What is AI regulation in Mauritania?
AI regulation: countries and regions
Mauritania has no dedicated artificial intelligence law, regulator or binding AI rules. AI is instead governed by general instruments: Law No. 2017-020 on the protection of personal data, enforced by the Autorite de Protection des Donnees a Caractere Personnel (APD); the multi-sector regulator (Autorite de Regulation, ARE); and a National Artificial Intelligence Strategy for 2024 to 2029, which remains a policy document rather than enforceable law. Mauritania also sits within African Union and Arab regional frameworks.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no statute in Mauritania that regulates artificial intelligence as such. If you build, buy or deploy an AI system in Mauritania, the rules that actually bind you are the general ones: the data protection law of 2017, the cybercrime and electronic transactions laws, sector regulation, and the constitutional protection of private life. These were written before the current wave of AI, but they apply to AI the same way they apply to any other technology that processes personal data or runs over telecoms networks.
On top of that general law sits a policy layer. The Ministry of Digital Transformation, Innovation and Modernization of Administration (MTNIMA) produced a National Artificial Intelligence Strategy covering 2024 to 2029. It sets priorities such as skills, research, data governance, ethical AI and sectoral projects. It is a strategy, not a binding regulation: it does not create offences, licences or penalties, and it does not establish an AI regulator.
Mauritania is also part of wider regional efforts. It is a member of the African Union, which adopted a Continental Artificial Intelligence Strategy in July 2024, and it is an Arab state engaged with regional and Arab League digital work. None of these continental instruments is directly binding domestic AI law, but they shape the direction Mauritania is expected to travel.
Why it matters
For organisations, the practical point is that AI compliance in Mauritania runs through data protection, not through any AI-specific code. If your system processes personal data, Law 2017-020 governs lawful basis, purpose limitation, security, cross-border transfers and the rights of individuals, and the APD is the authority that can review and sanction you. Telecoms-based services touch the ARE. Knowing that there is no AI statute prevents two errors: assuming there is a bespoke AI licence to obtain (there is not), and assuming AI is unregulated (it is not, because general law still applies).
How it works
No dedicated AI statute
As of mid-2026, Mauritania has not enacted any law, decree or bill that regulates artificial intelligence specifically. There is no AI Act, no AI regulator and no risk-tiering of AI systems. The governing material is general law plus policy. This is the single most important fact for anyone assessing the jurisdiction.
Data protection: Law No. 2017-020
The central instrument is Law No. 2017-020 of 22 July 2017 on the protection of personal data. It sets principles familiar from European-style frameworks: lawful, fair processing; collection for explicit, legitimate purposes; data minimisation; retention limits; and individual rights including information, access, rectification, objection and erasure. It restricts transfers of personal data abroad unless the destination offers an adequate level of protection or other conditions are met, with the APD maintaining the list of adequate countries. Controllers must complete prior formalities (declaration, authorisation, or processing subject to the APD's opinion) depending on the sensitivity of the processing.
The data protection authority (APD)
Article 64 of the law creates the Autorite de Protection des Donnees a Caractere Personnel (APD), a public-law body that is independent, has legal personality and financial and management autonomy, and is attached to the Prime Minister. After a delay, the implementing decree on the APD's composition, organisation and functioning was adopted in February 2022 (Decret No. 2022-013 PM), the President and members took their oath before the Supreme Court on 4 June 2023, and the Authority is now operational under President Mohamed Lemine Ould Sidi, holding documented monthly meetings and issuing deliberations that authorise data processing.
The multi-sector regulator (ARE)
The Autorite de Regulation (ARE) was established by Law No. 2001-018 of 25 January 2001 as an independent multi-sector regulator covering telecommunications, post, water and electricity, attached to the Prime Minister. The ARE licenses and supervises telecoms operators, manages spectrum and enforces quality of service; in November 2024 it fined the country's three mobile operators and shortened parts of their licences for quality-of-service failures. It is not an AI regulator, but because AI services often ride on regulated electronic communications, the ARE is part of the institutional landscape.
The National AI Strategy 2024 to 2029
MTNIMA produced a National Artificial Intelligence Strategy for 2024 to 2029. Per the OECD.AI Policy Observatory, the April 2024 draft is organised around five strategic priorities, twelve objectives and thirty measures: building human capacity in AI and data science; research and innovation; regional and international cooperation; data governance for AI; and ethical AI. It names priority sectors including healthcare, education, agriculture, fishing, transport, energy and defence. Importantly, the document remains a draft and consultation strategy: the version on the ministry's own server is labelled "Draft April-2024", and no Council of Ministers adoption instrument or decree giving it legal force has been published.
Adjacent digital and cyber law
Mauritania has built a digital legal base over the past decade: the 2016 framework law on the Mauritanian Information Society, Cybercrime Law No. 2016-007, and a 2018 law on electronic transactions. It also adopted an Agenda National de Transformation Numerique 2022-2025 and a Strategie Nationale de Securite Numerique 2022-2025. These shape how AI is deployed in practice even though none targets AI specifically.
Regional and continental context
Mauritania ratified the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) on 9 May 2023, becoming the fifteenth ratifying state and triggering the Convention's entry into force on 8 June 2023. It is a member of the African Union, whose Executive Council adopted the Continental Artificial Intelligence Strategy at its 45th Ordinary Session on 18 to 19 July 2024 in Accra, Ghana. As the Future of Privacy Forum summarises, that strategy emphasises five focus areas (harnessing AI's benefits, building AI capabilities, minimising risks, stimulating investment, and fostering cooperation), which give rise to fifteen action points, with an implementation timeline from 2025 to 2030 and a preparatory phase in 2024. Mauritania is also an Arab state and an ESCWA member engaged in regional digital cooperation. It left the Economic Community of West African States in 2000, so West African community law does not bind it in the way it binds ECOWAS members.
Examples
1. A fintech deploying an AI credit-scoring model in Nouakchott has no AI licence to obtain, but it must comply with Law 2017-020: identify a lawful basis, complete the relevant prior formality with the APD, secure the data, honour individuals' rights, and observe transfer restrictions if model training or hosting is abroad.
2. A health provider piloting an AI diagnostic tool is processing sensitive data. Under the data protection law this falls into the stricter formalities, likely requiring authorisation or the APD's prior opinion, plus strong security and clear retention rules. The AI Strategy flags healthcare as a priority sector but adds no separate compliance step.
3. A telecoms operator using AI for network optimisation or fraud detection answers to the ARE for its licence and quality-of-service obligations and to the APD for any personal data involved. Neither regulator applies an AI-specific rulebook; each applies its existing mandate.
Common misunderstandings
Misconception: Mauritania has an AI law or AI Act. It does not. There is no dedicated AI statute, no AI regulator and no risk-based AI tiering as of mid-2026.
Misconception: The National AI Strategy is binding regulation. It is a policy and planning document. It sets priorities and measures but creates no offences, licences or penalties, and it has not been adopted by decree.
Misconception: Because there is no AI law, AI is unregulated. General law still applies, especially data protection, cybercrime and electronic transactions law, plus sector rules.
Misconception: The data protection law never came into force. Although implementation was delayed for years, the implementing decree was adopted in 2022 and the APD became operational in 2023.
Misconception: The ARE regulates AI. The ARE is a multi-sector regulator for telecoms, post, water and electricity; it has no AI-specific mandate.
Risks and boundaries
The clearest boundary is that nothing in Mauritania currently regulates AI as a distinct category. Organisations cannot rely on an AI-specific safe harbour or licence because none exists. The National AI Strategy's legal status is limited: it is a draft and planning instrument, and figures differ across versions. A later draft catalogued by the Digital Watch Observatory as "Draft 3" for 2025 to 2029 references six core priorities rather than the five in the April 2024 draft, which signals the strategy is still evolving and has not been finalised in law. The data protection regime, while now operational, is younger in practice than its 2017 date suggests, and detailed enforcement precedent is thin. Anyone needing certainty on a specific obligation should check the Journal Officiel and the APD directly rather than rely on the strategy. Treat any claim of a Mauritanian AI statute or AI regulator with caution; the sources do not support one.
What to do next
Map your AI use to data protection first: identify personal data, lawful basis, prior formalities with the APD, security and transfer arrangements. Build an AI impact or data protection assessment into deployment even though it is not separately mandated, because it is the most defensible posture under Law 2017-020. Watch the MTNIMA and APD sites for any move from strategy to binding rule. Track the African Union Continental AI Strategy and the Malabo Convention, since Mauritania is committed to both and future domestic rules are likely to align. Document governance now so that you are ready if a dedicated framework arrives.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Mauritania have a law specifically regulating AI?
No. As of mid-2026 there is no dedicated AI law, AI regulator or risk-based AI framework in Mauritania.
What law governs AI that processes personal data?
Law No. 2017-020 of 22 July 2017 on the protection of personal data, enforced by the APD.
Is there a national AI strategy?
Yes. MTNIMA produced a National Artificial Intelligence Strategy for 2024 to 2029, but it is a policy document, not binding law, and has not been adopted by decree.
Who is the data protection regulator?
The Autorite de Protection des Donnees a Caractere Personnel (APD), created by Article 64 of Law 2017-020 and operational since 2023.
Does the telecoms regulator ARE handle AI?
No. The ARE regulates telecoms, post, water and electricity. It has no AI-specific mandate, though AI services may touch its sectors.
Is Mauritania bound by the African Union Continental AI Strategy?
The AU adopted the Continental AI Strategy in July 2024 as guidance, not binding law. Mauritania is an AU member and engages with it, but it does not directly create domestic AI obligations.
Did Mauritania ratify the Malabo Convention?
Yes. Mauritania ratified it on 9 May 2023, becoming the fifteenth state and triggering its entry into force on 8 June 2023.
What should a company deploying AI in Mauritania do?
Treat it as a data protection and cybersecurity compliance task, complete APD formalities, and monitor for new AI-specific rules.