Cybersecurity regulation in Gambia (2026)

Chapter III, Part III of the Information and Communications Act 2009 covers computer integrity offences and computer-related crimes broadly aligned with the Budapest Convention, making it the foundational statutory instrument for cybercrime prosecution. Investigatory powers and service-provider obligations under the Act have been assessed by the Council of Europe as requiring significant improvement.

The Personal Data Protection and Privacy Act, assented by President Adama Barrow on 7 November 2025, requires data controllers to notify the Data Protection Commission within 72 hours of discovering a breach and to inform affected data subjects without undue delay where there is high risk to their rights. Concealment of a breach is criminalised with up to two years' imprisonment; obstruction of the Commission carries up to seven years.

The Ministry of Communications and Digital Economy published both a National Cybersecurity Policy (2022–2026) and a National Cybersecurity Strategy and Action Plan (2022–2026), which set governance priorities including protection of critical information infrastructure, institutional capacity building, and international cooperation. These are policy instruments, not binding law.

The Public Utilities Regulatory Authority (PURA) hosts the Gambian Computer Security Incident Response Team (gmCSIRT), the national CSIRT mandated to support all Critical Information Infrastructure holders. In February 2026 PURA signed an MoU with CTM360 for threat intelligence and capacity building, and in April 2026 launched its first structured cybersecurity training for critical-infrastructure operators.

A dedicated Cybercrime Bill introduced in early 2024 for parliamentary consideration would broaden criminal categories for online conduct, compel service providers to assist in decryption and interception, and restrict anonymity tools. Article 19 raised concerns about threats to online dissent. As of May 2026 the bill has not been enacted into law.

The Communications Bill 2025, introduced on second reading in the National Assembly on 23 March 2026, seeks to consolidate electronic communications, broadcasting, electronic commerce, and cybersecurity regulation into a single framework. It is currently under committee scrutiny and has not yet received presidential assent.