Cybersecurity ยท Vanuatu
Cybersecurity law & regulation in Vanuatu (2026)
Vanuatu shaded by its cybersecurity status
Cybersecurity in Vanuatu: sectoral rules, anchored by Vanuatu has no single NIS2-style comprehensive cybersecurity statute. Obligations are spread across the Cybercrime Act No. 22 of 2021 (criminal), the Data Protection and Privacy Act No. 13 of 2024 (security and breach-notification duties for personal data), and the National Cyber Security Strategy 2030, with CERT VU (under OGCIO) as the operational incident-response hub..
Vanuatu addresses cybersecurity through a set of instruments rather than one comprehensive law: a Budapest-Convention-aligned Cybercrime Act (2021) criminalises cyber offences, while the Data Protection and Privacy Act 2024 (in force January 2025) imposes security-safeguard and data-breach-notification obligations. A non-binding National Cyber Security Strategy 2030 sets critical-infrastructure resilience goals, and CERT Vanuatu provides incident response with currently voluntary reporting. There is no enacted NIS2-equivalent imposing mandatory cyber-incident reporting on critical-infrastructure operators.
Key points
The Cybercrime Act No. 22 of 2021 (in force 22 September 2021) is Vanuatu's flagship cyber law, criminalising offences against the confidentiality, integrity and availability of computer data and systems; it was drafted with Council of Europe GLACY+ support to align with the Budapest Convention.
The Data Protection and Privacy Act No. 13 of 2024 (effective 2 January 2025) requires reasonable and appropriate security measures, data protection impact assessments for high-risk processing, and data-breach notification, making breach reporting a legal duty for personal-data controllers.
Enforcement of data-protection/security obligations sits with a Commissioner of Data Protection and Privacy, established alongside the Digital Safety Authority framework introduced in 2024.
The NCSS 2030 is a non-binding policy aimed at improving the security and resilience of Vanuatu's national critical infrastructure through six national priorities; it sets objectives rather than enforceable obligations.
CERT VU, a unit within the Office of the Government Chief Information Officer, is the central cyber incident-response hub; reporting is via a voluntary online form/email rather than a statutory mandatory-reporting obligation.
Banks and authorised financial institutions licensed under the Financial Institutions Act are supervised by the Reserve Bank of Vanuatu, which can issue prudential guidelines affecting handling and security of customer information.
Vanuatu - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ