Cybersecurity regulation in Kiribati (2026)

Enacted in August 2021, the Act criminalises unauthorised access, cyberstalking, CSAM distribution, identity theft, fraud, and denial-of-service attacks. It also established a National Cybersecurity Agency and sets procedural rules for law-enforcement search, seizure, data preservation, and international cooperation.

Kiribati formally acceded to the Council of Europe's Convention on Cybercrime (Budapest Convention) on 20 June 2024; the treaty entered into force for Kiribati on 1 October 2024, making it one of 75 State Parties and anchoring domestic cybercrime law in an internationally harmonised framework.

The strategy sets short-, medium-, and long-term objectives including a gap analysis of existing legislation, establishment of a Kiribati CERT, a Cybersecurity Working Group, critical-infrastructure protection planning, and introduction of cybersecurity into the national education curriculum.

The Data Protection Bill passed its first parliamentary reading on 1 April 2025. The Act imposes technical and organisational safeguards, requires breach notification to the DTO and affected individuals within 72 hours of becoming aware of a harmful breach, and grants the DTO investigative and fine-issuing powers.

Kiribati is a member of the Pacific Cyber Security Operational Network (PaCSON), which facilitates collective cyber-incident response capabilities and threat-intelligence sharing across Pacific island nations.

The updated National ICT Policy (2019) addresses e-government, national internet security, and ICT reform coordination, providing the broader digital-governance context within which the cybersecurity-specific instruments sit.