Cybersecurity regulation in Senegal (2026)

Law No. 2008-11 of 25 January 2008 on cybercrime criminalises unauthorised system access, data interference, and digital fraud, drawing directly from the Budapest Convention. It also compels telecommunications operators and ISPs to cooperate with investigators and to retain traffic data on judicial order.

Laws No. 2016-29 and 2016-30 of 8 November 2016 expanded the cybercrime framework by adding offences of fraudulent data copying, digital identity theft, and cyberterrorism, and aligned procedural rules for electronic evidence with the 2008 cybercrime statute.

Law No. 2008-12 on Personal Data Protection, enforced by the CDP, governs data security obligations. However, there is currently no mandatory cyber-incident or breach-notification requirement applicable to operators of vital importance (OIVs) under Senegalese law — a gap acknowledged by capacity reviews. A new data-protection bill has been under preparation since April 2024.

The DCSSI, reorganised in 2021 under the General Secretariat of the Presidency, is Senegal's central cybersecurity authority. Its national CERT, SNCSIRT, became operational in 2023-2024 and began issuing public alert bulletins. Incident reporting to SNCSIRT is encouraged but not yet legally mandated for critical-sector operators.

Senegal's Stratégie Nationale de Cybersécurité 2022, published in 2017, set five strategic axes: strengthening the legal and institutional framework, protecting critical information infrastructure (CII), promoting a security culture, building technical capacity, and engaging in regional/international cooperation.

Launched on 24 February 2025, President Faye's New Deal Technologique replaces the SN2025 strategy and allocates 1.097 trillion FCFA (~USD 1.7 billion) over 2025–2029 to digital transformation, explicitly prioritising digital sovereignty, critical infrastructure protection, and cybersecurity capacity-building, including plans to update Law 2008-11 and enact a new data-governance law.