Cybersecurity regulation in Guinea-Bissau (2026)

Guinea-Bissau has enacted no standalone cybersecurity or cybercrime legislation. The 1993 Penal Code contains no provisions addressing computer-related offences, leaving a fundamental legal gap.

The National Regulatory Authority for ICT (ARN), created by Law No. 5/2010, oversees the .gw ccTLD and DNSSEC deployment but has no explicit cybersecurity enforcement or incident-reporting mandate.

Guinea-Bissau has no data protection statute and no dedicated supervisory authority, meaning there are no domestic breach-notification obligations for controllers or processors.

Guinea-Bissau signed the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), which includes cybersecurity and data-protection obligations, but those obligations have not been enacted into domestic legislation.

The ITU Global Cybersecurity Index 2024 placed Guinea-Bissau in Tier 5 (Building) — one of only four African states at this lowest tier — reflecting minimal legal, technical, and organisational cybersecurity measures.

Guinea-Bissau participates in ECOWAS's 2021 Regional Cybersecurity and Cybercrime Strategy and hosted the ECOWAS CSIRT Week in Bissau in October 2022, but has not formally adopted a national cybersecurity strategy.