
Cybersecurity · Saint Kitts and Nevis

Cybersecurity regulation in Saint Kitts and Nevis (2026)

Sectoral rules

Electronic Crimes Act 2009 (amended 2012, 2017); Data Protection Act 2018 (not yet commenced); ECCB sectoral guidance for financial institutions

Country index 57 · C


Saint Kitts and Nevis relies primarily on the Electronic Crimes Act 2009, a cybercrime criminal statute aligned with the Budapest Convention, as its main legal instrument addressing cyber threats. No comprehensive NIS2-style cybersecurity framework law exists; the Data Protection Act 2018 (which would introduce breach-notification duties) was enacted but has not been brought into force as of early 2025. A national CIRT has been assessed but not yet operationalised, and the country is actively building capacity through the Caribbean Digital Transformation Project (CARDTP).

Key points

Electronic Crimes Act 2009

The primary cybersecurity-adjacent law criminalises illegal access, data interference, system interference, illegal interception, computer-related fraud, identity crimes, child pornography, and spam. Amendments in 2012 and 2017 added critical-infrastructure references and extensive definitions, bringing the Act nearly in line with Budapest Convention requirements.

Budapest Convention alignment

Saint Kitts and Nevis has acceded to the Budapest Convention on Cybercrime. The Electronic Crimes Act covers most Budapest Convention procedural powers (search and seizure with judicial warrant, production orders, expedited data preservation, interception under judiciary supervision), with one noted gap: real-time traffic-data collection is not covered.

Data Protection Act 2018 — not in force

The Data Protection Act 2018, modelled on the OECS template, was enacted but has not been commenced (no commencement order published as of early 2025). When in force it would introduce data breach notification and processing obligations for public and private entities; revisions were on the legislative agenda for 2025.

No mandatory breach-notification duty

Because the Data Protection Act 2018 is not yet in force, there is currently no statutory obligation on organisations to notify authorities or affected individuals following a data breach or cyber incident. Incident-reporting requirements are therefore absent at the general legal level.

National CIRT — planned, not operational

A formal national CIRT has not yet been established. A CIRT readiness assessment was conducted with stakeholders, and the CARDTP (Caribbean Digital Transformation Project) is advancing plans for both a national government data centre and a governmental CIRT as of 2025.

Financial-sector & workforce capacity

The Eastern Caribbean Central Bank (ECCB) published policy considerations for data protection and privacy legislation applicable to ECCU member states including Saint Kitts and Nevis, providing guidance for financial institutions. In February 2025, the government launched the Cyber Nations Program 2025 (with Protexxa) targeting 25,000 citizens for cybersecurity training.


Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.