Cybersecurity regulation in Saint Lucia (2026)

Sectoral rules: Computer Misuse Act 2011 (Cap 13.17) and Privacy and Data Protection Act (Cap 8.18), overseen by the Data Protection Commissioner and the National Telecommunications Regulatory Commission (NTRC)

Country index: 73 · B

Saint Lucia's cybersecurity regime rests on two primary statutes: the Computer Misuse Act 2011, which criminalises unauthorised access, fraud, and malicious communications, and the Privacy and Data Protection Act, which imposes security obligations on data controllers. No comprehensive national cybersecurity law or formally adopted national cybersecurity strategy is in force; institutional capacity — including a government Cyber Incident Response Team (CIRT) — is still being built under the World Bank-funded Caribbean Digital Transformation Project (CARDTP), with CIRT recruitment planned for 2026.

Key points

Computer Misuse Act 2011

The Computer Misuse Act (Cap 13.17), revised to 31 December 2023, criminalises unauthorised access, interception, modification, electronic fraud, unlawful possession of hacking devices, and malicious communications. It is the primary cybercrime instrument but does not impose proactive cybersecurity obligations or incident-reporting duties on organisations.

Data Protection Act — security & breach obligations

The Privacy and Data Protection Act (Cap 8.18) requires data controllers to implement appropriate technical and organisational security measures and to register with the Data Protection Commissioner before processing personal data. Penalties for non-compliance reach EC$100,000 for corporate bodies. The Act came partially into force in 2023, with full enforcement targeted for January 2025.

No comprehensive cybersecurity law or strategy

The ITU Cyberwellness Profile confirms Saint Lucia has no officially approved national cybersecurity framework, no sector-specific cybersecurity certification regime, and no formally published national cybersecurity strategy as of the most recent assessment. The strategy and capacity layers remain under development.

CIRT establishment under CARDTP

Under the World Bank Caribbean Digital Transformation Project (CARDTP), the OECS Commission engaged NRD Cyber Security to design a national government CIRT for Saint Lucia, covering governance, constituency, services, and a step-by-step roadmap. CIRT staff recruitment is set to begin in 2026, alongside a national government data centre. A public cybersecurity awareness campaign launched in August 2025.

Electronic Transactions Act 2011

The Electronic Transactions Act 2011 (Act No. 16 of 2011) provides the legal basis for electronic contracts and transactions but does not contain specific cybersecurity incident-reporting or critical-infrastructure protection obligations.

No mandatory sector-specific incident reporting

Saint Lucia has no NIS2-equivalent mandatory incident-reporting regime for critical infrastructure operators or financial institutions. The National Telecommunications Regulatory Commission (NTRC) oversees the telecoms sector under the Telecommunications Act, but no published cybersecurity incident-notification obligations attach to it.

Last verified 5/25/2026 · Orientation, not legal advice - verify against the primary sources linked above.