Cybersecurity ยท Mauritius
Cybersecurity law & regulation in Mauritius (2026)
Mauritius shaded by its cybersecurity status
Cybersecurity in Mauritius: comprehensive law, anchored by Cybersecurity and Cybercrime Act 2021 (Act No. 16 of 2021), supplemented by the Data Protection Act 2017 (Act No. 20 of 2017); administered by ICTA, CERT-MU, and the Data Protection Commissioner.
Mauritius enacted a comprehensive Cybersecurity and Cybercrime Act in 2021, replacing the earlier Computer Misuse and Cybercrime Act 2003, establishing a National Cybersecurity Committee, a Critical Information Infrastructure (CII) protection regime, and mandatory annual security audits for designated CII operators. The Data Protection Act 2017 runs in parallel, requiring 72-hour breach notification to the Data Protection Commissioner for personal data incidents. Mauritius also operates an active National Cybersecurity Strategy 2023-2026 and a government-run CERT (CERT-MU).
Key points
The Cybersecurity and Cybercrime Act 2021 (Act No. 16 of 2021) repealed the 2003 Computer Misuse and Cybercrime Act. It criminalises unauthorised access, interception, data interference, and system interference, with penalties of up to MUR 2 million and 25 years imprisonment for offences targeting Critical Information Infrastructure.
The 2021 Act defines CII as assets whose incapacity or destruction would have a debilitating impact on essential services or national security. Designated CII owners must conduct annual threat/vulnerability risk assessments and commission annual independent IT Security Audits. The National Cybersecurity Committee is tasked with identifying and maintaining the list of CII.
Under the Data Protection Act 2017, controllers must notify the Data Protection Commissioner of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware. Where the breach poses a high risk to individuals, data subjects must also be notified. Non-compliance carries fines up to MUR 200,000 and up to five years imprisonment.
The Computer Emergency Response Team of Mauritius (CERT-MU), under the National Computer Board, coordinates national cybersecurity incident response, issues advisories, and operates a threat-mitigation knowledge-sharing hub launched in 2025. In 2023, CERT-MU was designated an ITU Academy global training centre for cybersecurity capacity building.
Mauritius's current national strategy is built on four pillars: resilient infrastructure, safer cyberspace, cybersecurity innovation and education, and international cooperation. It follows the 2014-2019 strategy and explicitly aims to strengthen incident-reporting mechanisms and law-enforcement technical capacity.
The Financial Services Commission (FSC) applies the Data Protection Act 2017 to licensed financial entities and has issued sector-specific cybersecurity guidance. ICTA retains regulatory oversight of the ICT sector under the ICT Act and administers the 2021 Cybersecurity Act, creating layered obligations for operators across critical sectors.
Timeline - major decisions & events
The National Budget 2025/26 committed Rs 16.2 million to establish a national Cyber Security Operation Centre and to equip CERT-MU and the IT Security Unit (ITSU) with updated tools, responding to more than 5,000 cyber incidents reported in 2024 including hacking, phishing, sextortion, and early AI-enhanced attacks.
CERT-MU, Government of Mauritius โPublished 9 March 2023 and effective 29 May 2023, this guideline sets binding minimum requirements for all BOM-licensed banks and financial institutions covering cyber governance, threat monitoring, incident response, and third-party technology risk, the first sector-specific cyber rulebook issued by the central bank.
Bank of Mauritius โIn February 2023 the ITU Academy nominated CERT-MU as a global training centre for cybersecurity capacity building, recognising Mauritius as a regional hub for cyber skills development and cementing its role in supporting other African and island-state governments.
ITU Academy โMauritius launched its second-generation National Cybersecurity Strategy for 2023-2026, built on four pillars: resilient critical information infrastructure, safer cyberspace, innovation and education, and regional/international partnerships. It operationalises enforcement of the 2021 Act, mandating periodic IT security risk assessments and incident-reporting policies for critical-infrastructure operators.
Ministry of Information Technology, Communication and Innovation (MITCI) โAct No. 16 of 2021 replaced the 2003 Computer Misuse and Cybercrime Act, creating a comprehensive framework: it formally constituted CERT-MU as a statutory department, established the National Cybersecurity Committee, defined and protected Critical Information Infrastructure (CII), and raised maximum penalties for CII attacks to Rs 2 million and 25 years imprisonment.
ICTA / Government of Mauritius (Official Gazette) โAct No. 20 of 2017, published in the Official Gazette on 23 December 2017 and entering force 15 January 2018, replaced the 2004 Act and aligned Mauritius with GDPR principles, strengthening data-subject rights, cross-border transfer controls, and breach-notification obligations that intersect directly with cybersecurity incident response duties.
Data Protection Office, Government of Mauritius โMauritius published a stand-alone Cybercrime Strategy (August 2017) to operationalise the criminal-justice dimension of cybersecurity: guiding police and prosecutors in detecting and prosecuting cybercrime, and building judicial capacity to handle digital evidence, complementing the broader 2014 cybersecurity strategy.
Government of Mauritius (Ministry of Defence and Home Affairs) โMauritius adopted its inaugural National Cybersecurity Strategy, establishing a governance architecture for protecting information systems and networks across government and critical sectors. This document set the policy foundation later codified in the 2021 Act and the 2023-2026 strategy.
ITU National Strategies Repository (Government of Mauritius document) โOn 21 November 2013, Mauritius deposited its instrument of accession to the Council of Europe's Budapest Convention on Cybercrime, becoming the first African country to do so. Accession aligned domestic legislation with international standards and enabled mutual legal assistance for cross-border cybercrime investigations.
Council of Europe โ Cybercrime Division โMauritius enacted its first dedicated cybercrime statute on 9 August 2003, criminalising unauthorised computer access, interception of data, malicious code distribution, and electronic fraud. Amended in 2016 to add cyber-harassment offences, the Act remained the primary cybercrime law until replaced by the 2021 Act.
WIPO Lex (Mauritius legislature) โAct No. 44/2001 established the Information and Communication Technologies Authority (ICTA) as the national ICT regulator and created the overarching legal framework for ICT governance in Mauritius, the foundational statute upon which all subsequent cybersecurity legislation was built.
ICTA, Government of Mauritius โMauritius - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ