Cybersecurity regulation in Guinea (2026)

Law L/2016/037/AN (26 June 2016) is the foundational text, covering cybercrime definitions and sanctions (Part 1) and personal-data protection (Part 2), applicable across all sectors in Guinea.

ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), established under the Ministry of Posts, Telecommunications and Digital Economy, is responsible for securing public and private information systems, conducting audits and penetration tests, managing cyber-incident response, and operating a national CERT.

Decree D-2026/159/PRG/SGG (21 May 2026) requires all companies and public/private establishments conducting electronic transactions in Guinea — including foreign providers serving Guinean residents — to undergo mandatory security audits every three years, with interim controls for critical structures, supervised and certified by ARPT.

Under the May 2026 decree, entities must report cyber-attacks or system disruptions to ARPT within 24 hours of discovery when a significant number of users is affected, with a full incident report required within 72 hours — a formal breach-notification obligation now embedded in Guinean law.

The 2026 decree establishes financial penalties of up to 3 billion Guinean francs for serious violations, and daily fines of 50 million Guinean francs (capped at 4.5 billion) for entities that refuse mandatory audits; ARPT holds supervisory and sanctioning power.

The data-protection authority envisaged by the 2016 law had not been formally constituted as of recent reporting, leaving personal-data enforcement partially incomplete; ANSSI and ARPT carry the operational cybersecurity mandate in the interim.