Cybersecurity regulation in Somalia (2026)

On 26 January 2026 the House of the People of the Federal Parliament approved a Cybersecurity Bill establishing a national framework to prevent, report and respond to cyber incidents and protect critical digital infrastructure. It remains at the parliamentary-passage stage; full enactment (Senate/presidential assent) is not yet confirmed.

The law designates the National Communications Authority as the highest government body for cybersecurity governance, while policy responsibility sits with the Ministry of Communications and Technology and legal obligations fall on critical-infrastructure operators.

The framework creates the Somalia Computer Incident Response Team (SOM-CIRT), which receives and analyses cyber-incident reports, issues alerts/advisories, coordinates national response, and cooperates with international CERTs.

Operators of essential services and digital service providers are obliged to notify designated government authorities of cybersecurity incidents under the new framework.

The Data Protection Act No. 005 of 2023 (effective 23 March 2023) requires data controllers to notify the Somali Data Protection Authority of a personal-data breach posing risks to data subjects within 72 hours, and to keep breach records.

The Council of Ministers (Cabinet) approved a draft Cybercrime Bill to address digital security and criminal offences; it remains pending and is distinct from the National Cybersecurity Law.