Cybersecurity regulation in Tunisia (2026)

Law No. 2018-5 of 23 January 2018 is the cornerstone cybersecurity statute establishing ANCS and mandating protection of public and private information systems and critical infrastructure. It built upon and superseded the earlier Law No. 5/2004 framework.

Decree-Law 2023-17 of 11 March 2023 (in force September 2023) broadened ANCS authority, introduced cloud-computing regulation for the first time in Tunisian law, and required operators of 'vital digital infrastructure' to use ANCS-certified software and maintain primary and backup hosting centres with certified cloud providers.

Organizations detecting a cybersecurity breach must notify ANCS within 72 hours. Companies processing personal data via telecommunications networks must separately inform ANCS of any cyberattack. Monetary sanctions apply for non-compliance.

Under Decree-Law 2023-17, companies involved in automated processing of personal data when providing services via telecommunications networks must conduct annual IT system audits following ANCS-approved standards and risk-analysis methodologies.

Decree-Law 2022-54 of 13 September 2022 introduced criminal sanctions for cybercrimes including unauthorized system access, data interception, and online dissemination of false information. As of January 2025, CPJ reported it has been used to imprison a record number of journalists, drawing human-rights criticism.

Tunisia operates under a National Cyberspace Strategy 2020-2025, with ANCS responsible for developing governance policies, monitoring implementation of action plans, and coordinating cybersecurity across all sectors including critical infrastructure such as energy, water, and health.