What is AI regulation in Africa?
As at June 2026, Africa has almost no binding AI-specific law. Governance runs on two tracks: a non-binding continental layer, led by the African Union Continental AI Strategy adopted in July 2024, and a growing set of national AI strategies (16 of 54 countries by July 2025), led by Mauritius, Egypt, Rwanda, Kenya, Nigeria and others. The dominant enforceable regime is data protection, now in force across most of the continent. Strategy before law is the pattern.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no single African approach to AI, and no continent-wide AI law. What exists is a layered picture. At the top sits the African Union, which endorsed a Continental Artificial Intelligence Strategy in 2024 to give member states a shared direction. That strategy is guidance, not binding law. Below it, individual countries are publishing their own national AI strategies, most of them written in the past three years.
For now, the rules that actually bite are not AI rules at all. They are data protection laws, which most African countries now have, plus cybersecurity, consumer protection and sector regulation. These laws govern how personal data is collected and processed, which is where a lot of AI risk sits in practice. The African Union also has a binding treaty on data protection and cybersecurity, the Malabo Convention, which finally came into force in 2023.
So if you are trying to understand AI rules in any given African country, the honest starting point is usually this: check whether it has a national AI strategy (often yes, on paper), check whether that strategy has become enforceable law (almost always no), and check the data protection law and regulator (increasingly yes, and increasingly active). This hub orients you to the regional picture and links down to the individual country articles where the detail lives.
Why it matters
Africa is the world's youngest and fastest-growing region by population, and AI is being deployed in agriculture, health, finance and public services even where rules lag behind. For anyone building, buying or deploying AI on the continent, the gap between ambition and enforceable law is the central practical fact. Strategies signal direction and create commercial opportunity, but they do not yet impose binding obligations in most places. The real compliance burden today comes from data protection law, which differs country by country. Understanding which track applies, and where each country sits between strategy and binding law, is what keeps a deployment lawful and a strategy realistic.
How it works
The continental layer: the African Union Continental AI Strategy
The anchor document is the African Union Continental Artificial Intelligence Strategy, endorsed by the AU Executive Council at its 45th Ordinary Session in Accra, Ghana, on 18 to 19 July 2024. It is development-focused and explicitly non-binding: it guides member states rather than imposing obligations. It is built around five focus areas: harnessing AI's benefits, building AI capabilities, minimising AI risks, stimulating investment, and fostering cooperation. These give rise to fifteen action points. Implementation is phased from 2025 to 2030, with a preparatory phase in 2024 and an early emphasis on helping states create their own national AI strategies and governance structures.
The strategy treats data governance as the foundation of responsible AI, and points to existing data protection laws as the building blocks for AI rules. It also signals further work, including the development of an African Charter on Trustworthy AI to set out responsible AI principles tailored to the African context. That charter is in progress and is one of the clearest things to watch. Smart Africa, a separate government-backed alliance, published an earlier AI for Africa Blueprint in 2021, which fed into national strategy thinking but is also non-binding.
The binding floor: data protection and the Malabo Convention
The most developed enforceable regime across Africa is data protection. According to Yellow Card's report The State of Data Protection Laws in Africa: 2024 and Beyond, 39 of 55 African countries had enacted data protection laws by 2024 and 34 of those had established data protection authorities. The trend has accelerated since: Digital Policy Alert's roundup The Year of the Teeth records that by the end of 2025 at least 44 countries had data protection laws, representing 80 per cent of AU member states, and at least 38 had fully established data protection authorities. These laws, and the regulators that enforce them, are where AI-related risk is most likely to be policed today, especially around biometric data, automated decision-making and cross-border data flows. Coordination runs through the Network of African Data Protection Authorities (NADPA, also known by its French acronym RAPDP).
At treaty level, the African Union Convention on Cyber Security and Personal Data Protection, the Malabo Convention, was adopted in 2014 and finally entered into force on 8 June 2023, thirty days after Mauritania became the fifteenth state to ratify. It is the only binding regional data protection treaty outside Europe. Ratification remains thin: 16 of 55 member states as at mid-2024, with major economies such as Nigeria, South Africa, Egypt, Algeria, Kenya and Morocco not yet having ratified. The Convention covers data protection, cybersecurity and cybercrime, and electronic transactions.
The most developed national positions
A cluster of countries leads on national AI strategy. Mauritius was first in Africa, publishing its national AI strategy in 2018. Egypt launched its first National AI Strategy in 2021 and a second edition for 2025 to 2030 in January 2025, overseen by its National Council for Artificial Intelligence; its governance pillar explicitly contemplates a future binding AI law. Rwanda's National AI Policy, approved by Cabinet in April 2023, is widely described as the first comprehensive national AI policy adopted by an African country. Kenya launched its National AI Strategy 2025 to 2030 on 27 March 2025. Nigeria published a draft National AI Strategy in August 2024, which remains a draft. South Africa moved from a 2023 discussion document to a National AI Policy Framework in August 2024, with a draft national AI policy gazetted for comment in 2026 and full implementation expected around 2027 to 2028.
Across North and West Africa the list lengthens: Tunisia, Senegal (2023), Algeria, Morocco, Ghana, Benin and others have strategies or active processes. As of July 2025, Intelpoint (Techpoint Africa) counted 16 of 54 African countries as having launched a national AI strategy, with over 30 remaining at an early or inactive stage with no clear roadmap; the Carnegie Endowment's tracker similarly recorded fifteen national and two continental AI strategies and policies published to date in September 2025. The common thread is that these are strategies and policies, not binding statutes.
West and Central Africa: francophone movers and early-stage states
Several francophone states have moved early on strategy. Benin's Council of Ministers adopted the country's National Strategy for Artificial Intelligence and Big Data (SNIAM) in January 2023. Côte d'Ivoire published its Stratégie Nationale de l'Intelligence Artificielle (SNIA 2030) in 2024, built on investment, inclusion and governance pillars. Cameroon unveiled its National AI Strategy (SNIA) in July 2025, targeting AI-hub status by 2040, and separately enacted Law No. 2024/017 on personal data protection in December 2024, with an 18-month compliance window running to 23 June 2026. These countries typically pair an AI strategy with a data protection law and a regulator, but without binding AI-specific rules.
Others are genuinely at an early stage. The Republic of Congo (Congo-Brazzaville) has no adopted national AI strategy yet, though it hosts the African research centre on AI (CARIA) near Brazzaville and ratified the Malabo Convention in 2020; its 2019 data protection law exists but the authority is not yet established. Djibouti has no dedicated national AI law and relies on its participation in AU initiatives and its data protection provisions. Equatorial Guinea, despite hosting the 2014 summit that gave the Malabo Convention its name, has no dedicated AI framework and never ratified the Convention; it has a 2016 data protection law whose authority is not yet operational. These are cases where the honest answer is that AI-specific governance does not yet exist.
From strategy to binding law: where it is starting to happen
The defining feature of African AI governance is that strategy has substituted for legislation. Almost no country has yet turned an AI strategy into a binding AI law. The exceptions are early movers toward AI legislation: Tech Hive Advisory's 2024 roundup names Egypt, Kenya, Morocco and Nigeria as progressing draft AI-specific laws, and by May 2026 Code for Africa described Nigeria as poised to become one of the first African countries to pass formal AI legislation, alongside Ethiopia's reported drafting work. Where binding obligations exist today, they flow from data protection law, not AI law. Egypt and Kenya have signalled future AI laws within their strategies, and several countries envisage regulatory sandboxes and AI impact assessments. The direction of travel is toward harder rules, but the timeline is uncertain and fast-moving.
Examples
The Malabo Convention's slow path to force is the clearest example of the continent's pattern. Adopted in 2014, it needed fifteen ratifications and did not enter into force until 8 June 2023, nine years later, when Mauritania became the fifteenth ratifying state. It is now the only binding regional data protection treaty outside Europe, yet most large African economies have still not ratified it.
Data protection authorities, not AI regulators, are doing the live enforcement. In Kenya, the Office of the Data Protection Commissioner scrutinised the biometric data practices of Worldcoin, the iris-scanning project operated by US-based Tools for Humanity, applying Kenya's Data Protection Act 2019. The regulator found that Worldcoin had failed to conduct a data protection impact assessment and had transferred iris-scan data abroad; the High Court ordered deletion in 2025, and the data's destruction in Germany was supervised later that year. The case shows where AI risk is actually policed today, in the absence of any AI-specific law.
Kenya's National AI Strategy 2025 to 2030, launched in March 2025, illustrates the strategy-first model in action: it sets an ambitious vision built on AI infrastructure, data and research pillars, explicitly notes that Kenya currently lacks a comprehensive AI regulatory framework, and points to future legislation rather than itself being binding.
Common misunderstandings
"Africa has an AI law." It does not, at continental level. The African Union Continental AI Strategy is guidance, not binding law, and almost no member state has enacted a binding AI-specific statute.
"The African Union can enforce AI rules across the continent." The AU sets strategy and develops treaties, but enforcement sits with member states. Even the binding Malabo Convention has been ratified by only a minority of states.
"A national AI strategy means binding obligations." Usually not. Most national documents are strategies or policies that set direction and propose institutions; they generally do not create enforceable duties on their own.
"There are no rules, so anything goes." Wrong in practice. Data protection, cybercrime, consumer protection and sector laws already apply to AI systems, and data protection authorities are increasingly active.
"All African countries are at the same stage." They are not. The spread runs from countries with multiple strategy editions and active regulators to countries with no dedicated AI framework at all.
Risks and boundaries
This is a fast-dating area, and the position stated here is current as at June 2026. Strategies are being launched, redrafted and superseded quickly, and figures such as the number of national strategies or ratifications change frequently.
Be honest about the maturity gap. Many African jurisdictions have no dedicated AI framework whatsoever, and some that have a strategy on paper lack the institutions, funding or skills to implement it. Several data protection authorities exist in law but are not yet operational, including those in Equatorial Guinea and the Republic of Congo. Capacity constraints, including infrastructure, compute and skills, are the binding limit on much of the continent's AI ambition, not the absence of strategy documents.
Treat continental announcements with care. High-profile commitments, including large continental AI funds and new councils, are political declarations whose delivery depends on financing and member-state follow-through that may not materialise. Do not read an aspiration as an enforceable rule. For any specific compliance question, the operative law is the relevant national data protection statute and sector regulation, not the continental strategy.
What to do next
Start with the country, not the continent. For each market, establish three things: whether a national AI strategy exists and its status, whether it has become binding law (usually no), and what the data protection law and regulator require (usually the real obligation).
Build compliance on the enforceable floor. Treat data protection law, cybersecurity rules and sector regulation as the live requirements today, with particular attention to biometric data, automated decision-making and cross-border transfers. Map your data flows against each relevant national regime rather than assuming continental harmonisation.
Track the trigger points that would change the picture: adoption of the African Charter on Trustworthy AI, any move from strategy to a binding national AI law (watch Nigeria, Morocco, Ethiopia, Egypt and Kenya), further Malabo Convention ratifications by major economies, and new or newly operational data protection authorities. Treat any of these as a signal to revisit your compliance position. Engage early with regulators and use sandboxes where offered.
Explore individual entries: AI regulation in Algeria, AI regulation in Angola, AI regulation in Benin, AI regulation in Botswana, AI regulation in Burkina Faso, AI regulation in Burundi, AI regulation in Cameroon, AI regulation in Cape Verde, AI regulation in the Central African Republic, AI regulation in Chad, AI regulation in the Comoros, AI regulation in Cote d'Ivoire, AI regulation in the Democratic Republic of the Congo, AI regulation in Djibouti, AI regulation in Egypt, AI regulation in Equatorial Guinea, AI regulation in Eritrea, AI regulation in Eswatini, AI regulation in Ethiopia, AI regulation in Gabon, AI regulation in the Gambia, AI regulation in Ghana, AI regulation in Guinea, AI regulation in Guinea-Bissau, AI regulation in Kenya, AI regulation in Lesotho, AI regulation in Liberia, AI regulation in Libya, AI regulation in Madagascar, AI regulation in Malawi, AI regulation in Mali, AI regulation in Mauritania, AI regulation in Mauritius, AI regulation in Morocco, AI regulation in Mozambique, AI regulation in Namibia, AI regulation in Niger, AI regulation in Nigeria, AI regulation in the Republic of the Congo, AI regulation in Rwanda, AI regulation in Sao Tome and Principe, AI regulation in Senegal, AI regulation in Seychelles, AI regulation in Sierra Leone, AI regulation in Somalia, AI regulation in South Africa, AI regulation in South Sudan, AI regulation in Sudan, AI regulation in Tanzania, AI regulation in Togo, AI regulation in Tunisia, AI regulation in Uganda, AI regulation in Zambia, AI regulation in Zimbabwe.
FAQs
Is there a single AI law for Africa?
No. There is a non-binding continental strategy from the African Union and a growing set of national strategies, but no continent-wide binding AI law, and almost no binding national AI statutes yet.
What is the African Union Continental AI Strategy?
It is a development-focused framework endorsed by the AU Executive Council in July 2024, built around five focus areas. It guides member states and is explicitly non-binding.
What is the Malabo Convention?
It is the African Union Convention on Cyber Security and Personal Data Protection, adopted in 2014 and in force since 8 June 2023. It is the only binding regional data protection treaty outside Europe, but only a minority of states have ratified it.
Which African countries are furthest ahead on AI strategy?
Mauritius (first, in 2018), Egypt, Rwanda, Kenya, Nigeria and South Africa are among the most developed, with Senegal, Tunisia, Ghana, Benin and others also active.
Does my AI deployment have to follow any rules right now?
Very likely yes, but through data protection, cybersecurity, consumer protection and sector laws rather than AI-specific law. Data protection authorities are increasingly enforcing these against new technologies.
How many African countries have data protection laws?
Yellow Card reported 39 of 55 with data protection laws and 34 with authorities by 2024; Digital Policy Alert recorded at least 44 with laws and 38 with operational authorities by the end of 2025.
Is any African country moving from strategy to binding AI law?
A few are reported to be drafting binding instruments, with Nigeria, Morocco and Ethiopia among the most cited, and Egypt and Kenya signalling future AI laws within their strategies. Most have not.
Why does this article say the position may change?
Because AI governance in Africa is fast-moving. Strategies, ratifications and regulator activity are changing quickly, so specific figures and statuses should be checked against current sources.
