Cybersecurity regulation in Grenada (2026)

Act No. 23 of 2013 (amended 2014, in force 2016) establishes 16 cybercrime offences including unauthorised access, identity theft, electronic fraud, malicious code, violation of privacy, and electronic terrorism. Part III provides investigation powers including preservation orders, production orders, search and seizure, and real-time traffic-data collection.

Act No. 1 of 2023, published in the Official Gazette and fully in force from 1 January 2025, requires data controllers to implement reasonable security measures (including risk assessments, audits, and penetration testing) and grants the Information Commission powers to investigate breaches. Penalties reach XCD $500,000 and five years' imprisonment.

On 22 April 2024, Grenada deposited its instrument of accession to the Council of Europe Convention on Cybercrime (ETS 185), becoming the 72nd State Party and the first OECS/CARICOM member to do so. Accession is expected to drive amendments to existing cybercrime legislation to ensure full alignment.

The Grenada National CSIRT was formally launched in May 2022 and provides 24/7 incident-response services to citizens, businesses, and government agencies, covering detection, triage, analysis, response, and recovery. A 16-week programme to train at least 100 additional cybersecurity professionals is underway in partnership with Canada.

The government has announced a dedicated facility to house a national Cybersecurity Agency, a Security Operations Centre, and a Network Operations Centre, with completion targeted for 2027. No enabling legislation for the Agency has been formally tabled in Parliament as of early 2026.

Grenada participates in the CARICOM Cybersecurity and Cybercrime Action Plan (CCSCAP) coordinated by CARICOM IMPACS. An updated CCSCAP incorporating AI provisions was expected to be distributed to all CARICOM Member States by end-2025, providing a regional baseline for cyber governance.