Cybersecurity regulation in Maldives (2026)

Law No. 16/2017 is the primary in-force statute governing ICT use, including cybersecurity requirements and electronic transactions; it underpins government-sector security obligations but does not constitute a comprehensive cybersecurity regime.

President Muizzu constituted the National Cyber Security Agency on 18 March 2024 via Presidential Directive 07/2024; the NCSA sets national cybersecurity policy, coordinates incident response, and issues standards for both public and private sectors.

The NCSA published a five-year national strategy covering legal-framework development, critical-infrastructure protection, a national Security Operations Centre, capacity building, and international cooperation; it is a policy document, not binding legislation.

The NCSA has issued a National Baseline Cyber Security Framework providing mandatory baseline controls for government entities and guidance for the private sector, operating under the authority of the NCSA rather than an enacted statute.

The government launched public consultations on a standalone Cybersecurity Bill and a Privacy and Personal Data Protection Bill; the latter would require organisations to notify a Data Protection Authority and affected individuals of breaches, but neither bill had been enacted as of mid-2026.

The Maldives Penal Code criminalises unauthorised access to computer systems, data interception, and digital fraud; a Cybercrime Amendment Bill to broaden these offences was under parliamentary deliberation but had not passed as of mid-2026.