Data protection and cybersecurity laws in Algeria

The law N° 18-07 dated on 10 June 2018  related to the protection of individuals with regard to the processing of personal data, as amended and supplemented by law No. 25-11 (hereafter referred to as the "Law 18-07 ") has set out the conditions of the collection, recording, organisation, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, as well as locking, encryption, erasure or destruction of any information, whatever its support, concerning an identified or identifiable person, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, biometric, psychic, economic, cultural or social identity.

Although the Law 18-07 was published in 2018, its entry into force was contingent upon the establishment of the authority responsible for overseeing personal data protection, namely the National Authority for the Protection of Personal Data (ANPDP). The President and members of the Authority were appointed on 18 May 2022, and the authority was officially installed on 11 August 2022.

Subsequently, Presidential Decree No. 23-73 defined the missions and operational procedures of the Authority’s Executive Secretariat, while Presidential Decree No. 23-147, dated 5 April 2023, established the status of the authority’s personnel. According to Article 75 of the Law, it became enforceable within a maximum period of one year from the date of installation of the Authority, i.e., 14 February 2023. Consequently, the Law has been applicable since August 2023.

Law No. 25-11 of 24 July 2025, amending and supplementing Law 18-07 (hereinafter referred to as “Law 25-11”). introduces new definitions and obligations, including Data Protection Officer (DPO) requirements, records of processing, logging, data protection impact assessments, prior consultation for high-risk processing, and breach notification rules.

The National Authority for the Protection of Personal Data (hereafter the "Authority") is an independent and autonomous authority composed by magistrates, representatives of parliament, senate, human right council, representatives of relevant ministries, and other individuals designated by the President based on their legal and/or technical expertise in the field of personal data processing.

The Authority may also call upon any competent person to assist in its work. The President and members are appointed by presidential decree for a renewable five-year term, in accordance with Article 23 of Law 18-07.

The Authority, under Law 18-07, ensures that personal data processing complies with the law and respects individual rights, public freedoms, and privacy. Its main functions include:

• Receiving declarations and granting authorisations for data processing;
• Informing and advising data subjects and controllers on their rights and obligations;
• Handling complaints and authorising cross-border transfers;
• Ordering modifications, closures, withdrawal, or destruction of non-compliant data;
• Proposing improvements to the legal framework and issuing standards and rules of conduct;
• Publishing authorisations and opinions in the national register;
• Cooperating with foreign data protection authorities;
• Imposing administrative sanctions under the law.

Through these powers, the Authority supervises, guides, and enforces data protection effectively across Algeria.

The Authority is referred to as the ANPDP under Law No. 18-07, and oversees registration/authorisation, supervision, and enforcement, including breach notification and prior consultation for high-risk processing.

There are several types of sanctions for each kind of infringement to the rules related to protection of personal data. 

Administrative sanctions:

In case of non-respect of the rules related to data protection, the abovementioned authority can decide the following administrative sanctions:

• a warning;
• a formal notice;
• provisional withdrawal for a period that may not exceed one year, or the definitive withdrawal of the declaration receipt or authorisation;
• a fine

Other sanctions are provided for under Law No. 18‑07

• other

Criminal sanctions:

There are various criminal offences under the Law 18-07 among others:

• Violation of the obligation to obtain the explicit consent of the data subject as required by Law 18‑07;
• Failure to comply with the data processing declaration regime under Law 18‑07;
• Transfer of personal data without authorization;
• Collection of personal data by fraudulent, unfair, or unlawful means;
• Obstruction of the action of the National Authority by:

1. Opposing on‑site inspections;
2. Refusing to provide its members or designated agents with information and documents necessary for the mission entrusted to them by the National Authority, or by concealing or destroying such documents or information;
3. Providing information that does not accurately reflect the content of the records at the relevant time.

Criminal sanctions, depending on the nature of the offence, with imprisonment ranging from two months to five years, are provided for under Law No. 18‑07. Persons who violate the provisions of Law No. 18‑07 may incur additional penalties provided for in the Criminal Code

In the event of a repeat offense, the criminal sanctions provided for by Law 18‑07 shall be doubled.

Others:

The above-mentioned Authority has the following enforcement powers:

• To issue information notices and publish them.
• To confiscate the object of the offense for reassignment or destruction in compliance with applicable legislation. The costs of reassignment or destruction are borne by the convicted party.
• To order the erasure of all or part of the personal data involved in the processing that led to the offense.
• To verify data erasure: Members and staff of the National Authority are authorized to ascertain that the erasure of such data has been carried out.

A data subject may (in addition to making a complaint to the Authority) also make a claim to the courts for compensation for material or non-material damage. 

There are two kinds of regimes:

Under Algerian Law 18‑07, any processing of personal data requires a prior declaration to the National Authority for the Protection of Personal Data (ANPDP). If, upon examining the declaration, the Authority determines that the proposed processing poses clear risks to the privacy and fundamental rights and freedoms of individuals, it shall require that the processing be subject to the prior authorization regime. A prior authorization is required only for processing presenting significant risks (e.g., sensitive data, international transfers, or the interconnection of files managed by one or more legal entities providing a public service and serving different public interests, which must be authorized by the National Authority).

The key distinction is that a declaration represents the standard procedure, simply informing the Authority, whereas authorization is an exception, providing specific validation for high-risk processing and subjecting it to stricter oversight by the ANPDP before commencement.

Processing of personal data for public interest purposes related to research, study, or evaluation in the field of health is authorized by the National Authority, in compliance with the principles set forth in this Law and based on the public interest served by the research, study, or evaluation.

Under Law 25-11, prior consultation with the Authority is required before any processing forming part of a new envisaged filing system where a DPIA indicates a high risk that has not been mitigated by the data controller, or where the processing presents a high risk due to the mechanisms or technologies used. The Authority, as the competent national authority, may also issue a list of processing operations subject to its consultation.

Any personal data processing is subject to a prior declaration to the national Authority or its authorisation. The controller must implement the appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised dissemination or access, in particular when the processing involves data transmission in a network, as well as against any other form of unlawful processing. The controller as well as the persons who, in the performance of their duties, have knowledge of personal data, are required to respect professional secrecy even after having ceased to exercise their functions , in accordance with Article 40 of Law 18-07.

Any person acting under the authority of the controller or that of the subcontractor who has access to personal data may only process them on the instruction of the controller, except in the case of execution of a legal obligation. When the controller is not established on Algerian territory, but uses automated or non-automated means located in Algeria for the purpose of processing personal data (excluding processing solely for the purpose of transit within the national territory), the controller must notify the Authority of the identity of his or her representative established in Algeria. This representative, without prejudice to his or her personal responsibility, replaces the controller in all rights and obligations resulting from the provisions of this law and its implementing regulation. The interconnection of files containing personal data is subject to prior authorisation by the Authority where it involves files managed by one or more legal persons responsible for a public service and pursuing different public interests, or files relating to natural persons whose principal purposes are different. Such interconnection must pursue lawful and legitimate objectives for the data controllers and must not result in discrimination or in any reduction of the rights, freedoms or guarantees of the data subjects. The processing of personal data with a purpose of public interest research, study or evaluation in the field of health is authorised by the Authority, in compliance with principles defined by this law and according to the public interest that the research, study or evaluation presents. There is no age limit regarding the data subject. The processing of personal data relating to a child may only be carried out after obtaining the consent of the child’s legal representative or, where applicable, the authorisation of the competent judge. The judge may authorise such processing even in the absence of the legal representative’s consent where the best interests of the child so require, and may withdraw such authorisation at any time. Processing of personal data classified as sensitive data, revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or which relates to his health including his genetic data is forbidden except when:

• the processing is necessary for the safeguard of vital interests of the data subject or of another person and if the data subject is physically or legally unable to give consent; 
• the processing is carried out, with the consent of the data subject, by a foundation, association or non-profit organisation of a political, philosophical, religious or trade union nature, within the framework of its legitimate activities, provided that the processing concerns only the members of this body or the persons who maintain regular contact with it related to its purpose that the data are not communicated to third parties without the consent of the persons concerned. 
• the processing relates to data clearly made public by the data subject, as long as his or her consent to the processing of the data can be inferred from his or her statements; 
• the processing is necessary for the recognition, exercise or defence of legal claims and is carried out exclusively for this purpose; 
• the processing of genetic data, excluding those carried out by doctors or biologists and which are necessary for the practice of preventive medicine, medical diagnostics and the administration of care or treatment. 
• Personal data relating to offences, penalties and security measures can only be processed by the judicial authority, legally empowered public services, court officials, justice auxiliaries, and prison administration services, within the scope of their legal powers. The processing must define the controller, purpose, data subjects, recipients, data origin, and security measures. Prior consent of the data subject is not required, and the data may only be used for the purposes specified above.

Law 25-11 creates a new Title V bis governing the processing of personal data for the prevention and detection of offences, investigations, criminal inquiries, prosecutions, enforcement, and application of penalties. Such processing may be carried out only by judicial authorities, authorized investigative bodies, judicial auxiliaries within their legal scope, and prison administration services. Prior consent of the data subject is not required, and processing must comply with legal requirements regarding purpose, data security, and scope.

Law No. 25-11 further imposes:

• an obligation to maintain a register of processing activities (Article 41 bis 2); 
• an obligation to maintain an automated logbook of personal data processing operations (Article 41 bis 3); and
• an obligation to conduct a data protection impact assessment (Article 45 bis 6) for processing likely to result in a high risk to the rights and freedoms of natural persons.

Unless already aware of this information, the data subject must be expressly and unequivocally informed in advance by the person responsible for the data processing or his or her representative of the following elements :

• the identity of the controller and, where applicable, his or her representative; 
• the purposes of the processing; 
• any additional useful information in particular the recipient, the obligation to respond and its consequences, as well as their rights and the transfer of data abroad.

The data subject has an access right to his or her data and is entitled to obtain:

• confirmation of whether his or her personal data is processed or not, the purposes of the processing, the categories of data to which it relates and the recipients;
• communication, in an intelligible form, of his or her data which is the subject of processing, as well as any available information on the origin of the data. 

The data controller may request from the Authority an extension of the response time for legitimate access requests and may object to requests that are manifestly abusive, in particular due to their number or repetitive nature. The burden of proof for demonstrating that a request is manifestly abusive rests with the data controller.

The data subject has the right of rectification and to obtain:

• updating, rectification, erasure or blocking of personal data whose processing does not comply with this law, in particular because of the incomplete or inaccurate nature of such data or whose processing is prohibited by the law. The controller is required to make the necessary corrections at no cost to the requester, within ten days of referral. In the event of refusal or failure to respond within the aforementioned period, the data subject may submit a request for rectification to the Authority, which shall instruct one of its members to carry out all necessary investigations and make the necessary rectifications as soon as possible. The person concerned shall be kept informed of the action taken on their request;
• notification to third parties to whom the personal data has been communicated of any updating, rectification, erasure or blocking of personal data carried out in accordance with point above, if it is not impossible.  

The heirs of the person concerned may exercise the right provided for above.

The data subject has the objection right, for legitimate reasons, to the processing of his personal data. He or she has the right to object to use his or her data for prospecting purposes, in particular commercial purposes. Under Title V bis introduced by Law No. 25-11, certain rights may be restricted where processing is carried out by judicial authorities for law enforcement purposes, by the current controller or any subsequent controller.

These rights do not apply when the processing is required to comply with a legal obligation or when an express provision of the act authorizing the processing excludes their application - Under Title V bis introduced by Law 25-11, certain rights may be restricted where processing is carried out by judicial authorities for law enforcement purposes.

Any third-party subcontractor must provide sufficient guarantees on the technical security and organisational measures relating to the processing to be carried out and must ensure compliance with these measures. Any subcontracting must be governed by a contract or a legal act (in writing or under another equivalent form) that binds the subcontractor to the controller and which provides in particular that the subcontractor acts only under the sole instruction of the controller and in compliance with the obligations provided for in the law (mainly those related to confidentiality and security of the data). Processors must promptly notify the controller of personal data breaches as soon as they become aware, pursuant to Article 45 bis 8 of Law No. 25-11.

The controller may transfer personal data to a foreign state with the authorisation of the Authority, only if that state ensures a sufficient level of protection of privacy and of the fundamental rights and freedoms of individuals with regard to the processing of such data.It is prohibited, in any case, to communicate or transfer personal data to a foreign country, when such transfer is likely to endanger public security or the vital interests of the State. 

It is possible to transfer data abroad when expressly authorised  by the data subject, or deemed necessary:

• to safeguard the life of that person;
• to preserve the public interest;
• to comply with obligations to ensure the establishment, exercise or defence of legal claims; contractual measures at the request of the data subject;
• to perform a contract between the controller and the data subject;
• to conclude or perform a contract concluded or to be concluded, in the interest of the data subject, between the controller and a third party;
• to execute an international legal assistance measure;
• to prevent, diagnose or treat medical conditions.
• if the transfer is carried out pursuant to a bilateral or multilateral agreement to which Algeria is a party;
• with the authorisation of the Authority, if the processing complies with the provisions of the Law 18-07.

Law No. 25-11 introduces Articles 45 bis 13 and 45 bis 14, which require an adequacy-type assessment by the Authority prior to transfers to a foreign State or international organisation, and restrict onward transfers without the sender’s prior consent, subject to narrow exceptions (including protection of fundamental State interests or averting a serious and imminent threat to public security of the State concerned or that of another State).

Any natural or legal person, public or private or any other entity which, alone or jointly with others, determines the purposes and means of data processing is the designated data controller. Data controller is responsible to the data subject regarding all the commitments related to the rights of the latter. He or she is also liable towards the Authority regarding general commitments before and during processing of data. Law No. 25-11 introduces an obligation to designate a Data Protection Officer chosen on the basis of professional qualifications, particularly specialised knowledge of law and practices relating to data protection, with missions defined in Article 41 bis 1. Controllers must also maintain a register of processing (Article 41 bis 2) and an automated logbook of processing operations (Article 41 bis 3).

The data controller must guarantee that any person working for him or her or on his or her behalf, any subcontractor, any representative and any participant in the data processing will respect the general commitments of confidentiality and security of the data, in accordance with the rights of the data subject. These measures must be appropriate to the risks involved and the sensitivity of the data, and must comply with applicable obligations under Law 18-07 and Law 25-11, including logging and Data Protection Impact Assessments (DPIA). Article 38 of Law 18-07 requires appropriate technical and organisational measures commensurate with risks and data sensitivity; Law 25-11 complements this with logging and DPIA obligations.

The law has not defined the conditions for introducing a claim, appeal or complaint relating to the implementation of the processing of personal data. [Article 45 bis 8 of Law 25-11 introduces mandatory obligation for the data controller to notify the Authority no later than five (5) days after becoming aware of a personal data breach; where the notification is made after this deadline, the reasons for the delay must be provided. Processors (subcontractors) must inform the data controller of any personal data breach as soon as they become aware of it.

If the data controller or the processor is unable to provide all the required information at the same time, such information may be provided progressively.

Direct prospecting is forbidden except by email under certain conditions. No specific changes are introduced in Law No. 25-11 regarding direct marketing beyond the general consent-based framework under Law No. 18-07.

There is no provision related to cookies and adtech in the Law. No express cookie/adtech regime has been introduced in Law No. 25-11.

Moderate. This assessment may vary depending on the scope of processing, cross-border transfers, and sector-specific constraints.

ANPDP – السلطة الوطنية لحماية المعطيات ذات الطابع الشخصي

Page d'Accueil - arpce.dz

As regard to the security, please note that there is no particular law related to cybersecurity in Algeria. However, there are general provisions of the regulation in force applicable to different areas, which provide for the concept of the electronic privacy and data protection as well as information security and secrecy, etc. The operational framework for cybersecurity within public institutions is established by Presidential Decree No. 26-07 of 7 January 2026, which creates dedicated cybersecurity units and defines their missions, organization, and responsibilities. These provisions have a preventive and repressive character in order to fight any criminal acts (e.g. corruption, terrorism, attacks on state security, money laundering and terrorism financing, smuggling, fraudulent use of data, technology and communication offences, discrimination and hate speech, etc). As an indication, these are some of the provisions:

• The Criminal Code in its Articles 394bis and following protects the right of protection of the integrity of automated data processing systems; 
• The Law n° 09-04 of 5 August 2009 on the Prevention and Combating of Offenses Related to Information and Communication Technologies (hereafter referred to as “Law 09-04”);  
• The Law No. 18-04 of 10 May 2018 establishing the general rules relating to the post and electronic communications (hereafter referred to as “Law 18-04”);
• The Decrees related to licences to operate public telecommunication networks;
• Decision N° 48/SP/PC/ARPT/17 dated 29 November 2017 approving the specifications defining the conditions and modalities for the establishment and operation of hosting and storage services for computerised content for user benefit in the context of cloud computing services (hereafter "Decision N° 48/SP/PC/ARPT/17");
• The Executive Decree n° 02-156 of 9 May 2002 setting the conditions for interconnection of networks and telecommunications services ,  as amended by Executive Decree  No. 16-107 of March 21, 2016  (hereafter referred to as “Executive Decree 02-156”). Presidential Decree No. 20-05 of 20 January 2020 establishing a national information systems security framework, as amended and supplemented by Presidential Decree No. 25‑298 of 10 November 2025 Decree No. 20-05 (hereafter referred to as “Presidential Decree No. 20-05”). It establishes a national system for the security of information systems and creates the National Council for the Security of Information Systems (CNSSI) and the National Agency for the Security of Information Systems (ANSSI). References to any separate “National Cybersecurity Law” are deleted.
• Presidential Decree No. 26-07 of 7 January 2026 – establishing dedicated cybersecurity units within public institutions and defining their missions, organization, and responsibilities.
• Presidential Decree No. 25-320 of 30 December 2025 – establishing a national data governance framework, defining data classification, cataloguing, and secure interoperability between public administrations, in line with cybersecurity and personal data protection.
• Presidential Decree No. 25-321 of 30 December 2025 – approving the national information systems security strategy for 2025–2029, reinforcing the protection of State digital infrastructures and administrations, in continuity with the existing national cybersecurity framework. 

We have updated the document to reflect recent legislative developments in the field of cybersecurity in Algeria. These include amendments and new decrees affecting the existing framework, notably the modification of Presidential Decree No. 20-05 through Presidential Decree No. 25-298 of 10 November 2025, as well as the adoption of Presidential Decree No. 26-07 of 7 January 2026, establishing dedicated cybersecurity units within public institutions and defining their missions, organization, and responsibilities. The national system under Presidential Decree No. 20-05 continues to be implemented through CNSSI (strategic coordination) and ANSSI (technical and operational execution). No legislative change beyond the existing framework in Law No. 09-04 and Law No. 18-04 is reflected in the table. The national system under Presidential Decree No. 20-05, as amended and supplemented by Presidential Decree No. 25-298 of 10 November 2025, continues to be implemented through CNSSI (strategic coordination) and ANSSI (technical and operational execution). No legislative change beyond the existing framework in Law No. 09-04 and Law No. 18-04 is reflected in the table.

• Criminal law provides for the prohibition of any fraudulent access to any system, or the collection, processing, storage, transfer of personal data for criminal reasons and considers as an offender:
  • anyone who fraudulently introduces data into an automated processing system or fraudulently deletes or modifies the data it contains;
  • anyone who willfully and fraudulently: designs, researches, collects, makes available, disseminates or markets data that is stored, processed or transmitted by a computer system;
  • anyone who holds, reveals, discloses, or makes any use whatsoever of the data obtained by the above mentioned means. Criminal Code Articles 394 bis to 394 nonies (as introduced by Law No. 04-15) set out imprisonment and fines for fraudulent access, interference, and related conduct.
• The Law n° 09-04 establishes specific measures for the prevention and prosecution of offences relating to information and communication technologies. It requires service providers to cooperate with the authorities in charge of judicial investigations, in accordance with the conditions set forth by law.
• The above-mentioned surveillance operations may only be carried out with the written authorisation of the competent judicial authority.It may, in some circumstances, be issued to judicial police officers by the General Attorney at the Court of Algiers, for a period of six months renewable, on the basis of a report indicating the nature of the technical process used and its objectives.In the latter case, the technical devices put in place must focus, exclusively, on the collection and the recording of data relating to the prevention and combating of terrorist acts and attacks on the security of the State.
• The Law 18-04 consecrates the principle of protection of the privacy and personal data of subscribers and users of internet networks, defines among other provisions the “cybersecurity” and measures to implement in this regard, and also provides for the obligations of electronic communications operators.
• The Law 18-04 defines cybersecurity as the set of tools, policies, security concepts, security mechanisms, guidelines, risk management methods, actions, training, good practices, guarantees and technologies that can be used to protect electronic communications against any event that could compromise availability, integrity or confidentiality of data stored, processed or transmitted.The authority in charge of the regulation of electronic communications scrutinises and verifies that electronic communications operators respect their commitments to cybersecurity. It is worth mentioning that there are no more details regarding cybersecurity conditions nor sanction in case of infringement. Specific cybersecurity offences and penalties concerning confidentiality and integrity of electronic communications are provided under Law No. 18-04.
• The Decrees related to licences to operate public telecommunication networks provide for some provisions applicable to the contractor holding thd telecom licence on the confidentiality of information and protection of users and personal information, as well as provisions required for national defence and cooperation with governmental authorities, including the applicable sanctions.
• Decision N° 48/SP/PC/ARPT/17, provides for some rules in connection with data protection and security such as the commitment to:
  • establish infrastructure on the national territory and ensure that this uses equipment integrating the most recent and proven technologies;
  • guarantee that customer data is hosted and stored on national territory;
  • ensure the integrity and confidentiality of customer data except in the cases provided for by the texts in force;
  • guarantee a backup solution for hosted or stored data;
  • establish a customer identification file;
  • do not disclose or use customer data;
  • implement the necessary logical and physical mechanisms to ensure the security of data, applications, and the associated infrastructure, particularly in the context of Cloud Computing, with regard to:
    • The integrity and confidentiality of data, notably through the implementation of information security mechanisms to protect against various threats and intrusions;
    • The physical and environmental security of the premises housing the infrastructure, particularly against fires and water damage.  
    • The Decree n° 02-156 states the obligation for operators and service providers to take all necessary measures to ensure compliance, including: network security; maintenance of network integrity; service interoperability; data protection, including personal, protection of privacy and confidentiality of information processed, transmitted and stored.

Regulatory Authority for Post and Electronic Communications: https://www.arpce.dz/fr

Cybersecurity governance also includes the National Council for the Security of Information Systems (CNSSI) and the National Agency for the Security of Information Systems (ANSSI), as established under Presidential Decree No. 20-05.

• CNSSI (the Council) is responsible for developing and adopting the national strategy for information systems security and ensuring its strategic guidance following approval by presidential decree.
• ANSSI (the Agency) is tasked with coordinating the implementation of the national information systems security strategy.

In carrying out its missions, the Council relies, in addition to the Agency, on the structures of the Ministry of National Defense competent in the field of cybersecurity.

There is no defined process or steps to follow in case of a data breach. Under the current framework (Law No. 18-04; Presidential Decree No. 20-05; and ARPCE’s oversight), operators in the electronic communications sector must ensure confidentiality, integrity, and availability, and cooperate with competent authorities. The table does not introduce a cross-sector statutory cybersecurity breach notification timeline outside the personal data breach regime under Law No. 25-11.

In case of any infringement the Regulatory Authority for Post and Electronic Communications may decide administrative sanctions. Criminal sanctions fall within the competence of the judge.

Administrative sanctions: 

• Issuance of a formal notice (mise en demeure) requiring compliance.
• Suspension of the authorization, either partially or fully.
• Reduction of the validity period of the authorization.
• Definitive withdrawal of the autorisation in case of persistent non-compliance.

Criminal sanctions: 

Sanctions may vary between, depending on the nature and seriousness of the offence, , range from two (2) months and ten (10) years’ imprisonment, and a fine of DZD 5,000 to DZD 10,000,000 (EUR 33  to EUR 65 800). The legal person who has committed the offence is punished by a fine equivalent to five times the maximum of the fine provided for the natural person. [Law 18-04 also provides sanctions for violations concerning confidentiality and integrity of electronic communications (e.g., imprisonment and fines for breach of secrecy of correspondence and material acts compromising electronic communications services).

Yes. Algeria has a national Computer Emergency Response Team, DZ-CERT (Algerian Computer Emergency Response Team), hosted by the Research Center on Scientific and Technical Information (CERIST). DZ-CERT serves as the national operational center for cybersecurity incident response, including the collection, analysis, and dissemination of information on cyber threats, vulnerabilities, and incidents, and coordination with international CERTs.

In addition to DZ-CERT, several public authorities are involved in cybersecurity governance and oversight in Algeria, including the National Authority for the Protection of Personal Data, the Regulatory Authority for Post and Telecommunications, the National Institute of Industrial Property, the National Body for the Prevention and Fight Against Offenses Related to Information and Communication Technologies, the Agency for Information Systems Security under the Ministry of National Defense, the Central Department for Combating Cybercrime, the General Agency for Electronic Communications, and the National Commission for the Security of Information Systems

There is no such structure. Presidential Decree No. 20-05 establishes a national system for information systems security under CNSSI (coordination/strategy) and ANSSI (technical/operational), which collectively form the national governance structure.

In addition to Presidential Decree No. 20-05, which establishes the National Information Systems Security Council (CNSSI) and the National Agency for the Security of Information Systems (ANSSI), the following decrees further reinforce Algeria’s national cybersecurity framework:

1. Presidential Decree No. 25-320 of 30 December 2025 establishes a national data governance framework, including classification, cataloguing, and secure interoperability between public administrations, with specific links to cybersecurity and personal data protection.
2. Presidential Decree No. 25-321 of 30 December 2025 approves the National Cybersecurity Strategy for 2025–2029, aimed at strengthening the protection of public administrations and state digital infrastructures, complementing the existing national information security framework.
3. Presidential Decree No. 26-07 of 7 January 2026 establishes the operational framework for cybersecurity within public institutions, creating dedicated cybersecurity units and defining their missions, organization, and responsibilities.

Together, these initiatives provide a comprehensive legal and operational framework for cybersecurity governance and implementation in Algeria.

• ANPDP – السلطة الوطنية لحماية المعطيات ذات الطابع الشخصي
• Page d'Accueil - arpce.dz