Cybersecurity regulation in Mali (2026)

Law No. 2019-056 of 5 December 2019 criminalises unauthorised system access, data and system interference, computer fraud, online child sexual abuse material, and cyberbullying. It transposes ECOWAS Directive C/DIR/1/08/11 and prescribes penalties of 6 months to 20 years imprisonment plus fines up to 20 million CFA francs; the law applies to any ICT offence committed wholly or partly on Malian territory.

Law No. 2013-015 of 21 May 2013 established the APDP (Autorité de Protection des Données à caractère Personnel) as an independent supervisory authority and requires prior APDP authorisation for data processing. Breach notification to the APDP is envisaged but the original text does not prescribe a fixed mandatory timeline for notification.

On 3 December 2025 the Council of Ministers approved a decree adopting Mali's first National Cybersecurity Strategy and Action Plan 2026–2030, targeting improved governance coordination, a stronger cybersecurity culture across government and private sector, and protection of critical digital infrastructure; until this strategy no coordinated national framework existed.

Law No. 2019-056 mandates the creation of a Computer Incident Response Team (CIRT Mali) and a Platform for Combating Cybercrime (PLCC) with a digital forensics laboratory. No formal mandatory incident-reporting duty for operators comparable to EU NIS2 is yet in force.

The APDP supervises data protection; the AMRTP (Autorité Malienne de Régulation des Télécommunications et des Postes) regulates telecoms and publishes official ICT legislation; AGETIC (Agence des Technologies de l'Information et de la Communication, created by Decree No. 05-002 of 10 January 2005) is the government ICT implementation agency.

The ITU Global Cybersecurity Index 2024 places Mali at Tier 4 out of 5, indicating basic capabilities. Significant incidents motivating the 2026–2030 strategy include an August 2022 breach exposing 312,000 taxpayer records from the General Directorate of Taxes and a February 2023 attack on Bank of Africa Mali described as one of the largest ever recorded against a Malian financial institution.