Cybersecurity - Fiji

Passed 12 February 2021 and brought fully into force on 14 November 2022 (except s.34), the Act criminalises unauthorised access, interception and interference with computer systems and data, and provides procedural powers for electronic-evidence collection and international cooperation aligned with the Budapest Convention on Cybercrime.

Establishes the Online Safety Commission to receive complaints about harmful electronic communications; prescribes penalties of up to FJD 50,000 / 7 years imprisonment for individuals. Focuses on online harms rather than technical security obligations.

The Reserve Bank of Fiji's Prudential Supervision Policy Statement No. 2 sets mandatory minimum requirements for cybersecurity risk management across all RBF-supervised entities (commercial banks, insurers, FNPF, stockbrokers, etc.), representing the most binding sector-specific security obligations in force.

There is no general statutory breach-notification obligation in Fiji. The RBF's sector rules impose incident-reporting duties on supervised financial institutions; outside the financial sector no mandatory notification requirement is currently in force. Privacy and data-protection legislation (which would typically introduce breach notification) is pending.

Endorsed by Cabinet and launched by PM Rabuka in 2025, the strategy establishes a framework for critical infrastructure protection, incident response, and a national CERT. It succeeds the 2016 strategy and is a policy document, not binding legislation; companion privacy legislation and a formal CERT are still being finalised.

Fiji's Cybercrime Act 2021 was developed with Council of Europe Octopus Programme support and mirrors Budapest Convention provisions on substantive offences, procedural measures, and mutual legal assistance, enabling cross-border cooperation even before formal accession.