Cybersecurity regulation in Madagascar (2026)

Law No. 2014-006 of 17 July 2014 criminalises illegal system access, data and system interference, illegal interception, device misuse, and computer-related fraud. It was amended by Law No. 2016-031 and is indexed by UNODC and the Council of Europe Octopus Cybercrime Community.

Law No. 2014-038 (promulgated January 2015, gazetted June 2015) requires data controllers to implement appropriate security measures but does not oblige notification to CMIL or affected individuals in the event of a breach — a significant gap in the incident-reporting framework.

The Commission Malagasy sur l'Informatique et des Libertés (CMIL) is the statutory data-protection and cybersecurity supervisory body, but it and the national CIRT have faced sustained institutional and resource constraints, limiting effective enforcement of existing obligations.

Law No. 2024-004, ratifying the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), was adopted by both chambers of parliament on 21 June 2024. Publication in the Official Gazette was still pending as of early 2025, meaning treaty obligations had not yet entered domestic force.

Madagascar formally launched its national cybersecurity strategy drafting process in 2025 via a multi-stakeholder workshop in Antananarivo, involving ARTEC, the Ministry of Digital Technology, the Ministry of Justice, and international partners. The strategy is intended to update the 2014 legislative framework and establish coherent incident-response and prevention mechanisms.

The Autorité de Régulation des Technologies de Communication (ARTEC) grants licences and oversees compliance in the communications sector, playing a supporting role in cybersecurity governance alongside CMIL, though sector-specific critical-infrastructure cybersecurity obligations remain underdeveloped.