What is AI regulation in Lesotho?
AI regulation: countries and regions
Lesotho has no dedicated artificial intelligence law. As of mid-2026, AI is governed indirectly through the Data Protection Act 2011 (gazetted as Act No. 5 of 2012), sector rules made by the Lesotho Communications Authority under the Communications Act 2012, and a national AI Policy and Implementation Plan that remains in draft. The Data Protection Commission created by the 2011 Act has never been appointed, so any enforcement currently depends on the courts.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no AI statute, no AI regulator and no AI bill before Parliament in Lesotho. What exists is a data protection law from the early 2010s, a communications regulator with sector powers, and a set of draft digital and AI policies developed for the Ministry of Information, Communications, Science, Technology and Innovation (MICSTI) by the consultancy NRD Companies, with support from the United Nations Development Programme. Those policy documents set direction; they are not binding law.
The Data Protection Act 2011 is the closest binding instrument that touches AI. It sets principles for processing personal information and restricts decisions taken solely on the basis of automated processing. The Lesotho Communications Authority (LCA) regulates telecommunications, broadcasting and postal services and can issue rules, codes and guidelines, but it has no AI-specific mandate.
The draft AI Policy and Implementation Plan proposes a three-tier governance model and risk controls for higher-risk systems, but it is not yet enacted or, on the best available evidence, formally adopted by Cabinet. Treat it as a statement of intended direction rather than a rulebook you can be held to.
Why it matters
Organisations deploying AI in Lesotho cannot point to a single AI rulebook. Their duties come from the Data Protection Act 2011, sector licensing conditions set by the LCA, contract, and general law. This matters most where AI touches personal data: profiling, automated credit or eligibility decisions, biometric identity, and marketing.
A common and dangerous assumption is that the law is dormant because the regulator does not exist. It is not. The Data Protection Act has been in force since publication in 2012 and applies to anyone who collects, stores or processes personal information in Lesotho. Courts retain jurisdiction to hear claims, award damages and impose penalties, so the practical exposure is real even without an active Commission. Acting early also positions a business well for the day the Commission is constituted, because enforcement in peer African jurisdictions has tended to begin quickly and to look back at historic conduct.
How it works
No dedicated AI law exists yet
Lesotho has not enacted any AI-specific statute, and no AI bill is before Parliament. The government itself records this gap: per the OECD.AI policy database entry for Lesotho's Artificial Intelligence Policy and Implementation Plan, the strategy "addresses Lesotho's recognition that artificial intelligence is advancing rapidly worldwide while the country does not yet have AI-specific legislation or a coordinated governance framework." The honest position for any reader is that AI in Lesotho is governed by adjacent laws and by policy, not by a bespoke regime.
The Data Protection Act 2011
The Act was published in the Government Gazette on 22 February 2012 as Act No. 5 of 2012 and came into operation on the date of publication. It sets data protection principles familiar from other regimes: lawful and fair processing, purpose specification, minimality, retention limits, information security and quality. It establishes a Data Protection Commission consisting of a chairperson with legal expertise and five members with expertise across the social sector, business, information technology, finance and statistics.
The provision most relevant to AI is section 51 on automated decision making. It provides that a person may not be subjected to a decision that has legal effect on them, or that affects them significantly, based solely on the automated processing of personal information intended to profile aspects of their personality or habits, subject to exceptions for contracts and for decisions governed by law or code where appropriate safeguards exist. The Act also restricts processing of sensitive information and cross-border transfers, and it requires data controllers to notify the Commission. On penalties, section 55 provides that an offender "is liable, on conviction to a fine not exceeding M50 000.00 or to imprisonment for a period not exceeding 5 years or to both and if the offender is the juristic person the sentence shall be served by the Chief Executive Officer."
The Commission that does not exist in practice
The Data Protection Commission has never been appointed. Under the Act, members are appointed by the Prime Minister on the advice of the Minister, after a public call for candidates. The body remains legally established but not operational. This has two consequences. First, per ConsentStack's Lesotho Data Protection Act profile, "the Commission has never been appointed ... Penalties include fines of M50,000 and up to 5 years imprisonment, but enforcement requires court action as the Commission cannot impose fines directly." Second, day-to-day functions such as issuing guidance, approving codes of conduct, registering controllers and approving cross-border transfer mechanisms are not being performed, which leaves controllers without an authoritative interpreter of the Act.
The communications regulator
The Lesotho Communications Authority is a statutory body established in 2000 and operating under the Communications Act 2012 (Act No. 4 of 2012, in force from 27 April 2012). The Act states that the Authority shall be independent in performing its functions. It regulates telecommunications, broadcasting and postal services; it licenses operators, manages spectrum, approves tariffs, and can make rules, codes, directives, decisions and advisory guidelines and conduct competitive market analysis and regulatory impact assessment. The LCA has no dedicated AI mandate, but its rule-making, licensing and consumer-protection powers reach AI systems used within the communications sector, for example in network management, content moderation on licensed broadcast services, or SIM registration data handling.
National digital and AI policy
Lesotho has a National Digital Policy 2024 and a National Digital Transformation Strategy 2024 to 2030, both led by MICSTI, whose Minister was designated Government Chief Digital Officer by Cabinet in May 2023. The AI Policy and Implementation Plan was developed by NRD Companies for MICSTI as one of three linked frameworks (the others being a Data Management Policy and a Broadband and Shared Infrastructure Policy) and was validated at a three-day stakeholder workshop concluded in January 2025. The draft proposes a three-tier governance model: an AI policymaker, an independent AI regulator and a Data and AI Committee operating as a multi-stakeholder advisory platform. It contemplates AI ethics guidelines, bias mitigation, safety and risk-management protocols for high-risk AI systems, audit and reporting requirements, and a monitoring and evaluation framework from 2025 to 2030. Critically, these bodies are proposed, not created: no independent AI regulator exists as a legal entity, and the policy itself remains, on the best available public evidence, a draft awaiting formal adoption.
Regional and continental context
Lesotho's approach sits inside a Southern African and continental frame. The SADC Model Law on Data Protection 2013, produced under the ITU and European Union HIPSSA project, shaped Lesotho's data law and its cross-border transfer rules, which distinguish transfers to states that have transposed the SADC requirements from those that have not. At continental level, the AU Strategy on Artificial Intelligence "was adopted by the AU Executive Council during its 45th Ordinary Session held on ... 18th to 19th July 2024, in Accra, The Republic of Ghana." It includes a phased implementation plan from 2025 to 2030, beginning with preparatory activities in 2024, with Phase I (2025 to 2026) focused on creating governance frameworks, national AI strategies, resource mobilisation and capacity building. Lesotho also engages with the AU Convention on Cyber Security and Personal Data Protection (the Malabo Convention); see the caveats below on its ratification status.
Examples
A lender or fintech using automated credit scoring on Basotho customers must work within section 51 of the Data Protection Act. Where a decision has legal or significant effect and is based solely on automated profiling, the controller should rely on a recognised exception and give the affected person enough information to make representations about the decision.
A telecommunications licensee deploying AI for fraud detection, traffic management or chat-based customer service answers to the Lesotho Communications Authority through its licence conditions and the Authority's rules and guidelines, in addition to the Data Protection Act for any personal data involved. The LCA can issue directives and conduct adjudicatory hearings on consumer complaints.
A government ministry piloting AI in agriculture, health or revenue administration operates within the National Digital Transformation Strategy and the draft AI Policy. Because those instruments are policy rather than law, the binding constraints on such a pilot remain the Data Protection Act, public-law duties and any sector legislation, not the AI Policy itself.
Common misunderstandings
"Lesotho has an AI law." It does not. There is no AI statute and no AI bill before Parliament; AI is governed indirectly.
"The Data Protection Act is unenforceable because no Commission exists." The Act is in force, applies to all processing of personal data in Lesotho, and is justiciable in the courts, which can award damages and impose penalties.
"The AI Policy is binding." It is a draft policy framework, not legislation, and proposes institutions that have not been created.
"The Lesotho Communications Authority regulates AI." Its mandate covers telecommunications, broadcasting and postal services. It can reach AI used within those sectors, but it is not a general AI regulator.
"Once the Commission is appointed it will issue fines like a European authority." Under the Act as drafted, the Commission cannot impose administrative fines directly; sanctions run through the courts, and commentators consider its enforcement powers comparatively weak.
Risks and boundaries
This article describes Lesotho's governance landscape; it is not legal advice. Several elements are unsettled and could change.
The AI Policy and Implementation Plan is not law and, on the best public evidence, was not yet formally adopted by Cabinet or gazetted as of April 2026. A February 2026 government news item attributed to an ICT official said the Ministry had "successfully approved" the policy, but that is a ministerial-level statement framed as a step towards adoption, it cites no Cabinet decision or gazette number, and the OECD.AI database still classified the policy as under development in late April 2026. Treat formal adoption as unconfirmed.
The Computer Crime and Cyber Security Bill (variously dated 2021, 2022, 2023 and a 2024 National Assembly version) has been debated for years amid civil-society concern about free-expression clauses, but has not been enacted into a cyber law as of this writing. The Data Protection Commission is not operational, and the Act predates cloud, mobile money at scale, pervasive biometrics and AI-driven profiling, so it lacks explicit rights around algorithmic transparency.
Sources conflict on the Malabo Convention. Some accounts list Lesotho among the 15 states whose ratifications brought the Convention into force on 8 June 2023; another well-sourced analysis records Lesotho as having signed on 30 November 2023 but not yet ratified per an AU status list updated 8 July 2024. The AU's own latest status list cited in 2023 did not include Lesotho among ratifying states. What is confirmed is that Lesotho has at least signed and engaged with the Convention; its formal ratification status should be verified against the current AU depositary list before being relied on.
What to do next
Treat the Data Protection Act 2011 as binding now, not later. Map where your AI systems process personal data and build that mapping into a register.
Run an AI impact assessment for any system that profiles people or makes or supports decisions with legal or significant effects, and document a section 51 basis (contract, law or code) plus a route for individuals to make representations.
Apply data minimisation, purpose limitation, security and retention controls, and put written contracts in place with any processor or agent, including overseas vendors, addressing cross-border transfer rules.
Track three triggers that would change your obligations: formal adoption or enactment of the AI Policy and any AI-specific legislation; passage of the Computer Crime and Cyber Security Bill; and the appointment of the Data Protection Commission and any guidance it issues.
Align voluntarily with durable reference points: the AU Continental AI Strategy, SADC data norms, and recognised risk-based and impact-assessment practice, so that you are ready when binding rules arrive.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Lesotho have a dedicated AI law?
No. There is no AI statute and no AI bill before Parliament. AI is governed indirectly through data protection law, sector rules and policy.
What law applies most directly to AI in Lesotho?
The Data Protection Act 2011 (Act No. 5 of 2012), especially its principles and the section 51 restriction on decisions based solely on automated processing.
Is there an AI regulator?
No. The draft AI Policy proposes an independent AI regulator within a three-tier model, but that body has not been created in law.
Is the Data Protection Commission operational?
No. It is established on paper by the 2011 Act but has never been appointed, so enforcement currently runs through the courts.
How does the law treat automated decisions and profiling?
Section 51 prohibits decisions with legal or significant effect based solely on automated profiling, unless an exception applies, such as a contract or a law or code with appropriate safeguards.
Who regulates communications and could that reach AI?
The Lesotho Communications Authority, under the Communications Act 2012. It regulates telecommunications, broadcasting and postal services and can make rules and guidelines, but it is not a general AI regulator.
Has Lesotho adopted the African Union AI Strategy?
Lesotho aligns its draft policy with the AU Continental Artificial Intelligence Strategy, which the AU Executive Council adopted in July 2024 in Accra, Ghana.
Has Lesotho ratified the Malabo Convention?
This is uncertain. Sources differ on whether Lesotho has ratified or only signed; verify against the current AU status list.