What is AI regulation in Mauritius?
AI regulation: countries and regions
Mauritius does not yet have a dedicated AI law. Today, AI governance mainly comes from the Data Protection Act 2017, enforced by the Data Protection Office, plus policy material such as the early Mauritius Artificial Intelligence Strategy and the 2026 "AI for Mauritius" strategy with FAIR guidelines. In practice, organisations using AI should focus on lawful data use, data protection impact assessments, cross-border transfer rules and limits on solely automated decisions.
What this means
Mauritius is still in an early stage of AI governance. The country now has national AI strategy material and official AI institutions, but it does not yet have a standalone AI Act or a single dedicated AI regulator. That means the current framework is a mix of hard law and policy guidance.
The hard law is the Data Protection Act 2017. If an AI system uses personal data, especially for profiling, scoring, ranking, monitoring, or other significant decisions, that Act is the main legal reference point. It covers automated processing, gives people rights over their data, and can require impact assessments, prior consultation and safeguards for overseas transfers.
Alongside that, Mauritius is trying to build a wider AI and digital economy posture. Official strategy documents present AI as part of a broader plan to modernise public services, grow the digital economy and position Mauritius as a trusted regional digital and AI hub. That policy direction matters, but it should not be confused with binding AI-specific legislation.
Why it matters
For founders, operators, buyers and governance leads, the practical point is simple: you cannot wait for a future AI Act before doing governance work. If your system handles customer records, employee data, application data, health data, financial data, or public-sector records, current Mauritian law already creates duties around fairness, transparency, security, documentation and human review.
This matters most in higher-friction use cases such as credit scoring, hiring, fraud monitoring, customer support automation, public service assistants and any deployment that sends personal data to overseas vendors or model providers. Mauritius is also presenting itself as a trusted digital jurisdiction, so organisations that can show disciplined data handling and responsible AI controls will be in a stronger position commercially and operationally.
How it works
No dedicated AI statute
Mauritius has moved from early strategy work to a more formal national policy framework, but not yet to a dedicated AI Act. An early Mauritius Artificial Intelligence Strategy argued that AI needed a stronger regulatory, ethics and data protection environment. Official 2025 policy documents then described a new national AI strategy as forthcoming. In February 2026, Cabinet agreed to adopt "AI for Mauritius" as the national guiding policy framework, supported by FAIR guidance, and expressly said those guidelines will evolve into AI regulations as the ecosystem matures. That is the key status point: Mauritius now has an official national AI policy framework, but not yet a dedicated AI law.
Data protection is the binding core
The Data Protection Act 2017 is the main binding law that applies to AI uses involving personal data. It came into force on 15 January 2018. The Act applies to personal data processing by automated means and also to non-automated processing in filing systems. It requires personal data to be processed lawfully, fairly and transparently, collected for specific purposes, minimised, kept accurate, retained only as long as necessary, and handled in line with data subject rights. The Act also places accountability duties on controllers and processors, including registration subject to statutory exceptions, records of processing, security measures, data protection impact assessments, prior authorisation or consultation in some cases, and designation of an officer responsible for data protection compliance issues.
High-risk AI uses attract extra controls
Mauritius already has a risk trigger for certain kinds of AI use, even without a dedicated AI law. Where processing is likely to present a high risk to rights and freedoms, the Act requires a data protection impact assessment before processing starts. The Act specifically points to systematic and extensive evaluation based on automated processing, including profiling, when decisions produce legal effects or significantly affect the person. It also covers large-scale processing of special categories of personal data and systematic monitoring of publicly accessible areas on a large scale. Where the Office considers the intended processing non-compliant, especially because risks are not properly identified or mitigated, it may prohibit the intended processing and propose corrective steps.
Automated decisions and overseas transfers already have rules
The Act gives data subjects a specific protection against decisions based solely on automated processing, including profiling, where the decision produces legal effects or significantly affects them. That does not make all automation unlawful, but it does mean organisations need to look closely at exceptions, notice, human review and practical safeguards. The Act also regulates transfers of personal data outside Mauritius. A transfer can occur where appropriate safeguards are shown to the Commissioner, or where another permitted ground applies, such as explicit consent after the data subject is informed of the risks. Where suitable safeguards are missing, prior authorisation by the Office is required. For many AI procurements, especially cloud-based tools, transfer analysis is therefore a core part of governance rather than an afterthought.
The Data Protection Office is the key authority for privacy-linked AI use
Mauritius does not currently have a single all-purpose AI regulator. The most important existing authority for AI governance questions is the Data Protection Office, because many real AI deployments rely on personal data. The Office is established by statute and is meant to act independently. Its functions include ensuring compliance with the Act, maintaining the register of controllers and processors, controlling processing operations, investigating complaints, monitoring developments in data processing, and examining proposals for automated decision making that may adversely affect privacy. The Commissioner can investigate complaints, require information, issue enforcement notices, carry out compliance audits, and have decisions reviewed on appeal by the Tribunal. So while Mauritius has no general AI watchdog, it does already have a functioning authority for privacy-linked AI controls.
Mauritius is building AI institutions and a regional posture
Official material now shows a clear state-building effort around AI. The AI Unit under the Ministry of Information Technology, Communication and Innovation presents a framework based on FAIR principles and risk-proportionate oversight. The same official platform says Mauritius wants to shape trusted AI governance, transform public services, build an AI ecosystem, enable data and AI infrastructure and position the country on the global AI stage. Mauritius's broader digital strategy has for years framed the country as an African ICT leader and a regional digital hub. More recent official material describes Mauritius as a trustworthy jurisdiction for data handling, links AI to digital transformation and public services, and presents Mauritius as a trusted regional AI leader with international collaboration ambitions. The African Union's Continental Artificial Intelligence Strategy adds wider regional context, but it does not itself create Mauritian domestic rules.
Examples
A bank or lender using AI for credit scoring in Mauritius should not treat this as unregulated experimentation. Official AI strategy material expressly identified credit rating and loan management as a target use case. If the tool relies on profiling or other automated evaluation that could significantly affect an applicant, the Data Protection Act can require a DPIA, transparency about the processing, and a route away from unlawful solely automated decisions.
A hotel, bank or government body rolling out a chatbot or automated customer support tool should treat it as more than an efficiency project. Mauritius's early AI strategy listed chatbots and automated customer support as likely applications for banks, hotels and governmental institutions. Once those systems process personal data, the controller must meet the Act's principles on fairness, purpose limitation, minimisation, security, records and data subject rights. If the service depends on an overseas provider, transfer-related checks also become part of the compliance work.
A ministry or public body building an AI-enabled service assistant sits inside a growing policy layer, not a bespoke AI statute. The National Data Strategy describes DIVA, the Digital Interactive Virtual Assistant, as a key part of digital transformation and says public-sector AI should follow a lifecycle and risk-based governance framework. In practice, that means a public deployment would be expected to fit the FAIR-based national policy direction while still complying with the Data Protection Act whenever personal data is involved.
Common misunderstandings
Misunderstanding: "Mauritius already has an AI Act." Correction: it does not. The current framework is mainly data protection law plus strategy and guideline material.
Misunderstanding: "The Data Protection Office is a full AI regulator." Correction: it is the key authority for privacy and personal-data questions, not a single regulator for every AI risk.
Misunderstanding: "FAIR guidance is already binding legislation." Correction: the guidance is policy material. Cabinet said it is intended to evolve into AI regulations later.
Misunderstanding: "If a human is somewhere in the loop, data protection law drops away." Correction: duties around lawful processing, records, security, impact assessment and transparency can still apply.
Misunderstanding: "Using a foreign AI vendor takes the issue outside Mauritian law." Correction: a Mauritian controller still has duties under the Data Protection Act, including transfer-related duties.
Risks and boundaries
Mauritius's present framework has real limits. It does not yet provide a dedicated AI statute covering general-purpose AI, model safety, frontier-system controls, sector-wide algorithmic accountability, or a single AI liability regime. Many current compliance duties bite only when personal data is involved, or when another body of law such as contract, procurement, cyber, telecoms, consumer or sector rules applies.
The legal position is also still moving. Official 2025 documents described the national AI strategy and AI Unit as future measures, while Cabinet confirmed adoption of the national AI strategy in February 2026. Official policy materials now speak openly about future AI regulations, but the exact timing and legal form remain uncertain. The National Data Strategy also points to future modernisation of data protection law, yet that does not change the current statute until formal legal amendments are made.
Finally, regional context should not be overstated. The African Union's Continental Artificial Intelligence Strategy is relevant background for Mauritius's policy direction, but it is not automatically part of domestic Mauritian law.
What to do next
Treat AI governance in Mauritius as a live combination of law and policy, not as a blank space.
Map every AI use case that touches personal data, special-category data, children, public records or overseas processing.
Build a DPIA trigger into procurement and product change control, especially for profiling, scoring, ranking, surveillance and other systems that could significantly affect a person.
Put human review, complaint handling and clear notices around any system that could materially affect access to work, credit, insurance, services or public benefits.
Review vendor contracts, security measures, retention settings and transfer safeguards before sending any personal data to external AI providers.
Keep watching official updates from the Data Protection Office, the AI Unit and Cabinet, because Mauritius is clearly moving toward a more detailed AI framework even though no dedicated AI law is in force yet.
FAQs
Does Mauritius have a dedicated AI law?
No. Mauritius currently relies on the Data Protection Act 2017 and national AI policy material rather than a standalone AI Act.
What is the main binding law for AI in Mauritius?
The main binding law is the Data Protection Act 2017, especially where AI systems process personal data or use profiling.
Is there a dedicated AI regulator in Mauritius?
Not yet. The Data Protection Office is the main existing authority for privacy-linked AI use, but Mauritius does not currently have a single all-purpose AI regulator.
When is a data protection impact assessment likely to be required?
A DPIA is likely to be required where processing presents a high risk to rights and freedoms, including systematic and extensive profiling that has legal or similarly significant effects.
Are solely automated decisions allowed?
The Act gives people the right not to be subject to decisions based solely on automated processing, including profiling, where those decisions have legal or significant effects, subject to limited exceptions.
Can personal data be sent abroad for AI processing?
Yes, but only under the Act's transfer rules, for example where appropriate safeguards are shown or another permitted ground applies. The Commissioner can also prohibit, suspend or condition transfers.
Are the FAIR Guidelines already legally binding?
Not as a dedicated AI statute. They are policy guidance supporting the national strategy, and Cabinet has said they are meant to evolve into AI regulations later.
Does the African Union's AI strategy apply directly in Mauritius?
No. It is an important regional policy reference point, but it does not automatically become Mauritian domestic law.