-compliant form.

The World Bank's KoDi programme conducted a Cybersecurity Capacity Maturity Model assessment of Fiji, identifying gaps across governance, technical response, and institutional dimensions. The findings directly informed the design of the 2026–2031 strategy and the CERT establishment.

After a transitional period following parliament's passage in February 2021, the Cybercrime Act (Act No. 3 of 2021) came into full effect, repealing Sections 336–346 of the Crimes Act 2009 and creating a standalone, Budapest Convention-aligned statute covering unauthorised access, data and system interference, computer-related fraud and forgery, and electronic evidence rules.

A cyber attack on Fiji's government IT infrastructure took down GovNet and more than 30 government websites — including the COVID-19 vaccine registry, justice, education, and agriculture portals — requiring days of forensic recovery. The Attorney-General's statement attributed the incident to a compromised government server outside ITC Department controls, exposing critical gaps in Fiji's incident-response capacity and accelerating CERT planning.

Parliament passed Fiji's first standalone, comprehensive cybercrime statute (Act No. 3 of 2021), covering offences against computer system confidentiality, integrity and availability, computer-related forgery and fraud, child sexual abuse material online, and binding electronic evidence rules — replacing the patchwork Sections 336–346 of the Crimes Act 2009 after a two-year reform process supported by the Council of Europe.

Parliament passed the Online Safety Act 2018, establishing the Online Safety Commission as a statutory body empowered to receive complaints about harmful electronic communications and direct content removal. The Act introduced offences for cyber-bullying, harassment, stalking, and harmful online content, with penalties up to FJD 50,000 and/or 7 years imprisonment for individuals.

Australia launched PaCSON — a government-to-government cyber threat intelligence and incident coordination network for 16 Pacific nations — with Fiji as a member. PaCSON gives Fiji access to regional threat sharing, joint incident response capability, and bilateral technical capacity-building, anchoring Fiji in the Pacific's collective cyber defence architecture.

Fiji published its inaugural National Cybersecurity Strategy, providing the first whole-of-government framework for cyber governance, awareness, and incident response. The strategy set foundational priorities that later drove legislative reform (the Cybercrime Act 2021) and was eventually superseded by the 2026–2031 strategy.