What is AI regulation in the Democratic Republic of the Congo?
AI regulation: countries and regions
The Democratic Republic of the Congo (DRC) has no dedicated artificial intelligence law, bill or adopted national AI strategy as of June 2026. AI is governed indirectly through the 2023 Digital Code (Ordonnance-loi No. 23/010), which contains data protection, cybersecurity and electronic transaction rules. A first National AI Strategy entered drafting in October 2025 but is not yet adopted. The DRC also aligns with the African Union Continental AI Strategy.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
The DRC does not regulate artificial intelligence directly. There is no AI Act, no AI bill before Parliament, and no published national AI strategy with binding force. Anyone deploying AI in the DRC is governed by general digital and data rules rather than by AI-specific law.
The central instrument is the Code du numerique (Digital Code), enacted as Ordonnance-loi No. 23/010 of 13 March 2023 and published in the Journal Officiel on 11 April 2023. It is a broad statute covering digital activities and services, electronic transactions, cybersecurity, digital content and personal data protection. Its data protection provisions (in Book III) are the rules most likely to bite on an AI system that processes personal data of people in the DRC.
Policy is moving, but slowly. The government validated its Rapport national sur l'etat de preparation a l'intelligence artificielle (the UNESCO AI readiness report, or RAM) at a Kinshasa workshop on 19 June 2025, presided over by Minister Augustin Kibassa Maliba, who said it had paved the way for the adoption and widespread use of AI in the country. On 8 October 2025 the government launched the inter-institutional drafting commission for the Plan National du Numerique 2026-2030 (PNN 2) and its first Strategie nationale de l'Intelligence Artificielle, backed by a USD 1 billion Treasury investment for 2026 to 2030. These are strategy and policy documents in progress, not law.
Why it matters
For organisations building or buying AI that touches the DRC, the practical point is that compliance turns on data protection, cybersecurity and consumer rules, not on a bespoke AI regime. The Digital Code applies broadly to digital activities and services carried out from or to the DRC, regardless of where the provider is established, so foreign AI vendors can be in scope. The Code mandates that data controllers and processors appoint a data protection officer, restricts cross-border transfers of personal data, and contains data localisation expectations that can affect cloud and model-hosting choices. Because the supervisory authority is not yet operational, enforcement is uncertain, but the legal duties exist now and penalties on paper are significant.
How it works
No dedicated AI law yet
There is no statute, ordinance or bill in the DRC that regulates artificial intelligence as such. AI obligations are inferred from general rules: the Digital Code, the telecommunications law, and sector rules. The country is building AI policy through strategy documents rather than through legislation.
The Digital Code (Ordonnance-loi No. 23/010 of 13 March 2023)
The Digital Code is the backbone of digital regulation. It applies to digital activities and services, electronic tools and trusted service providers, digital content, and the security and criminal protection of IT systems. It sets three licensing regimes (authorisation, declaration and homologation), recognises electronic contracts and e-commerce, and creates or confirms several institutions: a digital regulatory authority, a national electronic certification authority, a national cybersecurity agency, and a national digital council. The Code took effect on publication in the Journal Officiel on 11 April 2023.
Data protection inside the Code
Book III of the Digital Code contains a dedicated title on personal data. It defines personal data, biometric data and profiling, sets principles such as lawful processing, transparency and data minimisation, and gives individuals rights over their data. It requires every data controller and processor to appoint a data protection officer. Cross-border transfers of personal data are generally restricted unless the destination provides equivalent protection or the responsible minister authorises the transfer. These are the provisions most relevant to AI systems that train on or process personal data.
The data protection authority that does not yet exist
Article 262 of the Digital Code provides for a data protection authority (Autorite de protection des donnees) to be established by a decree of the Prime Minister setting its organisation, functioning and powers. No such decree has been adopted. A ministerial decree of 17 August 2024 temporarily transferred the authority's functions to the telecoms regulator (ARPTC). Brozeck Kandolo, writing in Droit-Numerique's News-Juritech No. 11 of 28 June 2025, questions the conformity of assigning these powers to ARPTC via Arrete ministeriel No. cab/min/pt&n/akim/kl/kbs/051/2024 of 17 August 2024. The upshot: duties are in force but there is no fully operational, independent regulator enforcing them.
The telecoms regulator (ARPTC)
The Autorite de Regulation de la Poste et des Telecommunications du Congo (ARPTC) regulates posts, telecommunications and ICT: licensing, spectrum, type approval of equipment, competition and consumer protection in the sector. Law No. 20/017 of 25 November 2020 on telecommunications and ICT introduced the first personal data protection provisions in Congolese law and provided for a renamed regulator (ARPTIC). ARPTC is the body to which data protection functions were provisionally assigned in 2024.
The Ministry and the national digital plan
The Ministry of Posts, Telecommunications and Digital Economy leads digital policy. The Plan National du Numerique Horizon 2025, launched by the Presidency in September 2019, is built on four pillars: infrastructure, content, applications and governance/regulation. It mentions AI among emerging technologies but does not regulate it. On 8 October 2025 the government launched drafting of a successor plan (2026 to 2030) and a first National AI Strategy, with a flagship Congolese AI Academy. These remain in drafting and are not yet adopted.
African Union and regional context
The DRC is bound into a continental framework. It ratified the African Union Convention on Cybersecurity and Personal Data Protection (the Malabo Convention), becoming the 17th state party when it deposited its ratification instrument with the AU Secretary-General at Addis Ababa on 27 June 2025; according to Droit-Numerique this legally bound the state to the Convention's obligations. The Convention was adopted on 27 June 2014 in Malabo and entered into force on 8 June 2023. The AU Executive Council adopted the Continental Artificial Intelligence Strategy at its 45th Ordinary Session in Accra, Ghana, on 18 to 19 July 2024, which encourages member states to develop national AI strategies and to ground AI governance in data protection. The DRC is a member of several regional bodies including SADC, ECCAS and COMESA, and has joined the East African Community.
Examples
A fintech deploying an AI credit-scoring model for Congolese customers: the model processes personal data, so the Digital Code's Book III applies. The operator must appoint a data protection officer, process data lawfully and transparently, and respect restrictions on transferring data outside the DRC, even though no AI-specific rule governs the model itself.
A health programme using an AI diagnostic tool: there is no AI medical-device approval regime, but the data protection rules on sensitive data, the requirement to keep data secure, and data localisation expectations all apply. The provider should document its lawful basis and data flows now, because duties are in force regardless of the regulator's incomplete status.
A foreign SaaS vendor selling an AI tool to Congolese businesses from abroad: because the Digital Code reaches digital services provided to the DRC, the vendor can fall within scope. A provider without an establishment in the DRC may need to consider local representation for data protection compliance.
Common misunderstandings
"The DRC has an AI law." It does not. There is no AI statute, bill or adopted national AI strategy as of June 2026; AI is covered indirectly by general digital and data rules.
"The DRC and the Republic of the Congo are the same place." They are different countries. The DRC (Kinshasa) is the subject here. The Republic of the Congo (Brazzaville) is a separate state that hosts the African Research Center on Artificial Intelligence and pursues its own Vision Congo Digital 2025.
"There is a working data protection regulator." The authority exists on paper in the Digital Code but has not been established by the required Prime Minister's decree; its functions were provisionally handed to the telecoms regulator in 2024, a move some lawyers dispute.
"Because enforcement is weak, the rules do not apply." The Digital Code is in force. Data protection duties, including appointing a data protection officer and limiting cross-border transfers, apply now even if active enforcement is limited.
"The Malabo Convention is just symbolic." The DRC ratified it and deposited its instruments in June 2025, which under Congolese constitutional rules gives ratified treaties precedence over ordinary domestic law and creates an obligation to align national rules.
Risks and boundaries
This article describes the legal architecture, not legal advice. The picture is genuinely in flux. What is confirmed: the Digital Code is in force and contains data protection, cybersecurity and electronic transaction rules; the data protection authority is not yet operationally established; the DRC has ratified the Malabo Convention; and the AU has a Continental AI Strategy. What is pending or uncertain: the first National AI Strategy and the 2026 to 2030 National Digital Plan are still being drafted and have not been adopted; the legality of assigning data protection functions to the telecoms regulator is contested; and several implementing decrees under the Digital Code are still awaited. There is no AI-specific risk classification, conformity assessment or AI impact assessment requirement in DRC law.
What to do next
Treat DRC AI compliance as a data protection and cybersecurity exercise, not an AI-law exercise. Map whether your AI system processes personal data of people in the DRC and whether the Digital Code reaches your service. Appoint a data protection officer where the Code requires it, document your lawful basis and data flows, and check cross-border transfer and localisation constraints before choosing cloud or model-hosting arrangements. Watch for two triggers that would change the analysis: adoption of the National AI Strategy and the 2026 to 2030 Digital Plan, and the Prime Minister's decree actually establishing the data protection authority. Align voluntarily with the AU Continental AI Strategy and recognised AI standards, since the direction of travel is toward data-governance-led AI oversight.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does the DRC have an AI law?
No. As of June 2026 there is no dedicated AI statute, no AI bill in Parliament and no adopted national AI strategy. AI is governed indirectly through the Digital Code and related rules.
What is the Digital Code?
It is Ordonnance-loi No. 23/010 of 13 March 2023, published in the Journal Officiel on 11 April 2023. It is a broad law on digital activities, electronic transactions, cybersecurity, digital content and personal data protection.
Is there a data protection authority in the DRC?
The Digital Code provides for one (Article 262), but it has not been established by the required Prime Minister's decree. A 2024 ministerial decree provisionally transferred its functions to the telecoms regulator, which some lawyers consider legally doubtful.
Who regulates telecoms and ICT?
The Autorite de Regulation de la Poste et des Telecommunications du Congo (ARPTC), under Law No. 20/017 of 25 November 2020. It handles licensing, spectrum, equipment approval and sector consumer protection.
Has the DRC adopted a national AI strategy?
Not yet. Drafting of a first National AI Strategy and a 2026 to 2030 National Digital Plan was launched on 8 October 2025, but neither has been adopted as of June 2026.
How is the DRC different from the Republic of the Congo?
They are two separate countries. The DRC has its capital at Kinshasa; the Republic of the Congo (Congo-Brazzaville) is a different state with its own digital and AI initiatives.
Does the African Union AI strategy bind the DRC?
The AU Continental AI Strategy, adopted in July 2024, is a guiding framework rather than binding law. It encourages member states such as the DRC to build national AI strategies grounded in data protection.
What should businesses do now?
Focus on data protection and cybersecurity compliance under the Digital Code, appoint a data protection officer where required, manage cross-border data transfers, and monitor for the National AI Strategy and the data protection authority decree.