Cybersecurity regulation in Samoa (2026)

The Crimes Act 2013 is Samoa's primary instrument criminalising cyber-offences, including unauthorised access to computer systems and harassment via electronic communication (s.219, max. 5 years). It is not a dedicated cybersecurity law and does not impose positive security or breach-notification obligations on the private sector.

Issued by MCIT in 2024, the policy sets minimum information-security requirements—aligned with ISO/IEC 27001—for all Government of Samoa ministries and agencies. It establishes seven binding operational standards covering incident response, patch management, network configuration, and information classification.

One of the seven standards under the 2024 Information Security Policy, published by MCIT in November 2024. It mandates that government staff and contractors report cyber incidents; it applies to public agencies only and does not create private-sector breach-notification duties.

The Samoa Computer Emergency Response Team (SamCERT) operates under MCIT's Digital Transformation and Innovation Division and serves as the national focal point for cyber-incident coordination. It does not yet have a statutory basis requiring mandatory reporting from the private sector.

Samoa's 2016–2021 strategy has expired. MCIT, in collaboration with the World Bank and ITU, conducted consultation workshops for a new 2025–2030 strategy; a stakeholder-validation workshop was planned for June 2025. The strategy remains a policy document and has not yet been enacted as binding legislation.

Samoa has not ratified the Budapest Convention on Cybercrime. Australia's Attorney-General's Department and the EU (Council of Europe GLACY+ programme) are supporting review and reform of Samoa's cybercrime legislation to align it with the Convention's provisions, but accession had not been completed as of mid-2025.