Cybersecurity regulation in Saint Vincent and the Grenadines (2026)

Act No. 20 of 2016 is the primary cyber-law instrument, covering illegal access, interception, data and system interference, critical-infrastructure attacks, identity-related offences, fraud, and child-exploitation material. Part III grants law-enforcement procedural powers including expedited preservation, production orders, real-time traffic-data collection, and remote forensic tools.

The Data Protection Act 2021 establishes a Data Protection Commissioner and requires data controllers to notify the Commissioner and affected individuals of a personal-data breach within 72 hours of becoming aware, unless no risk to individuals' rights and freedoms exists. Fines reach EC$100,000 for corporate bodies.

There is no dedicated national cybersecurity statute equivalent to the EU NIS2 Directive imposing sector-wide risk-management, incident-reporting, or critical-infrastructure resilience obligations on operators beyond what the Cybercrime Act and Data Protection Act already provide.

An ITU-supported National CIRT Assessment was undertaken to study institutional requirements for establishing a national Computer Incident Response Team. As of available 2025 records, a fully operational national CIRT has not been confirmed as deployed.

Saint Vincent and the Grenadines is a participant in the CARICOM Cyber Security and Cybercrime Action Plan (CCSCAP, 2017), which sets a harmonised baseline for cyber practices, incident response coordination, and legislation across Caribbean Community member states.

Domestic cybercrime law was explicitly drafted to mirror the Budapest Convention's offences and procedural powers; however, Saint Vincent and the Grenadines has not formally acceded to the Convention and is not listed among its parties.