Cybersecurity regulation in Guyana (2026)

Act No. 16 of 2018 criminalises unauthorised access, computer fraud, data interference, and online harassment. It is the primary legal instrument for prosecuting cyber offences but does not impose proactive security or incident-reporting obligations on operators.

Act No. 18 of 2023 (gazetted 16 August 2023) requires data controllers to notify the Data Protection Authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms; processors must notify the controller without undue delay.

In April 2024 the NDMA launched 43 cybersecurity policies covering government information systems, critical national infrastructure (energy, transport, telecoms), incident response mechanisms, and inter-agency roles. The framework is administrative policy, not primary legislation.

The Guyana National Computer Incident Response Team (CIRT.GY), established 2013 and now operating under the NDMA, is the central body for incident management, technical remediation, and public awareness; it provides the primary incident-reporting channel for government entities.

The Attorney General announced a revision of the Cybercrime Act to close jurisdictional gaps, address social-media-based offences, and align with the UN Convention on Cybercrime. The Law Reform Commission was engaged; amending legislation had not been passed as of early 2026.

The ITU's 2024 Global Cybersecurity Index placed Guyana in the 'Evolving' (Tier 4) category, reflecting ongoing but incomplete development of legal, technical, and organisational cybersecurity capacity.