Cybersecurity regulation in Monaco (2026)

Law No. 1.435 of 8 November 2016 on combating technological crime transposed the Budapest Convention, introduced criminal offences for unauthorised system access and cyberattacks, and mandated the Minister of State to secure the Principality's information systems. It also created the AMSN as the national supervisory authority.

Ministerial Order No. 2018-1053 (as amended by Orders 2020-902 and 2023-556) sets mandatory technical and organisational security baselines for OIVs, requiring a Protection Plan, AMSN audits at least every three years, and prompt notification to the Minister of State of any incident affecting information systems. Ministerial Order No. 2025-533 of 3 October 2025 further enhanced the regime.

Law No. 1.578 of 1 July 2025 raised the maximum financial penalty for OIV non-compliance with security rules to €150,000 per infraction for individuals and five times that amount for legal entities, and introduced a digital identity wallet framework.

Law No. 1.565 of 3 December 2024 on personal data protection requires controllers to notify the APDP (data-protection authority) of personal data breaches without undue delay and within 72 hours; affected individuals must be notified where the breach poses a high risk to their rights.

The Agence Monégasque de Sécurité Numérique (AMSN), established 2015, is Monaco's national cybersecurity authority; it hosts CERT-MC, an accredited incident-response team that assists government entities and OIVs. A bilateral ANSSI–AMSN cooperation agreement was renewed for 2025–2030.

Though not an EU member state, Monaco publicly committed to voluntary NIS2 alignment at the 2024 Assises de la cybersécurité. An inter-ministerial working group was established in January 2025 to prepare a draft bill covering broader entity scope with a 24h/72h/30-day incident-reporting ladder; no bill had been published as of mid-2025.