Cybersecurity regulation in Tonga (2026)

Act 14 of 2025, gazetted by the Tongan Attorney General's office, is the primary national cybersecurity statute, establishing a Cybersecurity Advisory Board, formalising CERT Tonga in statute, providing powers to designate and protect critical infrastructure, and introducing financial penalties for security negligence.

The foundational cybercrime law (Act 14 of 2003), based on the Commonwealth Model Law, defines computer-related offences and grants the Royal Tonga Police investigative and prosecutorial procedural powers for cybercrime matters.

CERT Tonga, launched 15 July 2016, is the national point of contact for cybersecurity incidents. It provides incident handling, vulnerability handling, digital evidence, and forensic services. Incidents are reported to [email protected] or via the hotline 2378 (CERT). The 2022 National Framework mandates mandatory incident reporting across all government ministries and departments.

Approved 4 January 2022, the framework adopts a whole-of-government approach covering G2G, G2B, and G2C interactions, mandates incident reporting and centralised analysis across government entities, and assigns shared cybersecurity responsibility to public institutions, private enterprises, and civil society.

Act 34 of 2025 (Privacy Act 2025) was enacted alongside the Cybersecurity Act 2025, introducing Tonga's first formal data-protection and personal-information breach-notification regime, addressing a legislative gap previously identified by observers.

Tonga became the 55th party to the Council of Europe's Budapest Convention on Cybercrime in May 2017, providing the basis for international cooperation on cybercrime investigation and electronic evidence, and aligning domestic legislation with the Convention's standards.