What is AI regulation in the Central African Republic?
AI regulation: countries and regions
The Central African Republic does not yet have a dedicated AI law, AI regulator or published national AI strategy. AI is instead governed through adjacent digital law: a 2024 personal data protection law, a 2024 cybersecurity and cybercrime law, older electronic communications and electronic transactions laws, and an ongoing public-sector digital-governance programme. For most organisations, the main AI compliance hooks are personal data, profiling, cybersecurity, cross-border transfers and public-sector digital service rules, not AI-specific licensing.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
That means the Central African Republic is not using an EU-style AI Act model. The current framework is broader: telecoms, electronic transactions, cybersecurity, digital government and personal data protection. The most important AI-relevant statute is Law 24.001 on personal data protection. It covers automated processing, defines profiling, treats biometric and other sensitive data as specially protected, requires a data protection delegate, and gives people rights of access, rectification and opposition.
For public bodies and GovTech suppliers, the picture matters even more. The data law requires authorisation for some interconnections of public files and for some electronic administration uses, while the wider digital-governance programme is building cyber, data storage and digital service capacity across government. At continental level, the AU Continental AI Strategy is guidance rather than binding CAR AI legislation, and I did not identify a separate national AI strategy in the official sources reviewed.
Why it matters
Organisations should not treat the Central African Republic as a no-rules market for AI. If your system uses personal data, profiling, biometrics, public records or cross-border transfers, the 2024 data protection law is likely to be the main legal touchpoint. That is true for local deployers and can also be true for foreign providers where the processing produces effects in the country.
The practical stakes are in governance, procurement and system design. You need a clear view of controller and processor roles, security responsibilities, retention, transfer routes, user notices and how to handle requests to access, correct or oppose data processing. If an AI-enabled process helps drive a decision with legal effects, the law also points toward explainability and contestability of the automated mechanism. Because CAR still lacks AI-specific risk tiers or a general AI impact assessment duty, internal governance matters more, not less.
How it works
No AI-specific statute
The official ARCEP laws page lists the core digital laws now visible in the Central African Republic: the 2024 personal data protection law, the 2024 cybersecurity and cybercrime law, the 2022 electronic transactions law, the 2018 communications law and the 2017 law creating ARCEP. None of those texts is an AI law. I also did not identify an official national AI strategy or an AI-only regulator in the official materials reviewed.
Personal data law is the main AI hook
Law 24.001 is the strongest AI-relevant domestic text. It applies to processing carried out by a controller or processor established in the Central African Republic, and also to processing that produces effects there even if the processing happens abroad. It defines profiling, automated processing, biometric data, sensitive data, controller, processor and personal data breach. It requires lawful, fair, transparent and secure processing, restricts purpose and retention, and requires stronger protection for sensitive data and for children.
Decision rights, delegates and enforcement
The law gives people rights to access, rectify, update, block or erase certain data, and rights of opposition. It also says that a person must be able to know and contest the mechanism of automated processing when a decision based on that mechanism produces legal effects. Every controller must designate a data protection delegate. The supervising agency can issue warnings, order a processing activity to stop, withdraw an authorisation or certification, and impose monetary penalties capped at 5 percent of turnover. The law also creates criminal offences for some breaches.
Public-sector and cross-border mechanics
For AI that relies on linked government datasets, the rules become more specific. Interconnection of files held by public bodies with different public interests is subject to authorisation by the data protection agency. The same applies to some data processing by the state for electronic administration and remote public services. Cross-border transfers matter too: transfers outside CEMAC or CEEAC require an adequate level of protection or a permitted derogation, and the agency must be informed in advance. This is highly relevant for cloud AI, foreign model providers and shared regional datasets.
Institutions and African context
ARCEP remains the communications and post regulator rather than an AI regulator. The data law provides for a separate independent data protection agency and gave the ministry in charge of the digital economy, posts and telecommunications 12 months from promulgation to put that agency in place. I did not identify a public official source confirming that the agency is already fully operational. In parallel, the public-sector digital-governance project is intended to define a strategy and action plan for digital development in government, while strengthening cyber, data storage and digital service delivery. At AU level, the Continental AI Strategy is soft law guidance for member states, and the AU status list does not show the Central African Republic as a signatory or ratifying state to the Malabo Convention as of 2 February 2026.
Examples
A ministry wants to add AI-based triage to an online public service portal. Under the public-sector digital-governance programme, government services and data systems are being digitised. If the new tool links civil-status, identity or service-delivery files, the team should check whether prior authorisation is needed for interconnection or electronic administration uses. If the system informs a decision with legal effects, the automated mechanism should be explainable and contestable, and the data protection delegate should be involved before launch.
A telecoms operator or online service wants to use AI for profiling, fraud detection or service personalisation. ARCEP and the wider communications framework still matter for the sector, but the personal data law is the main rulebook for profiling, security and sensitive data. If the service uses biometric inputs, data about children, or direct marketing through SMS, email or social platforms, the data law becomes even more important.
A foreign AI vendor hosts a CAR-facing service abroad for a company or public body in Bangui. The data law can still apply if the processing produces effects in the Central African Republic. The parties should map controller and processor roles, identify the data protection delegate, test whether the transfer falls outside CEMAC or CEEAC, document the legal basis and retention period, and prepare a route for access, rectification and opposition requests.
Common misunderstandings
Misunderstanding: The Central African Republic has no AI Act, so AI is unregulated. Correction: There is no AI-specific law, but data protection, cybersecurity, communications and electronic transactions law still apply.
Misunderstanding: ARCEP is the country's AI regulator. Correction: ARCEP is the communications and post regulator. The data law points to a separate independent data protection agency, not an AI authority.
Misunderstanding: Only businesses physically based in CAR need to care. Correction: The data law can also reach processing that produces effects in the Central African Republic, even if it happens abroad.
Misunderstanding: Automated recommendation tools are outside the legal picture. Correction: Once automated processing feeds into a decision with legal effects, the law points to a right to know and contest the mechanism.
Misunderstanding: The AU AI Strategy already gives CAR a full AI rulebook. Correction: The AU strategy is continental guidance. It is not the same thing as a domestic CAR AI statute.
Risks and boundaries
The Central African Republic still has no AI-specific risk classes, AI registration scheme, frontier model rules, foundation model duties or general statutory duty to run an AI impact assessment. If you are looking for an AI-only compliance regime, it is not there yet.
The key live uncertainty is implementation. The 2024 data protection law clearly exists and is detailed. It also clearly provides for an independent data protection agency and gave the ministry 12 months from promulgation to establish it. But I did not identify a public official source confirming that the agency is already fully operational, staffed and publicly active. That limits certainty on real-world enforcement pathways.
This article also does not unpack article-level obligations from the 2024 cybersecurity law beyond its confirmed existence on the official ARCEP laws page. Finally, some processing tied to state security, defence, public safety and criminal investigation can depart from ordinary access and rectification rights, so the framework is not identical across all uses.
What to do next
Treat AI in CAR first as a data-governance and cyber-governance issue, not as a standalone AI licensing question. Start by mapping whether the system uses personal data, biometric data, children's data, sensitive data, public records or cross-border hosting.
Identify who is the controller, who is the processor and who will act as the data protection delegate. Document purpose, legal basis, retention, vendor instructions, human review points, security controls and how people can access, correct or oppose processing. If an automated mechanism may shape decisions with legal effects, make sure the mechanism can be explained and challenged.
For public-sector or GovTech deployments, check early whether the project will interconnect official files or support remote electronic administration. If it will, authorisation issues may arise. For cross-border deployments, test whether data will leave CEMAC or CEEAC and record the transfer basis.
Because CAR has not yet built an AI-specific regime, use voluntary AI governance discipline: system inventory, risk tiering, pre-deployment testing, incident response, vendor due diligence and an internal AI impact assessment even where the law does not yet require one by name.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does the Central African Republic have an AI Act?
No. I did not identify a dedicated AI Act or AI-specific regulator in the official sources reviewed.
Is there a personal data protection law?
Yes. Official ARCEP sources list Law 24.001 of 25 January 2024 on personal data protection.
Does the law reach foreign AI suppliers?
Yes, potentially. It applies not only to controllers and processors established in CAR, but also to processing that produces effects in the country.
What does the law say about automated decisions?
It defines profiling and says people must be able to know and contest the mechanism of automated processing when a decision based on that mechanism has legal effects.
Is there a data protection authority?
The law provides for an independent data protection agency and gave the ministry 12 months to establish it. I did not identify a public official source confirming that it is already fully operational.
Are cross-border transfers restricted?
Yes. Transfers outside CEMAC or CEEAC require an adequate level of protection or a permitted derogation, and the agency must be informed in advance.
Is there a national AI strategy?
I did not identify a published national AI strategy. The visible government work is broader digital-government reform under the public-sector digital-governance programme.
How does the African Union matter here?
The AU Continental AI Strategy gives soft-law guidance for member states, but it does not itself create CAR domestic AI offences, approvals or AI licensing duties.