Cybersecurity regulation in Tuvalu (2026)

Tuvalu has no enacted cybercrime or dedicated cybersecurity statute. The Council of Europe's Octopus Community records that a Cybercrime Bill has been drafted but approval remains pending, and Tuvalu is not a party to the Budapest Convention on Cybercrime.

A national Cybercrime Bill has been prepared as part of the government's response to transnational crime and digital threats, but as of 2025–2026 it has not been enacted. Its passage would be the country's first substantive cybercrime instrument.

The government's National ICT Policy (published 2024) identifies cybersecurity as one of seven strategic focuses, with explicit commitments to enact cyber laws, form a Cyber Incident Response capability, and run awareness programmes. This is a policy document, not legislation.

The Data Protection and Privacy Act 2020 is the closest instrument to a cybersecurity-adjacent law, establishing a framework for personal data handling and a Tuvalu Data Protection Authority. It does not impose breach-notification or cyber-incident reporting obligations comparable to GDPR or NIS2.

Section 33 of the Tuvalu Telecommunications Corporation Act criminalises interference with messages, interception, and disclosure of intercepted communications, providing the only in-force statutory cyber-offence provisions. These are incidental telecom offences, not a cybersecurity regime.

Tuvalu has no formal Cyber Incident Response Team (CIRT) and no statutory breach-notification or incident-reporting obligations. The government receives technical assistance from the Australian Cyber Security Centre (ACSC) and participates in the Pacific Cyber Security Operators Network (PaCSON) as its primary incident-response support.