Cybersecurity regulation in Sao Tome and Principe (2026)

Law No. 15/2017 of 6 October 2017 criminalises illegal access, illegal interception, system/data interference, computer forgery, and cyber fraud, and establishes procedural powers (data preservation, seizure, interception). It was drafted in alignment with the Council of Europe Budapest Convention framework.

Law No. 03/2016 mirrors the European Data Protection Directive and established the National Data Protection Agency (ANPDP). It includes basic obligations on data controllers but does not contain an explicit mandatory security-breach notification timeline equivalent to GDPR Article 33.

Launched in December 2023, the strategy identifies five pillars: governance, legal framework modernisation, technical capacity, awareness/education, and international cooperation. It is a policy document, not enacted legislation, and calls for future laws rather than itself imposing binding obligations.

The 2024–2028 Strategy mandates creation of a National Cybersecurity Incident Response Centre (CERT-STP) and a cybersecurity incident-reporting system. As of early 2026 these structures are in establishment phase; no binding statutory incident-notification obligation has yet been reported as in force.

In the ITU Global Cybersecurity Index (GCI v5, 2024) São Tomé and Príncipe scored 0.0588, placing it among the lower-capacity states in Africa (ranked 29th regionally). ITU assessed it primarily through secondary/desk research, reflecting limited publicly documented cybersecurity infrastructure.

There is no enacted law imposing sector-neutral cybersecurity obligations (security baselines, mandatory incident notification to authorities, supply-chain risk management) comparable to the EU NIS2 Directive. The Cyber Policy Portal and Council of Europe Octopus community confirm the framework remains piecemeal and primarily criminal-law focused as of late 2025.