Cybersecurity regulation in Haiti (2026)

Articles 587–593 of the new Penal Code (adopted 24 June 2025) criminalise unauthorised access to automated systems, interception of data, and intentional destruction/alteration of computer data, with penalties of 1–5 years' imprisonment and fines of 25,000–150,000 gourdes. Articles 437–442 and 981–984 provide for personal-data and privacy protections within the criminal law.

Haiti has no standalone cybersecurity act, no national cybersecurity agency, and no designated Computer Security Incident Response Team (CSIRT) established by law. Observers and the press have characterised the pre-2025 landscape as a 'legal void' for digital security.

CONATEL, Haiti's telecom regulator under the MTPTC ministry, created a Cybersecurity and Cybercrime Working Group (GTCSC) by internal circular in July 2015 to develop a national cybersecurity strategy and draft sector-specific texts. Its mandate remains telecom-sector focused; broader cross-sector cybersecurity authority is not established by legislation.

DLA Piper's Data Protection Laws of the World confirms Haiti has no statutory breach-notification requirement. Neither the new Penal Code nor any telecom regulation imposes mandatory timelines for notifying individuals or authorities following a data breach or cyber incident.

The World Bank's Haiti Digital Acceleration Project (P171976), active through at least 2025, includes a component to strengthen Haiti's cybersecurity framework, conduct a cybersecurity maturity assessment, and build public-sector capacity via CONATEL — signalling that foundational institution-building is still ongoing rather than complete.

Haiti participated in the ITU-EC HIPCAR programme (Harmonisation of ICT Policies in the Caribbean), which provided model policy and legislative texts on cybercrime and electronic evidence intended to guide national legislation — indicating that any future comprehensive law is likely to draw on these templates.