What is AI regulation in the Republic of the Congo?
AI regulation: countries and regions
The Republic of the Congo (Congo-Brazzaville) has no dedicated artificial intelligence law. AI is governed indirectly through its 2019 personal data protection law, the telecoms and posts regulator (ARPCE), and policy documents rather than a binding AI statute. A national AI strategy was being drafted in 2026 with United Nations Development Programme support, and a 2026 scientific research law signalled an AI ethics committee, but neither creates enforceable AI-specific duties yet. Do not confuse it with the Democratic Republic of the Congo.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
The Republic of the Congo, also called Congo-Brazzaville after its capital, is a Central African state of about 6.1 million people, a young population with close to half aged under 18. It is a separate country from its much larger neighbour, the Democratic Republic of the Congo (DRC, capital Kinshasa), which has its own distinct laws. This article covers only Congo-Brazzaville.
As of mid 2026, Congo-Brazzaville does not regulate AI through a single dedicated statute. Instead, anyone deploying AI in the country must work with the general legal building blocks that already exist: a personal data protection law passed in 2019, sector rules for electronic communications enforced by the regulator ARPCE, and national digital policy. AI itself is referenced mainly in strategy and policy work that is still being written.
In practice this means the rules that bite hardest on an AI system today are data protection and telecoms rules, not AI-specific ones. The government has publicly committed to building an ethical and regulatory framework for AI, and has created research and policy institutions to support that, but the durable legal architecture is data protection plus digital policy rather than an AI Act.
Why it matters
For founders, operators and buyers, the absence of a dedicated AI law does not mean the absence of legal risk. If your AI system processes personal data about people in Congo-Brazzaville, the 2019 data protection law applies in full: lawful basis, prior formalities, data subject rights, security duties and cross-border transfer limits. Penalties under that law are significant, with fines reaching up to 100 million CFA francs.
It also matters because the picture is moving. A data protection authority was created in law in 2025, a national AI strategy entered drafting in 2026, and a research law referenced AI ethics. The government frames this as catching up: at the May 2026 strategy launch the minister noted that sub-Saharan Africa accounts for under 3 per cent of the world's AI-related patents, positioning a national framework as a way to close that gap. Organisations that build governance around durable principles now, rather than waiting for an AI Act, will adapt more cheaply when binding rules arrive. Finally, the Central African and African Union context shapes direction: Congo has ratified the African Union (Malabo) Convention and sits inside CEMAC and ECCAS, so future rules are likely to track regional and continental templates rather than diverge from them.
How it works
No dedicated AI statute yet
There is no AI Act, no AI bill in force, and no standalone AI regulator in the Republic of the Congo. Governance of AI is assembled from data protection law, electronic communications rules, and national digital and research policy. Where you see AI named in Congolese instruments, it is generally in strategy or framework language rather than in binding, enforceable obligations specific to AI systems.
The data protection law that does the work
The operative law is Law No. 29-2019 of 10 October 2019 on the protection of personal data, published in the Journal Officiel and in force. It follows the Francophone African model: it defines personal data and sensitive data, requires a lawful basis (typically explicit consent, with exceptions), grants rights of access, rectification, erasure and objection, imposes security and confidentiality duties, restricts transfers abroad to countries offering adequate protection, and relies on a prior notification or authorisation system administered by a supervisory Commission. It applies to public and private bodies and reaches foreign entities that process data using means in the country.
The data protection authority: created in law, not yet operational
The 2019 law foresaw a Commission to supervise data processing, but that body was not established for years. The government approved a bill to create it in the Council of Ministers on 3 July 2024, and Law No. 5-2025 of 29 March 2025 formally created the Commission Nationale pour la Protection des Donnees a Caractere Personnel (CNPD). Official sources confirm the law creating the CNPD, but there is no official confirmation that the Commission is staffed, funded and operational. Treat the authority as legally established but not yet verifiably functioning, which means that in practice compliance and disputes currently rest on the statute itself and the general courts.
The telecoms and posts regulator (ARPCE)
The Agence de Regulation des Postes et des Communications Electroniques (ARPCE) is the state regulator for posts and electronic communications, established by Law No. 11-2009 of 25 November 2009 and placed under the ministry responsible for posts, telecommunications and the digital economy. ARPCE is not an AI regulator, but it is the most active digital regulator and it has begun engaging with AI. From 12 to 16 January 2026 it convened a five-day strategic seminar on digital regulation in Brazzaville addressing AI, blockchain, crypto-assets and satellite technologies, framed as preparation for a Congolese vision of digital regulation; its director general, Louis-Marc Sakala, used the event to stress that technology is evolving faster than the capacity to regulate it.
National digital and AI policy
The national digital economy strategy, Vision Congo Digital 2025, was approved by the Council of Ministers in May 2019 and given effect by decree in June 2019; it rests on three pillars, e-citizen, e-government and e-business. On AI specifically, the government launched the technical committee tasked with drafting a national AI strategy on 6 May 2026 in Brazzaville, with technical and financial support from the United Nations Development Programme (UNDP/PNUD). The committee was given six months to produce eleven strategic deliverables, with an estimated budget of 150 to 200 million CFA francs, across three phases (scoping and diagnosis, consultation and benchmarking, then final drafting), with a horizon of 2030. The Republic of the Congo also hosts the Centre Africain de Recherche en Intelligence Artificielle (CARIA), created by Law No. 14-2024 of 23 May 2024, with statutes approved in Council of Ministers in July 2025, based at the Denis Sassou Nguesso University at Kintele and supported by the United Nations Economic Commission for Africa.
An AI ethics signal in the 2026 research law
A bill on the orientation and development of scientific research and technological innovation was approved in the Council of Ministers in January 2026 and adopted by the National Assembly on 8 April 2026. According to the state news agency, the law introduces an ethical framework for AI and creates a national committee to oversee responsible AI use. The official Council of Ministers communique confirms the research bill but does not itself spell out the AI ethics provisions, so the AI-specific detail should be treated as reported rather than confirmed from the gazette.
Regional and continental context
Congo-Brazzaville ratified the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) in 2020; the Convention entered into force across ratifying states on 8 June 2023. At continental level, the African Union adopted its Continental Artificial Intelligence Strategy in July 2024, which encourages member states to build national AI frameworks anchored in data governance. Congo also sits within CEMAC (the Central African Economic and Monetary Community) and ECCAS (the Economic Community of Central African States), which have produced harmonising instruments on electronic communications and personal data, including the 2016 Brazzaville Declaration.
Examples
Example 1: A fintech deploying an AI credit-scoring model for customers in Brazzaville. There is no AI law to comply with, but Law No. 29-2019 governs the personal data the model ingests and produces. The firm needs a lawful basis, must respect data subject rights, must secure the data, and must observe the prior formalities and transfer restrictions in the law. Because the supervisory Commission is not verifiably operational, practical compliance and any disputes currently rest on the statute itself and the general courts.
Example 2: A public body procuring a national digital identity or biometric system. In March 2022 Congo signed a memorandum of understanding with the AI vendor Presight AI for a three-year digital transformation programme covering advanced ICT infrastructure, a national digital ID programme and digital healthcare services. Biometric data is sensitive personal data under the 2019 law, so heightened protections and security duties apply, and cross-border hosting must respect the transfer rules, even though no AI-specific impact assessment is mandated by statute.
Example 3: A research team at CARIA or a university developing AI tools. The work sits inside the national research and digital policy framework, and the 2026 research law signals an AI ethics committee. There is, however, no binding AI conformity regime to certify against; governance here is institutional and ethical rather than a hard-law approval process.
Common misunderstandings
Misconception 1: "Congo-Brazzaville has an AI law." It does not. AI is governed indirectly through data protection law, telecoms rules and policy, not a dedicated AI statute.
Misconception 2: "Republic of the Congo and Democratic Republic of the Congo share the same rules." They are two different countries with separate legal systems. The DRC has its own 2023 Digital Code; that does not apply in Congo-Brazzaville.
Misconception 3: "There is no data protection, so anything goes." A comprehensive data protection law has been in force since 2019, with fines up to 100 million CFA francs. It applies to AI systems that process personal data.
Misconception 4: "There is an active AI regulator." There is not. ARPCE regulates posts and electronic communications and has discussed AI, but it is not an AI authority. The data protection Commission was created in law in 2025 but is not verifiably operational.
Misconception 5: "The national AI strategy is in force." A technical committee began drafting the strategy in 2026; it was not a finished, binding instrument at the time of writing.
Risks and boundaries
This article is general information, not legal advice. The legal status here is genuinely transitional, so be precise about what is confirmed and what is not.
Confirmed: there is no dedicated AI statute; Law No. 29-2019 on personal data protection is in force; ARPCE is the established posts and electronic communications regulator; Congo ratified the Malabo Convention; CARIA exists by statute; a national AI strategy entered drafting in 2026.
Uncertain or pending: the data protection Commission (CNPD) was created in law in 2025 but its operational status is not confirmed by official sources, which weakens day-to-day enforcement of the data law. The AI ethics committee referenced in the 2026 research law is reported by a state news source but is not detailed in the official Council of Ministers communique, and implementing texts may differ. The national AI strategy is unfinished and non-binding. Effective dates and institutional detail can change; verify against the Journal Officiel and government sources before relying on any specific point.
What this is not: it is not a risk-based AI regime, it imposes no AI conformity assessments, and it creates no AI-specific impact assessment obligation. Organisations should not assume a European-style AI Act exists here.
What to do next
Treat data protection as the live regime. If your AI touches personal data about people in Congo-Brazzaville, build compliance around Law No. 29-2019: lawful basis, transparency, data subject rights, security, prior formalities and cross-border transfer controls.
Distinguish the two Congos in every contract, policy and data map. Confirm which country, which regulator and which law applies before signing anything.
Watch three triggers: the operational launch and first guidance of the data protection Commission (CNPD); publication of the national AI strategy; and implementing texts for the 2026 research law and its AI ethics committee. Any of these could change your obligations.
Adopt durable governance now. Even without an AI Act, voluntary practices such as AI impact assessments, documentation, human oversight and vendor due diligence will map onto the data law and the African Union direction of travel, and will reduce rework when binding rules land.
Track the regional layer. Align with the Malabo Convention and the African Union Continental AI Strategy, and watch CEMAC and ECCAS harmonisation, since Congolese rules are likely to follow these templates.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does the Republic of the Congo have an AI law?
No. There is no dedicated AI statute or AI Act in force. AI is governed indirectly through data protection law, electronic communications rules and national policy.
Which law matters most for AI today?
Law No. 29-2019 of 10 October 2019 on the protection of personal data. It applies whenever an AI system processes personal data, with fines up to 100 million CFA francs.
Is there a data protection authority?
Law No. 5-2025 of 29 March 2025 created the Commission Nationale pour la Protection des Donnees a Caractere Personnel, but official sources do not confirm it is yet operational.
Who is ARPCE?
The Agence de Regulation des Postes et des Communications Electroniques, the posts and electronic communications regulator created in 2009. It is not an AI regulator, but it has begun engaging with AI policy.
Is there a national AI strategy?
A technical committee began drafting one on 6 May 2026 with United Nations Development Programme support, targeting a 2030 horizon. It was not yet a finished or binding instrument.
How is this different from the DRC?
The Democratic Republic of the Congo is a separate country with its own laws, including a 2023 Digital Code. Those rules do not apply in Congo-Brazzaville.
Has Congo signed any African data or AI instruments?
Yes. Congo ratified the African Union Malabo Convention in 2020, and the African Union adopted its Continental AI Strategy in July 2024.
What should organisations do now?
Comply with the 2019 data protection law, distinguish the two Congos, monitor the data Commission and AI strategy, and adopt durable AI governance voluntarily.