Cybersecurity regulation in Mauritius (2026)

The Cybersecurity and Cybercrime Act 2021 (Act No. 16 of 2021) repealed the 2003 Computer Misuse and Cybercrime Act. It criminalises unauthorised access, interception, data interference, and system interference, with penalties of up to MUR 2 million and 25 years imprisonment for offences targeting Critical Information Infrastructure.

The 2021 Act defines CII as assets whose incapacity or destruction would have a debilitating impact on essential services or national security. Designated CII owners must conduct annual threat/vulnerability risk assessments and commission annual independent IT Security Audits. The National Cybersecurity Committee is tasked with identifying and maintaining the list of CII.

Under the Data Protection Act 2017, controllers must notify the Data Protection Commissioner of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware. Where the breach poses a high risk to individuals, data subjects must also be notified. Non-compliance carries fines up to MUR 200,000 and up to five years imprisonment.

The Computer Emergency Response Team of Mauritius (CERT-MU), under the National Computer Board, coordinates national cybersecurity incident response, issues advisories, and operates a threat-mitigation knowledge-sharing hub launched in 2025. In 2023, CERT-MU was designated an ITU Academy global training centre for cybersecurity capacity building.

Mauritius's current national strategy is built on four pillars: resilient infrastructure, safer cyberspace, cybersecurity innovation and education, and international cooperation. It follows the 2014–2019 strategy and explicitly aims to strengthen incident-reporting mechanisms and law-enforcement technical capacity.

The Financial Services Commission (FSC) applies the Data Protection Act 2017 to licensed financial entities and has issued sector-specific cybersecurity guidance. ICTA retains regulatory oversight of the ICT sector under the ICT Act and administers the 2021 Cybersecurity Act, creating layered obligations for operators across critical sectors.