Cybersecurity · Vanuatu

Cybersecurity regulation in Vanuatu (2026)

Sectoral rulesVanuatu has no single NIS2-style comprehensive cybersecurity statute. Obligations are spread across the Cybercrime Act No. 22 of 2021 (criminal), the Data Protection and Privacy Act No. 13 of 2024 (security and breach-notification duties for personal data), and the National Cyber Security Strategy 2030, with CERT VU (under OGCIO) as the operational incident-response hub.Country index 80 · B+

Vanuatu shaded by its cybersecurity status

Vanuatu addresses cybersecurity through a set of instruments rather than one comprehensive law: a Budapest-Convention-aligned Cybercrime Act (2021) criminalises cyber offences, while the Data Protection and Privacy Act 2024 (in force January 2025) imposes security-safeguard and data-breach-notification obligations. A non-binding National Cyber Security Strategy 2030 sets critical-infrastructure resilience goals, and CERT Vanuatu provides incident response with currently voluntary reporting. There is no enacted NIS2-equivalent imposing mandatory cyber-incident reporting on critical-infrastructure operators.

Key points

Cybercrime Act 2021

The Cybercrime Act No. 22 of 2021 (in force 22 September 2021) is Vanuatu's flagship cyber law, criminalising offences against the confidentiality, integrity and availability of computer data and systems; it was drafted with Council of Europe GLACY+ support to align with the Budapest Convention.

source 1 ↗source 2 ↗

Data protection security & breach notification

The Data Protection and Privacy Act No. 13 of 2024 (effective 2 January 2025) requires reasonable and appropriate security measures, data protection impact assessments for high-risk processing, and data-breach notification — making breach reporting a legal duty for personal-data controllers.

source 1 ↗source 2 ↗

Oversight authority

Enforcement of data-protection/security obligations sits with a Commissioner of Data Protection and Privacy, established alongside the Digital Safety Authority framework introduced in 2024.

source 1 ↗source 2 ↗

National Cyber Security Strategy 2030

The NCSS 2030 is a non-binding policy aimed at improving the security and resilience of Vanuatu's national critical infrastructure through six national priorities; it sets objectives rather than enforceable obligations.

source 1 ↗source 2 ↗

CERT Vanuatu incident reporting

CERT VU, a unit within the Office of the Government Chief Information Officer, is the central cyber incident-response hub; reporting is via a voluntary online form/email rather than a statutory mandatory-reporting obligation.

source 1 ↗source 2 ↗

Financial-sector supervision

Banks and authorised financial institutions licensed under the Financial Institutions Act are supervised by the Reserve Bank of Vanuatu, which can issue prudential guidelines affecting handling and security of customer information.

source 1 ↗

Vanuatu - other topics

Crypto & Digital Assets Artificial Intelligence Data & Privacy Digital Payments & Fintech Digital Nomad & Residency Internet & Online Safety Starting a Business

Read in:Spanish French German Portuguese Hindi

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →