The Legal Regime for Cybersecurity in Cabo Verde was recently approved, with the entities subject to this new framework being obligated to, by July, adopt the necessary legal, organisation, technical and logistical measures, in order to adjust to, and ensure compliance with, the new legal obligations on cybersecurity.*  

The approval of this diploma reflects governmental investment and focus on cybersecurity issues, at a time when an increasingly digital society faces exponential growth in information security risks.  

The new legal regime is applicable to several stakeholders, including: (i) Public Administration; (ii) critical infrastructure operators; (iii) operators active in sectors such as energy, transportation, banking, financial market infrastructure, health services, water supply and distribution, and digital and telecommunication infrastructures; (iv) digital service providers (providers of online market services, search engines, cloud computing or others operating in the digital economy sector), among others.  

The entities to which the Legal Regime for Cybersecurity applies must comply with a number of obligations, such as:

Security measures: i.e. the adoption of appropriate and proportionate measures to manage the security risks that threaten the used networks and information systems.

Notification of incidents: i.e. notification, to the National Cybersecurity Agency (“Centro Nacional de Cibersegurança”), of all security incidents with a relevant impact.

Internal audits: i.e. carrying out annual internal audits, following a report that must be submitted to the National Cybersecurity Agency.  

In the event of non-compliance, fines may apply, ranging from 20.000$00 to 300.000$00 for natural persons, and from 80.000$00 to 1.000.000$00 for legal persons, depending on the breach and its seriousness.  

In addition to the Legal Regime for Cybersecurity, the Council of Ministers approved the law creating and regulating the Informatic Security Incident Response Team (CSIRT.CV) - an entity that will ensure confidentiality and availability of data and communications, by detecting, eliminating and preventing computer incidents.**

 

* Decree-Law no. 9/2021 of 29 January 2021  - which approves the Cabo Verde Legal Regime for Cybersecurity

**Decree no. 1/2021 of 29 January – which creates the Informatic Security Incident Response Team (CSIRT.CV)