Cybersecurity regulation in Trinidad and Tobago (2026)

The Computer Misuse Act (Chap. 11:17) is the main in-force statute criminalising unauthorised access and misuse of computer systems. Offences against 'critical information infrastructure' — defined to include finance, energy, public utilities, communications, transport, and public health — carry enhanced penalties of up to TT$2 million and 15 years imprisonment.

The Data Protection Act 2011 (Chap. 22:04) is only partially in force — Parts I and II establishing the Information Commissioner and broad privacy principles are proclaimed, but substantive obligations on data controllers, enforcement mechanisms, and formal breach-notification duties remain unproclaimed, leaving no statutory notification timeline currently enforceable.

The Telecommunications Authority of Trinidad and Tobago (TATT) published cybersecurity guidelines for public telecommunications and broadcasting networks following public consultations in October 2024 and May 2025, with the approved framework published January 2026. Concessionaires must promptly notify TATT of any incident materially threatening networks, services, or subscriber data, and submit periodic conformance reports.

A Cybercrime Bill introduced in 2015 and revised in 2017 remained unenacted as of 2026. The Bill was referred to a Joint Select Committee whose Final Report was published in 2019; the Attorney General signalled revised cybercrime legislation was expected in 2024, but no enactment has been confirmed. The Bill contemplates mandatory incident-reporting duties and whistleblower protections not present in current law.

A Trinidad and Tobago Cyber Security Agency (TTCSA) Bill was introduced in 2014 and again in 2015 to establish a statutory national cybersecurity coordination body, but has not been enacted. The National Cyber Security Strategy (2012) identifies creation of the TTCSA as a central governance objective.

TT-CSIRT, established November 2015 under the Ministry of Homeland Security with OAS and ITU support, is the operational national computer security incident response team. It provides threat intelligence, vulnerability assessments, and incident coordination for government and critical infrastructure operators, and participates in regional exercises such as Tradewinds 2026.