What is AI regulation in Djibouti?
AI regulation: countries and regions
Djibouti has no dedicated artificial intelligence law or AI regulator. AI use is governed indirectly through the Digital Code passed in June 2025, which includes data protection rules and names a data protection authority (the CNDP), plus sector oversight by the multisector regulator ARMD. A national AI strategy was in draft as of January 2026 but not yet adopted. Djibouti also sits within the African Union Continental AI Strategy framework.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no statute in Djibouti that regulates artificial intelligence as such. Anyone looking for an "AI Act", an AI-specific regulator or a mandatory AI risk-classification regime will not find one. What exists instead is a set of adjacent rules that touch AI in practice: data protection, electronic communications, cybersecurity and consumer protection, mostly consolidated in the Digital Code that the National Assembly passed on 30 June 2025. The Digital Code is broad digital legislation covering electronic communications, electronic transactions, electronic commerce, protection of personal data, and cybersecurity. Its personal data provisions are the part most relevant to AI, because many AI systems process personal information. The Code names a National Commission for the Protection of Personal Data (Commission Nationale de Protection des Donnees Personnelles, CNDP) as the supervisory authority, though that body still needs to be set up and made operational. Separately, Djibouti has been preparing a national AI strategy with United Nations support. As of a consultative workshop held in January 2026, that strategy was still in draft and awaiting official adoption. So the honest summary is: data protection and sector rules apply now; a dedicated AI policy is coming but is not yet law.
Why it matters
If you build, buy or deploy AI that touches people in Djibouti, you are not in a rule-free zone, but you are also not governed by a bespoke AI regime. The practical compliance surface today is data protection and sector regulation, not AI-specific duties. That means the questions that matter are familiar ones: what personal data does the system process, on what legal basis, with what security, and who is accountable. It matters because the position is changing. The Digital Code is recent, its supervisory authority is not yet fully operational, and a national AI strategy is in preparation. Organisations that map their obligations to durable building blocks (lawful data processing, security, transparency, accountability) will be far better placed when AI-specific guidance arrives than those waiting for a single "AI law" that does not yet exist.
How it works
No dedicated AI statute
Djibouti has not enacted an AI-specific law, has not created an AI regulator, and has no risk-based AI classification regime in force. Any AI governance therefore flows from general digital, data protection and sector rules rather than from a standalone instrument. This should be stated plainly to anyone assuming a local equivalent of the EU AI Act exists; it does not.
The Digital Code (2025)
The principal instrument is the Digital Code, approved by the National Assembly on 30 June 2025 and developed by the ministry responsible for the digital economy. It is consolidated digital legislation covering electronic communications, electronic tools such as electronic signatures, electronic commerce, protection of personal data, and cybersecurity and cybercrime. The Code is structured as a legislative section to be supplemented by later regulatory texts, so detailed implementing rules are expected to follow.
Data protection and the CNDP
The data protection component is the part most likely to bite on AI projects, since AI commonly processes personal data. The Code follows recognised data protection architecture: obligations around lawful processing, data protection by design and by default, security and confidentiality, and breach notification, together with rights for individuals. It designates a National Commission for the Protection of Personal Data (CNDP) as the independent supervisory authority. Reporting on the Code indicates the CNDP had not yet been operationally established, which limits active enforcement in the near term. Treat the law as in force but the enforcement machinery as still maturing.
The sector regulator: ARMD
The Autorite de Regulation Multisectorielle de Djibouti (ARMD) is the country's independent multisector regulator, created by Law No. 74/AN/20/8eme L of 13 February 2020 and placed under the Presidency of the Republic. It regulates telecommunications and information and communication technologies, alongside energy. ARMD is not an AI regulator, but because AI services are typically delivered over regulated telecoms and ICT infrastructure, it is part of the institutional landscape that AI deployments in Djibouti will encounter.
National AI strategy in preparation
Djibouti has been developing a national AI strategy with United Nations support, coordinated through the ministry responsible for the digital economy and innovation. A consultative workshop in January 2026 reviewed a draft strategy ahead of intended official adoption, framing AI around responsible, inclusive and ethical use and aligning it with Vision Djibouti 2035 and the 2025 to 2030 national development plan. As of that point it was a draft strategy, not a binding legal framework, and no adoption date should be assumed.
African and continental context
As an African Union member, Djibouti sits within the AU Continental Artificial Intelligence Strategy, adopted by the AU Executive Council in July 2024. That strategy is guidance for member states rather than directly binding law: it encourages countries to develop national AI approaches, strengthen data governance, and balance innovation with managing risks, on an implementation timeline running from 2025 to 2030. It helps explain the direction of Djibouti's own draft strategy without itself imposing enforceable AI duties domestically.
Examples
A fintech deploying an AI credit-scoring tool for customers in Djibouti: there is no AI-specific approval to obtain, but the personal data processing falls under the Digital Code's data protection provisions, including duties around lawful processing, security and breach notification, with the CNDP as the designated authority once operational. A telecoms or ICT provider layering AI features (for example automated customer handling or network optimisation) onto regulated services: the AI element itself is not separately licensed, but the underlying telecoms and ICT activity sits within ARMD's regulatory remit under the 2020 law that created it. A public-sector or development project piloting AI (the draft national strategy highlights areas such as health, education, logistics and language preservation): such pilots currently operate against the draft strategy's stated principles of responsible, inclusive and ethical AI rather than against binding AI rules, while still being subject to data protection law where personal data is involved.
Common misunderstandings
"Djibouti has an AI law." It does not. AI is governed indirectly through data protection, telecoms and cybersecurity rules, chiefly the 2025 Digital Code, not through a dedicated AI statute. "There is an AI regulator." There is no AI-specific regulator. The Digital Code names the CNDP for data protection, and ARMD regulates telecoms, ICT and energy; neither is an AI authority. "The data protection authority is fully up and running." The Digital Code designates the CNDP, but reporting indicates it was not yet operationally established, so active enforcement is still developing. "The national AI strategy is already in force." As of January 2026 it was a draft under consultation, awaiting official adoption. It is policy in preparation, not binding law. "The African Union strategy directly regulates AI in Djibouti." The AU Continental AI Strategy is guidance for member states, not directly enforceable domestic law.
Risks and boundaries
The clearest boundary is that this is not a dedicated AI framework. Djibouti has no AI Act, no AI regulator and no statutory AI risk tiers. Organisations should not infer AI-specific duties (such as mandatory AI impact assessments or conformity assessments) from the existence of the Digital Code. Legal status is partly uncertain and partly transitional. The Digital Code is recent and is to be supplemented by later regulatory texts, so detailed rules may still change. The CNDP is designated but not yet shown to be operational, which affects how and when data protection enforcement will bite. The national AI strategy is a draft awaiting adoption, so its eventual content, status and timing are not settled. Where this article relies on reporting about operational status rather than a confirmed official notice, that distinction should be respected: confirmed is the Digital Code's passage in June 2025 and ARMD's existence since 2020; pending or uncertain is full CNDP operation, the regulatory texts under the Code, and adoption of the AI strategy. This is general information, not legal advice; verify current status with the relevant Djiboutian authorities before acting.
What to do next
Treat data protection as the operative regime for AI today. Map what personal data your AI systems process, on what basis, and with what security and breach-handling, in line with the Digital Code's data protection provisions. Watch two moving parts: the operationalisation of the CNDP and the regulatory texts expected to supplement the Digital Code, since both will sharpen enforcement and detail. Build governance on durable principles (lawful processing, transparency, accountability, security) so you are ready when AI-specific guidance lands. Track the national AI strategy's adoption and align voluntarily with its stated direction (responsible, inclusive, ethical AI), and read it alongside the AU Continental AI Strategy for the regional trajectory. For anything consequential, confirm current legal status directly with the relevant ministry, ARMD or the CNDP rather than relying on secondary summaries.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Djibouti have a dedicated AI law?
No. There is no AI-specific statute. AI is governed indirectly through data protection, telecoms and cybersecurity rules, mainly the Digital Code passed in June 2025.
Is there an AI regulator in Djibouti?
No. The Digital Code designates the CNDP for personal data, and ARMD regulates telecoms, ICT and energy, but neither is an AI-specific regulator.
What is the Digital Code?
It is consolidated digital legislation approved by the National Assembly on 30 June 2025, covering electronic communications, electronic transactions, electronic commerce, personal data protection, and cybersecurity, with further regulatory texts to follow.
Who enforces data protection in Djibouti?
The Digital Code names the National Commission for the Protection of Personal Data (CNDP) as the supervisory authority, though reporting indicates it was not yet operationally established.
Does Djibouti have a national AI strategy?
A national AI strategy was in draft as of January 2026, developed with United Nations support and awaiting official adoption. It was not yet a binding framework at that point.
How does the African Union strategy affect Djibouti?
As an AU member, Djibouti sits within the AU Continental AI Strategy adopted in July 2024, which guides member states but is not directly enforceable domestic law.
What should businesses deploying AI in Djibouti focus on now?
Data protection compliance under the Digital Code, sound security and accountability practices, and monitoring the CNDP's operationalisation and the strategy's adoption.
Is the legal position likely to change?
Yes. The Digital Code is recent and to be supplemented by regulatory texts, the CNDP is still being established, and the AI strategy is pending adoption, so the framework is evolving.