Cybersecurity regulation in Sudan (2026)

The Law on Combating Cybercrimes 2018 criminalizes illegal access, illegal interception and data interference, and was amended in July 2020 to increase prison terms—including raising the Article 23 'spreading fake news' offence to up to four years. It is enforcement/conduct-focused rather than an obligations framework for operators.

Cybersecurity functions sit with the Telecommunication and Post Regulatory Authority (TPRA, formerly the National Telecommunication Corporation), the officially recognized body for national cybersecurity policy, applied mainly through the telecom sector.

Sudan CERT, established in 2010 under the regulator, is the national first responder for information-security incidents, providing incident handling, digital forensics, advisories and awareness—operational capacity rather than a legal reporting mandate.

There is no identified general statutory breach-notification or mandatory incident-reporting obligation; reporting to Sudan CERT is largely voluntary/advisory, and the cybercrime law does not impose economy-wide reporting duties on data controllers or operators.

Sudan has no comprehensive data-protection statute; privacy/security matters are addressed only through scattered sectoral instruments such as the Electronic Transactions Act 2007 and the cybercrime legislation.

Sudan is tracked in the Council of Europe Octopus cybercrime community and the ITU cyberwellness profile, which note partial alignment with substantive cybercrime provisions but a still-developing institutional and strategic framework.