What is AI regulation in Guinea-Bissau?
AI regulation: countries and regions
Guinea-Bissau has no dedicated artificial intelligence law, no AI regulator and, as of mid-2026, no published national AI strategy. It also has no general data protection statute and no data protection authority. AI is governed only indirectly, through the 2010 Basic Information and Communication Technology Law, the telecoms regulator ARN, constitutional privacy rights, and regional and continental commitments such as the ECOWAS data protection framework and the African Union Continental AI Strategy.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Guinea-Bissau is a small Portuguese-speaking country in West Africa. It should not be confused with neighbouring Guinea (capital Conakry) or with Equatorial Guinea; all three are separate states with different legal systems. Guinea-Bissau is a member of the Economic Community of West African States (ECOWAS) and of the African Union (AU).
There is no statute in Guinea-Bissau that names or governs artificial intelligence, and there is no agency tasked with overseeing it. The country also lacks a general personal data protection law, which is the building block most other jurisdictions use to regulate automated decision making and large-scale data processing. What exists instead is a thin layer of older information and communication technology (ICT) law, a sector telecoms regulator, constitutional protection for privacy and correspondence, and a set of regional and continental instruments that Guinea-Bissau has joined politically but has largely not yet turned into binding national law.
In practice this means anyone deploying AI in Guinea-Bissau is operating in a setting with very little specific legal architecture. The direction of travel is towards more digital regulation, driven by a national digital transformation push and by ECOWAS and AU frameworks, but the durable position today is that the dedicated rules simply do not exist yet.
Why it matters
For founders, operators, advisers and buyers, the absence of a dedicated framework is itself the key planning fact. There is no AI register, no licensing regime, no statutory AI impact assessment duty and no regulator issuing AI guidance. There is also no general data protection law to fall back on, so the usual compliance anchors that exist in most ECOWAS neighbours are missing.
That does not make AI deployment risk free. Constitutional privacy protections apply, sector rules administered by the telecoms regulator apply to communications and connectivity, and contracts, consumer expectations and reputational exposure all still bite. Organisations that handle the personal data of people in Guinea-Bissau as part of a wider African or global operation will usually be caught by stronger laws elsewhere, such as data protection statutes in other ECOWAS states or the European Union General Data Protection Regulation, and those external regimes often end up being the practical standard. Planning to the higher external standard is generally the safer course.
How it works
No dedicated AI law or AI regulator
As of mid-2026 there is no Guinea-Bissau statute, decree or bill that specifically regulates artificial intelligence, and no public body charged with supervising AI. Claims that the country has an AI rulebook are not supported by any official source. The honest position is that AI is unregulated as a named category.
No general data protection law and no data protection authority
Guinea-Bissau has not enacted a general personal data protection statute and has not established a data protection authority. The Data Protection Africa fact sheet maintained by ALT Advisory records plainly that Guinea-Bissau has no data protection legislation, nor related legislation such as cybercrimes or electronic transactions legislation, that personal data is not defined, and that there are no laws restricting cross-border transfer. This is unusual within ECOWAS: Guinea-Bissau is one of only a small group of member states without a data protection law, alongside Togo, the Gambia, Sierra Leone and Liberia on the most widely cited regional surveys. Personal data is therefore not defined in national law, there are no statutory rules on lawful processing, and there are no statutory restrictions on cross-border data transfers.
The 2010 Basic ICT Law and the telecoms regulator (ARN)
The main domestic instrument is Law No. 5/2010 of 27 May 2010, the Basic Information and Communication Technology Law (Lei de Base das Tecnologias de Informacao e Comunicacao). It covers the telecommunications sector and internet governance but contains no specific provisions on cybercrime or data protection. It established the national regulator, the Autoridade Reguladora Nacional das Tecnologias de Informacao e Comunicacao (ARN), which licenses and supervises telecoms operators, manages spectrum and numbering, runs the .gw country domain, and handles type approval of ICT equipment. ARN regulates connectivity and communications; it is not an AI or data protection regulator. ARN has recently run a public consultation on a draft Electronic Transactions Law, which would begin to fill some of the gaps around digital commerce.
The responsible ministry and the national digital strategy
The sector is overseen by the Ministry responsible for transport, telecommunications and the digital economy (Ministerio dos Transportes, Telecomunicacoes e Economia Digital). On 29 January 2025 the government launched a National Digital Transformation Strategy for the period 2025 to 2030, supported by the United Nations Development Programme and the United Nations University, with funding from Japan. The strategy is built on six strategic axes including digital infrastructure, digitisation of public services, the digital economy, institutional capacity, integrated platforms and digital literacy. It is a development strategy, not an AI law, and it does not create AI specific duties or a regulator.
Constitutional and general law
The Constitution of Guinea-Bissau protects privacy and the secrecy of correspondence and communication. These provisions apply generally and can be relevant to data and surveillance questions, but they are high-level rights rather than an operational regulatory regime. The Penal Code dates to 1993 and contains no cybercrime provisions.
The ECOWAS layer
Guinea-Bissau is one of the fifteen ECOWAS member states. ECOWAS adopted Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS in February 2010, which is binding on member states and requires each to enact data protection laws and establish a data protection authority. ECOWAS also adopted a Directive on Fighting Cybercrime in 2011 and a Regional Cybersecurity and Cybercrime Strategy in 2021. Guinea-Bissau has not yet transposed the data protection Supplementary Act into national law; regional reviews place Guinea-Bissau among the states with no draft data protection or cybercrime legislation in progress. ECOWAS began revising the Supplementary Act in 2024.
The African Union layer: Malabo Convention and Continental AI Strategy
The AU Convention on Cyber Security and Personal Data Protection, known as the Malabo Convention, was adopted in 2014 and entered into force on 8 June 2023, thirty days after Mauritania deposited the fifteenth instrument of ratification on 9 May 2023. According to the African Union official status list dated 8 July 2024, Guinea-Bissau signed the Malabo Convention on 31 January 2015 but has not ratified it and has not deposited an instrument of ratification. This is distinct from Guinea (Conakry), which deposited its instrument on 16 October 2018, and from Equatorial Guinea, which has taken no action. Because Guinea-Bissau has not ratified, the Convention does not bind it as a state party. Some secondary commentaries wrongly list Guinea-Bissau among the fifteen ratifying states; this appears to stem from confusing it with Guinea (Conakry), and the AU official list is the authoritative record.
Separately, the AU Executive Council endorsed the Continental Artificial Intelligence Strategy in July 2024. It is a high-level, development-focused policy framework, not binding law, and it encourages member states to develop national AI strategies and governance structures over the period 2025 to 2030. Guinea-Bissau has not yet published a national AI strategy of its own.
Examples
Consider a fintech that wants to deploy an AI credit-scoring model for mobile money users in Guinea-Bissau. There is no national data protection law setting out lawful bases, no statutory data protection impact assessment requirement and no regulator to register with. The practical controls come from the telecoms and mobile money regulatory environment, contractual terms with mobile network operators such as Orange and Telecel, and any stronger data protection laws that apply because of where the company or its cloud processors are based.
Consider a public sector digitisation project, such as biometric vehicle documents or e-government services rolled out under the National Digital Transformation Strategy. These involve large-scale personal data processing, but they proceed without a dedicated data protection statute or independent oversight body. Governance has to be designed into the project itself through procurement terms and donor requirements, rather than relying on a national legal baseline.
Consider an international NGO or multinational operating in Guinea-Bissau as one of many countries. In practice it will usually apply a single high external standard, such as the EU General Data Protection Regulation or a group privacy policy, across all operations, because the local legal floor in Guinea-Bissau is so low. That external standard becomes the de facto rule on the ground.
Common misunderstandings
Misunderstanding: Guinea-Bissau has an AI law or AI regulator. It does not. There is no dedicated AI statute, bill or supervisory body.
Misunderstanding: Guinea-Bissau is covered by a general data protection law like its ECOWAS neighbours. It is not. There is no general data protection statute and no data protection authority.
Misunderstanding: Guinea-Bissau, Guinea and Equatorial Guinea are interchangeable. They are three separate countries with different legal systems. Sources frequently confuse them, especially on treaty ratification.
Misunderstanding: Because Guinea-Bissau signed the Malabo Convention, it is bound by it. Signature is not ratification. Guinea-Bissau signed in 2015 but has not ratified or deposited an instrument, so it is not a state party.
Misunderstanding: The African Union Continental AI Strategy is binding law that regulates AI in Guinea-Bissau. It is a policy framework, not legislation, and it does not impose enforceable AI duties on organisations.
Risks and boundaries
This article describes the legal architecture as it stands and is not legal advice. The central boundary is that Guinea-Bissau has no dedicated AI framework and no general data protection law, so most of what governs AI elsewhere is simply absent here.
Several things are uncertain or in motion. A draft Electronic Transactions Law has been put out for public consultation by ARN but is not yet enacted. The ECOWAS Supplementary Act on data protection is binding in principle but has not been transposed into Guinea-Bissau national law, and ECOWAS is revising it. The Malabo Convention has been signed but not ratified, so its status could change if Guinea-Bissau ratifies in future. The National Digital Transformation Strategy runs to 2030 and could lead to new laws, and the AU Continental AI Strategy encourages national AI strategies, but none of this is binding AI regulation today. Treat any future-facing commitment as a plan, not a duty.
What to do next
Do not assume a local compliance baseline exists. Map your AI and data processing against the strongest law that actually reaches you, which will usually be an external regime such as the EU General Data Protection Regulation, a group policy, or a data protection law in another ECOWAS state where you operate or host data.
Build governance into contracts and project design. With no statutory data protection impact assessment duty and no regulator, use procurement terms, vendor due diligence, internal AI governance and a voluntary impact assessment to create the controls the law does not yet supply.
Watch four specific developments: enactment of the draft Electronic Transactions Law; any national data protection bill or authority; transposition of the ECOWAS data protection Supplementary Act; and publication of a national AI strategy under the AU Continental AI Strategy timeline. Any of these would change the baseline and should trigger a compliance review.
Keep clear records distinguishing Guinea-Bissau from Guinea and Equatorial Guinea in your own compliance documentation, because vendor and adviser materials frequently conflate them.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Guinea-Bissau have an AI law?
No. As of mid-2026 there is no dedicated artificial intelligence statute, bill or regulator in Guinea-Bissau.
Does Guinea-Bissau have a data protection law?
No. There is no general personal data protection statute and no data protection authority. This is unusual within ECOWAS, where most members have such laws.
Who regulates technology and communications in Guinea-Bissau?
The telecoms regulator ARN (Autoridade Reguladora Nacional das Tecnologias de Informacao e Comunicacao), under the Ministry responsible for transport, telecommunications and the digital economy. ARN regulates telecoms, not AI or data protection.
Has Guinea-Bissau ratified the Malabo Convention?
No. According to the African Union status list dated 8 July 2024, Guinea-Bissau signed on 31 January 2015 but has not ratified or deposited an instrument, so it is not bound as a state party.
Is Guinea-Bissau the same as Guinea or Equatorial Guinea?
No. They are three separate countries. Guinea-Bissau is Lusophone with capital Bissau; Guinea has capital Conakry; Equatorial Guinea is a separate state. Their legal frameworks differ.
Does the African Union Continental AI Strategy regulate AI in Guinea-Bissau?
No. It is a policy framework adopted in July 2024, not binding law. It encourages member states to develop national AI strategies between 2025 and 2030.
What law applies to ICT in Guinea-Bissau?
Mainly Law No. 5/2010, the Basic Information and Communication Technology Law, which covers telecommunications and internet governance but not cybercrime or data protection.
Is there a national digital strategy?
Yes. The National Digital Transformation Strategy 2025 to 2030 was launched in January 2025 with UN support, but it is a development strategy, not AI legislation.