What is AI regulation in Malawi?

Malawi has no dedicated artificial intelligence law or adopted national AI strategy as of mid-2026. AI is governed indirectly, mainly through the Data Protection Act 2024, which is administered by the Malawi Communications Regulatory Authority (MACRA) acting as the designated Data Protection Authority. A draft National Artificial Intelligence Strategy and a draft National Digital Transformation Strategy were under validation in early 2026 but had not been formally adopted.

Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026

What this means

Malawi does not regulate AI as a distinct subject. There is no statute that defines an AI system, classifies AI by risk, or creates an AI regulator. Instead, anyone building or deploying AI in Malawi is governed by general laws that happen to apply, above all the Data Protection Act 2024, which controls how personal data is processed, including by automated means.

The Data Protection Act came into operation on 3 June 2024 and designates MACRA, the communications regulator, as the Data Protection Authority. The Act gives people rights over their personal data, places duties on organisations, and contains provisions directly relevant to AI: a right not to be subject to certain solely automated decisions, and a duty to carry out data protection impact assessments for high-risk processing that includes automated processing and profiling.

At the policy level, Malawi has signalled intent rather than enacted rules. The National Digitalisation Policy 2023 to 2028 sets the digital direction, and the government has been developing a draft National Artificial Intelligence Strategy with United Nations support. Until that strategy is finalised and any AI-specific legislation is passed, the durable architecture for AI governance in Malawi rests on data protection, communications and cybercrime law.

Why it matters

For organisations, the absence of a dedicated AI law does not mean an absence of obligations. If your AI system processes personal data about people in Malawi, the Data Protection Act applies regardless of where your organisation is based. That brings concrete duties: lawful bases for processing, transparency, data minimisation, breach notification to MACRA within 72 hours, restrictions on transferring data outside Malawi, and the appointment of a data protection officer where you carry out large-scale or sensitive processing.

Two duties matter most for AI builders. First, high-risk processing, expressly including the use of automated processing systems and profiling on a large scale, triggers a mandatory data protection impact assessment that must be submitted to MACRA before processing begins. Second, individuals have a right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Get these wrong and you face regulatory action and reputational damage; treat them as your compliance baseline and you are aligned with where Malawi, and the wider African Union direction, is heading.

How it works

No dedicated AI statute or AI regulator

There is no Malawian AI Act, AI bill or AI authority. This is the honest starting point. AI is regulated only to the extent that general laws reach it. The most important of these is data protection law, supported by communications law and cybercrime law. Statements that Malawi has an AI regulatory regime overstate the position: what exists is a data protection regime that captures many AI use cases plus policy work that is still in draft.

The Data Protection Act 2024 and MACRA

The Data Protection Act 2024 (Act No. 3 of 2024) was passed by Parliament and came into operation on 3 June 2024 by commencement notice. It designates the Malawi Communications Regulatory Authority, established under the Communications Act, as the Data Protection Authority responsible for implementation and enforcement. The Act replaced Part IV of the Electronic Transactions and Cyber Security Act as the primary data protection regulation and gives effect to the right to privacy in the Constitution.

The Act sets out processing principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality) and lawful bases for processing. It grants data subjects rights including access, rectification, erasure, restriction, portability, objection, and a right concerning automated decision-making. It imposes duties on controllers and processors: keeping records of processing activities, conducting data protection impact assessments for high-risk processing, appointing a data protection officer in defined cases, notifying breaches to MACRA within 72 hours, and registering with MACRA where they are controllers or processors of significant importance (those processing the data of more than 10,000 subjects in Malawi, or data of significance to the economy, society or security of Malawi).

The provisions that bite on AI

Two provisions are the practical core of AI governance in Malawi today. The automated decision-making provision gives individuals a right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, subject to exceptions. The data protection impact assessment duty applies where processing is likely to result in high risk, and the Act lists triggers that read like a description of AI: using automated processing systems, profiling, large-scale processing of sensitive data or criminal-conviction data, and large-scale monitoring of publicly accessible areas. Such assessments must be submitted to MACRA before processing.

Transition periods

The Act phases in compliance. Controllers and processors of significant importance were given six months from commencement to comply. Ordinary controllers and processors were given a longer window of 24 months from commencement. Organisations should treat these transition windows as expired or close to expiry and operate as if full compliance is expected.

Communications and cybercrime law

MACRA's core mandate comes from the Communications Act 2016, which makes it the regulator of electronic communications, broadcasting and postal services, with powers to license providers, protect consumers and set standards. Separately, the Electronic Transactions and Cyber Security Act 2016 (Act No. 33 of 2016) governs electronic transactions and electronic evidence, establishes the Malawi Computer Emergency Response Team, and criminalises a range of computer-related offences. None of these laws regulates AI as such, but they form the legal environment in which AI services operate, for example where an AI product is delivered as an electronic communications service or processes data that becomes electronic evidence.

Policy and strategy: still in draft

The National Digitalisation Policy 2023 to 2028 replaced the National ICT Policy of 2013 and is the current digital policy framework, aligned with the long-term vision Malawi 2063 and its First 10-year Implementation Plan, and with the African Union Digital Transformation Strategy for Africa 2020 to 2030. Building on this, the Ministry of Information and Digitalisation, through its Department of e-Government and in partnership with the United Nations Development Programme, has been developing a draft National Artificial Intelligence Strategy alongside a draft National Digital Transformation Strategy. These were in validation in early 2026 and had not been formally adopted. Malawi has also taken part in UNESCO's AI Readiness Assessment Methodology work in Southern Africa, with Malawi among the first pilot countries.

Regional and continental context

Malawi sits within several overlapping frameworks. The African Union adopted its Continental Artificial Intelligence Strategy at the 45th Ordinary Session of its Executive Council, held on 18 and 19 July 2024 in Accra, Ghana; it is a non-binding guidance framework that encourages member states to develop national strategies and to strengthen data governance as a prerequisite for responsible AI, with a preparatory phase in 2024 and an implementation horizon of 2025 to 2030. At the Southern African Development Community level, a SADC Model Law on Data Protection was produced under the ITU and European Commission HIPSSA project to encourage harmonised data protection across the region. The African Union Convention on Cyber Security and Personal Data Protection, known as the Malabo Convention (adopted on 27 June 2014 in Malabo), entered into force on 8 June 2023 after the fifteenth ratification, but Malawi is not among the ratifying states.

Examples

A fintech lender in Lilongwe wants to use a machine-learning model to approve or decline loans automatically. Because the model processes personal data and may make decisions based solely on automated processing with significant effects, the lender must consider the automated decision-making right, build in human review or another lawful basis, and carry out a data protection impact assessment that is submitted to MACRA before going live.

A health programme deploys an AI triage tool that processes patients' health data at scale. Health data is sensitive data under the Act, so large-scale processing triggers the high-risk assessment duty and likely requires appointing a data protection officer. The programme must also be ready to notify MACRA within 72 hours of any breach affecting that data.

A retailer based outside Malawi runs an AI recommendation engine that targets shoppers in Malawi. Because the Act applies to processing that targets individuals in Malawi regardless of where the organisation sits, the retailer must meet the Act's principles, honour data-subject rights, and ensure any transfer of personal data out of Malawi relies on an approved safeguard.

Common misunderstandings

"Malawi has an AI law." It does not. There is no AI statute and no AI regulator. AI is governed indirectly through data protection, communications and cybercrime law.

"There is nothing to comply with yet." Wrong. The Data Protection Act 2024 is in force and its automated decision-making and impact-assessment provisions apply directly to many AI systems now.

"A data protection authority separate from the telecoms regulator runs this." The communications regulator, MACRA, is the designated Data Protection Authority. There is no separate, independent AI or privacy commission with its own statute.

"The national AI strategy is already law." A National Artificial Intelligence Strategy was in draft and under validation in early 2026; a strategy is policy, not legislation, and it had not been adopted.

"Malawi is bound by the African Union and SADC AI rules." The Continental AI Strategy is non-binding guidance, the SADC instrument is a model law, and Malawi has not ratified the Malabo Convention.

Risks and boundaries

This article describes a fast-moving but immature framework. What is confirmed: the Data Protection Act 2024 is in force, MACRA is the Data Protection Authority, and the Act contains automated decision-making and impact-assessment provisions that reach AI. What is pending or uncertain: the National Artificial Intelligence Strategy and the National Digital Transformation Strategy were drafts under validation in early 2026 and may change in content, name or timing before adoption; reviews of communications and cyber legislation have been signalled but should be verified against the gazette before reliance. What this is not: it is not a dedicated AI regulatory regime, and it is not legal advice. Practical enforcement capacity is still developing, and the precise status of MACRA's registration process and guidance should be checked directly with MACRA. Where a date or institutional detail matters to a decision, verify it against the Act, the commencement notice and MACRA's own publications rather than secondary summaries.

What to do next

Treat the Data Protection Act 2024 as your operative AI rulebook in Malawi. Map where your AI systems process personal data of people in Malawi, and confirm a lawful basis for each use.

Run a data protection impact assessment for any AI involving automated processing, profiling, sensitive data at scale or public-space monitoring, and be prepared to submit it to MACRA before processing.

Build human review into any system that makes significant decisions about people solely by automated means, so you can honour the automated decision-making right.

Check whether you are a controller or processor of significant importance (for example, processing data on more than 10,000 people in Malawi) and, if so, complete registration with MACRA and appoint a data protection officer.

Stand up breach detection and a 72-hour notification process, and document cross-border transfer safeguards for any data leaving Malawi.

Track the draft National Artificial Intelligence Strategy and any legislative reviews. Use the African Union Continental AI Strategy and recognised impact-assessment practice as your forward-looking benchmark, since Malawi's direction aligns with strengthening data governance as the foundation for AI.

FAQs

Does Malawi have a dedicated AI law?

No. As of mid-2026 there is no AI statute and no AI regulator. AI is governed indirectly, principally through the Data Protection Act 2024.

Who regulates data protection in Malawi?

The Malawi Communications Regulatory Authority (MACRA), which is designated as the Data Protection Authority under the Data Protection Act 2024 and also acts as the communications regulator.

When did the Data Protection Act take effect?

It came into operation on 3 June 2024 by a commencement notice, after being passed by Parliament and gazetted.

What does the Act say about automated decisions?

It gives individuals a right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, subject to exceptions.

When must I do a data protection impact assessment?

When processing is likely to be high risk, which the Act says includes using automated processing systems, profiling, large-scale processing of sensitive or criminal data, and large-scale monitoring of public areas. The assessment goes to MACRA before processing.

Is there a national AI strategy?

A draft National Artificial Intelligence Strategy and a draft National Digital Transformation Strategy were under validation in early 2026, led by the Ministry of Information and Digitalisation with UNDP support, but had not been formally adopted.

Does the law apply to organisations based outside Malawi?

Yes, if you process personal data in Malawi or target individuals in Malawi, the Act applies regardless of where you are based.

Has Malawi ratified the African Union Malabo Convention?

No. The Malabo Convention entered into force on 8 June 2023, but Malawi is not among the states that have ratified it.
