What is AI regulation in Cape Verde?
AI regulation: countries and regions
Cape Verde does not appear to have a dedicated AI law or AI-specific regulator in force. As of 7 June 2026, the main hard law affecting AI is its personal data protection regime, overseen by the CNPD, together with constitutional privacy guarantees and wider digital government rules. In practice, AI governance in Cape Verde is mostly about lawful data use, profiling, automated decisions, security, breach reporting, cross-border transfers and public sector digital policy, not a standalone AI act.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
The clearest answer is that Cape Verde is not yet running a separate AI statute in the way some larger jurisdictions are trying to do. The official materials reviewed for this article show AI appearing inside broader digital transformation policy, while the binding day to day duties come mainly from the Constitution, the personal data protection law and the powers of the Comissao Nacional de Proteccao de Dados, or CNPD.
That matters because many practical AI questions are already covered even without an AI Act. If an AI system uses personal, biometric, behavioural or other sensitive data, helps make important decisions about people, or sends data abroad, Cape Verde's existing data protection rules can apply immediately.
The official policy picture also shows movement without a finished AI code. A 2020 government resolution pushed AI use in public administration and called for a draft national AI strategy, but Cape Verde's 2021 digital governance strategy still marked a national AI strategy as not yet in place, and a 2026 government digital economy paper still speaks of implementing one. That points to a live policy agenda, but not a settled standalone framework.
Why it matters
For organisations deploying AI in Cape Verde, the absence of a dedicated AI Act does not mean a free regulatory space. If your system handles personal data, supports hiring, credit, education, health, public services, identity checks, CCTV or customer profiling, you may already be inside a legal framework that demands lawful processing, security controls, transparency, rights handling and regulator engagement.
In practice, the biggest operational issues are likely to be whether the system relies on personal data at all, whether it uses profiling or fully automated decision-making, whether it processes special or biometric data, whether a data protection impact assessment is needed, whether a data protection officer must be appointed, whether CNPD notification or authorisation is required, and whether foreign hosting or model providers create transfer issues. For public sector projects, those questions become more pressing because Cape Verde's digital state policies actively encourage automation and AI use.
How it works
There is no clear standalone AI act in force
The official sources reviewed for this article do not show a dedicated AI statute or AI-specific regulator currently in force in Cape Verde. Instead, AI is addressed indirectly through constitutional protections, the personal data protection regime, the CNPD's supervisory powers and public sector digital policy. That makes Cape Verde a jurisdiction where AI governance is presently built from adjacent legal tools rather than one consolidated AI code.
The Constitution and the data protection law do most of the legal work
Article 45 of the Constitution protects access to computerised personal data, correction and updating rights, and transparency around purpose. It also requires law to regulate personal data files, access conditions and data banks used by public and private bodies.
The main operational rules sit in the personal data protection law, especially after the 2021 amendments and republication of the underlying regime. That law applies to automated processing and to structured non-automated files. It also reaches some processing outside Cape Verde where services are offered to people in Cape Verde or their behaviour is monitored there. So a foreign AI provider is not automatically outside scope just because its servers or company headquarters are elsewhere.
CNPD is the key authority, but it is a data regulator, not an AI regulator
The CNPD is an independent public authority with powers of authority and administrative and financial autonomy, operating alongside the Assembleia Nacional. Its remit is personal data protection, not AI as a technology in the abstract.
That still makes CNPD central to many AI projects. It can investigate, demand information, access relevant systems and files, order blocking, erasure or destruction of data, prohibit processing, issue directives, apply fines and sanctions, and handle complaints. It also has authorisation and registration roles for certain processing and must be consulted on legislative and regulatory initiatives concerning personal data protection. If your AI project touches personal data, CNPD is likely to be the first institution you need to understand.
Automated decisions, profiling and high risk processing receive extra scrutiny
Cape Verde's data protection law is especially relevant to AI because it expressly addresses profiling, large scale monitoring and decisions taken solely by automated means. The law gives people a right not to be subject to a decision that produces legal effects, or similarly significant effects, when that decision is taken exclusively through automated processing, including profiling, unless a lawful exception applies and safeguards are respected.
The same law requires a data protection impact assessment before high risk processing begins, especially for systematic profiling, large scale special category data processing and large scale monitoring of publicly accessible areas. Public bodies, and some organisations whose main activities involve high risk large scale monitoring or sensitive data processing, must designate an encarregado de proteccao de dados, broadly equivalent to a data protection officer.
Cape Verde's regime also still keeps a prior notification model that many readers will find stricter and older in style than the UK GDPR approach. Before carrying out an automated processing operation, the controller must notify CNPD unless a simplification or exemption applies. Some uses also need prior CNPD authorisation, including certain special data, credit and solvency data, interconnection of data sets and re-use for purposes not aligned with the original collection purpose.
Security, breach reporting and cross border transfers are already live issues for AI teams
The law requires appropriate technical and organisational measures, data protection by design and by default, and documentation around incidents. Where a personal data breach creates relevant risk, the controller must notify CNPD within 72 hours after becoming aware of it. If the breach is likely to create a high risk to people, the affected individuals must also be informed without undue delay.
International transfers matter as well. Personal data sent abroad may be transferred only where the destination ensures an adequate level of protection, or where CNPD permits the transfer under the law's derogations and safeguard mechanisms, including appropriate contractual guarantees. For AI procurement, this means foreign model providers, cloud hosting, remote support teams and vendor sub-processors cannot be treated as a side issue.
Public sector AI is being encouraged through strategy and operational policy
Even without a dedicated AI law, Cape Verde's state has shown clear policy interest in AI for government modernisation. A 2020 Council of Ministers resolution on accelerating digital transformation in public administration promoted recourse to AI in administrative activity, including repetitive tasks such as validation of biographic and biometric data in electronic document requests, civil registration and related services. The same resolution instructed a CNED team, under NOSi coordination, to present a draft National Strategy for Artificial Intelligence within 90 days.
But the later legal and strategy picture is revealing. The 2021 Estrategia para a Governacao Digital de Cabo Verde, approved for 2021/2024, listed both a National Strategy for Artificial Intelligence and an AI system as not existing in its annex. A 2026 government digital economy paper still refers to implementing a national AI strategy and creating a Digital and AI Centre of Excellence. So the state is plainly interested in AI, but the official texts reviewed here still read as strategy and implementation ambition, not a distinct AI code.
African Union frameworks matter, but they do not replace domestic law
Cape Verde's AI position should also be read in its African context. The African Union endorsed the Continental AI Strategy in July 2024. That strategy gives a continent level reference point built around ethics, inclusion, human rights, development and African institutional coordination. It is important directionally, especially for policymakers and public sector bodies, but it is not the same thing as a domestic Cape Verde AI statute.
Cape Verde has also linked itself to wider AU data and cyber governance through accession to the African Union Convention on Cyber Security and Personal Data Protection, often called the Malabo Convention. That reinforces the broader regional architecture around privacy, cyber governance and cross-border digital trust, even though the immediate enforceable duties for most AI deployers in Cape Verde still come from national law.
Examples
Public service identity and document checks. A 2020 government resolution expressly encouraged the use of AI in public administration for repetitive tasks, including validation of biographic and biometric data in requests for electronic documents, civil registration and related services. If a ministry or agency builds that kind of workflow, the live compliance questions are whether the data use is lawful, whether CNPD notification or authorisation is needed, whether the project triggers a data protection impact assessment, and whether people are being exposed to solely automated significant decisions.
GovTech triage and citizen support. NOSi's 2026 plan describes investment in natural language processing, predictive analysis, automated service handling and process triage for GovTech. If those tools move from plan to live deployment and process personal data, privacy by design, logging, DPO involvement, security controls, breach response and vendor management should be designed in from the start, not added later.
Cross-border AI procurement. Cape Verde's data protection law applies not only to local entities but also to providers outside Cape Verde when they offer services to people in Cape Verde or monitor their behaviour there. So if a foreign AI vendor handles Cape Verde user data, the deployment workflow should include scope analysis, transfer checks, contract review, and, where needed, CNPD-facing steps on notification or authorisation.
Common misunderstandings
"Cape Verde has no AI Act, so AI is unregulated." Wrong. Existing constitutional, privacy and digital governance rules can already govern many AI uses.
"CNPD is Cape Verde's AI regulator." Not exactly. CNPD is the personal data protection authority, which matters for many AI systems because they process personal data.
"If the model is hosted abroad, Cape Verde law disappears." Not necessarily. The law can still apply to foreign providers serving or monitoring people in Cape Verde.
"Cape Verde follows the UK GDPR or the EU AI Act automatically." No. Its framework borrows some familiar data protection concepts, but it is its own legal regime.
"Cape Verde already has a published national AI strategy in force." That is not clearly shown by the official sources reviewed here. What is visible is policy ambition and continuing references to future implementation.
Risks and boundaries
What is confirmed is that Cape Verde has a functioning constitutional and statutory data protection framework, an independent CNPD, and official digital government strategy documents that contemplate AI use in the public sector. What is not confirmed by the official sources reviewed for this article is a dedicated AI statute, a published AI-specific regulator, or a clearly adopted national AI strategy already in force.
That gap matters. A 2020 resolution called for a draft national AI strategy within 90 days, but the 2021 digital governance strategy still marked such a strategy as absent, and a 2026 government paper still talks about implementing one. So some strategy work may well exist in draft, internal, political or programme form, but a clear, publicly located AI framework with the force of a dedicated domestic code was not found in the official materials used here.
It is also important not to overread the data protection regime. It covers a large share of practical AI risk where personal data is involved, but it does not answer every question about product safety, labour, education, competition, consumer protection, procurement, administrative law or sector specific accountability. Those issues may arise through other laws or future reforms, but the AI-specific position remains comparatively narrow.
What to do next
Start with an inventory. Identify every AI use that touches personal, biometric, behavioural or other sensitive data, note whether any recommendation or decision is fully automated, and map where data enters, where it is stored and which vendors can access it.
Then run the right assessment. For higher risk uses, treat a data protection impact assessment as a minimum and fold it into a broader AI review covering legality, fairness, human oversight, security, record keeping and escalation. Check whether your organisation needs an encarregado de proteccao de dados and whether the processing must be notified to CNPD before launch.
Next, tighten procurement and data transfer discipline. Ask foreign AI vendors where data is hosted, whether customer data is used for model training, which sub-processors are involved, how deletion works, how incidents are reported and what transfer safeguards are in place.
Finally, monitor policy change. Cape Verde's official documents show continuing momentum towards stronger digital state architecture and a possible future national AI strategy. Leaders should treat the present regime as active now, while staying ready for more AI-specific rules later.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Cape Verde have a dedicated AI law?
Not clearly. Based on the official sources reviewed up to 7 June 2026, Cape Verde does not appear to have a standalone AI Act in force.
Who is the main regulator relevant to AI in Cape Verde?
The key institution is the CNPD, the Comissao Nacional de Proteccao de Dados. It is a data protection authority, not an AI-only regulator, but it is central whenever AI uses personal data.
Does Cape Verde's data protection law apply to foreign AI suppliers?
Yes, it can. The law extends to providers outside Cape Verde when they offer services to people in Cape Verde or monitor their behaviour there.
Are solely automated decisions allowed?
They are restricted. People have a right not to be subject to solely automated decisions that produce legal or similarly significant effects, unless a lawful exception applies and safeguards are in place.
When is an impact assessment needed for AI?
Before higher risk processing, especially where there is systematic profiling, large scale special category data processing or large scale monitoring of publicly accessible areas.
Do organisations need to notify CNPD before using AI?
Often, yes, if the AI use involves automated personal data processing. Cape Verde's regime still keeps a prior notification model, and some categories of processing can also require CNPD authorisation.
Is Cape Verde's regime basically the same as the UK GDPR?
No. There are family resemblances, especially after the 2021 update, but Cape Verde has its own statute and still keeps features such as prior notification that differ from the UK GDPR approach.
Is a national AI strategy already in force in Cape Verde?
The official materials reviewed show policy work towards one and references to future implementation, but they do not clearly show a published national AI strategy already in force.