What is AI regulation in Sao Tome and Principe?
As of June 2026, Sao Tome and Principe does not have a dedicated AI law or a formally adopted national AI strategy. AI is regulated mainly through existing law on privacy, personal data, cybercrime and digital public administration, especially the 2016 personal data protection law and the national data protection authority. Government and UNESCO work has produced an AI readiness report and reform roadmap, while African Union instruments supply the main regional direction.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
AI regulation in Sao Tome and Principe currently means the rules that already govern personal data, automated decision-making, cross-border transfers, cybersecurity and the digitisation of public services. It does not yet mean a standalone AI act with its own risk tiers, prohibited practices, or central AI licensing regime.
The most important practical instrument is the personal data protection law. If an AI tool processes personal data, profiles people, supports hiring or credit decisions, uses biometric or surveillance data, or sends information abroad, the existing framework already starts to bite. Around that hard-law layer, there is a softer policy layer: the 2025 UNESCO readiness report, a discussion draft data-governance strategy and the African Union's continental AI strategy.
So the country is not unregulated. It is better described as an early-stage jurisdiction: some real legal duties exist now, and a more explicit AI regime is being prepared but is not yet in force.
Why it matters
For organisations, the absence of an AI-specific act does not remove compliance work. The key question is whether your AI use touches personal data, significant individual decisions, government datasets, cross-border processing or critical digital infrastructure. If it does, Sao Tome and Principe's existing laws and institutions can already require notification, authorisation, security controls, human review, contractual safeguards and engagement with the data protection authority.
This matters most for employers, lenders, telecom operators, public authorities, education and health bodies, and any business using offshore AI vendors. The country is also in a policy-building phase. Teams that document data sources, decision points, oversight and transfer paths now will be better placed if a dedicated national AI strategy or new legislation arrives later.
How it works
The current model is framework-based, not AI-specific
As of June 2026, the official materials reviewed do not show a dedicated AI statute in force, a formally adopted national AI strategy in force, or a national AI ethics commission. The main AI-specific public document is the UNESCO readiness assessment hosted on the INIC portal. That report describes Sao Tome and Principe as being at an early and mainly "consumption" stage of AI, rather than a jurisdiction with a mature domestic AI development sector.
That puts the country closer to a horizontal governance model than to a classic risk-based AI act. In practice, AI is governed through existing personal-data law, digital-government architecture, cybersecurity and ordinary sector law where relevant. The hard-law layer is already real. The AI-specific layer remains mostly a roadmap.
Existing law already reaches many AI uses
The centre of gravity today is the 2016 personal data protection law. It applies to personal-data processing carried out in Sao Tome and Principe, to processing by entities established there even if some activity happens elsewhere, and to certain processing outside the country when local means or locally situated hosting are used. In that last situation, the foreign controller must appoint a representative established in Sao Tome and Principe.
This matters because many AI tools are built on partly or fully automated processing. Under the law, controllers or their representatives must notify the ANPDP in writing eight days before starting a wholly or partially automated processing operation, unless an exemption or simplification applies. Some categories need prior authorisation, especially sensitive data, credit and solvency data, interconnection of datasets, and uses of data for purposes other than those that determined its collection. Those categories are directly relevant to AI systems used for profiling, scoring, fraud checks, hiring, lending and public-sector data matching.
The law also gives individuals practical rights that are highly relevant to AI governance. They include rights of information and access, correction and blocking, and the right to know the logic or reasons underlying automated processing that concerns them. Most importantly, a person has a right not to be subject to a decision that significantly affects them and is taken exclusively on the basis of automated processing that evaluates aspects such as professional capacity, creditworthiness, trustworthiness or behaviour, unless a contract or a law supplies safeguards.
Cross-border transfer rules matter too. Personal data may be transferred abroad only where the destination offers adequate protection, or where a derogation applies, or where the ANPDP authorises the transfer on the basis of sufficient safeguards such as contractual protections. For teams using foreign cloud or AI providers, that makes data mapping and contract review part of AI governance, not an optional extra.
The enforcement layer is not purely symbolic. The law provides for administrative fines, empowers the ANPDP to apply them, and creates criminal offences for conduct such as intentional failure to notify or seek authorisation, unlawful interconnection, unlawful access, data destruction, refusal to comply with regulator directions and breach of secrecy obligations. So even without an AI act, there are already penalties around the data-processing side of AI.
The institutions that matter today
The main regulator for present-day AI governance is the ANPDP, the Agencia Nacional de Proteccao de Dados Pessoais. Its 2017 founding law makes it an independent administrative authority operating alongside the National Assembly. It has powers of investigation and inquiry, can access data relevant to its control functions, can order blocking, deletion or destruction of data, can prohibit processing temporarily or permanently, can authorise or register processing where the law requires it, can authorise cross-border transfers in the required cases, can hear complaints and can apply fines.
That means ANPDP is not just an advisory body. It is the institution organisations should expect to matter first when AI processing involves personal data, automated decisions, international transfers or data interconnection.
The second key institution is INIC, the Instituto de Inovacao e Conhecimento, which sits at the centre of the state's digital-governance machinery. Under the digital-governance framework, INIC functions as the public body's ICT implementation and coordination arm and serves as the consultative body to the Committee for Digital Governance. The UNESCO readiness report treats INIC as the natural home for implementing any future national AI strategy, especially on capacity, ethics, public awareness and coordination.
There are adjacent institutions too. The Committee for Digital Governance, created by Resolution No. 35/2020, monitors and guarantees execution of the national digital-governance strategy, sets priorities across public administration and issues binding deliberations for the administration. AGER matters on the telecom side, and the national cybersecurity architecture matters where AI deployments depend on resilient networks, public-sector hosting or critical information infrastructure.
Public-sector AI projects already sit inside digital-governance rules
For public authorities, AI governance is not starting from zero. Resolution No. 35/2020 approved the national digital-governance strategy and created the Committee for Digital Governance. The strategy is broad rather than AI-specific, but it is important because it treats data-sharing, digital identity, interoperability, public digital services and supporting legislation as state priorities. In other words, it creates the administrative plumbing into which public-sector AI would have to fit.
That plumbing became more concrete with Law No. 01/2024 on the National Interoperability Framework. The law applies across public institutions and creates a coordination and management committee and a technical interoperability committee. It sets a common framework of policies and technical specifications for e-government interoperability and states that mandatory items must be adopted in new government IT products and projects. An AI system used inside public administration, especially one connected to state databases or service portals, would therefore have to fit this interoperability architecture even before any AI-specific law appears.
The implication is practical. Government bodies that want to deploy AI into citizen-facing services, case-management systems, identity workflows or data-sharing environments should not view that work as a standalone experiment. It already sits inside broader state rules on digital governance, interoperability, privacy and cybersecurity.
Regional and international instruments shape the direction of travel
Sao Tome and Principe's AI policy direction is heavily shaped by African Union and UNESCO frameworks. At continental level, the AU adopted the Continental Artificial Intelligence Strategy in July 2024. The strategy calls on member states to domesticate the continental approach through national strategies and governance frameworks, with an implementation period running from 2025 to 2030. For smaller and less digitally mature states, this matters because it creates a regional template even where domestic AI law is still thin.
Sao Tome and Principe has also signed, ratified and deposited the AU Convention on Cyber Security and Personal Data Protection, often called the Malabo Convention. That does not itself create a domestic AI code, but it does reinforce the country's place inside a continental legal setting built around data protection, cybersecurity and digital trust.
At global level, UNESCO's Recommendation on the Ethics of Artificial Intelligence is a strong policy anchor. The readiness report states that implementation of the UNESCO Recommendation is on the government's agenda, even though the report also records that concrete domestic measures had not yet been finalised at the time of assessment. In practice, that means current governance combines domestic law with soft-law guidance on ethics, rights, inclusion, accountability and capacity-building.
What is proposed next, and what is still pending
The UNESCO readiness report sets out a fairly clear reform path. It recommends updating the ANPDP law so that the authority can supervise the full AI lifecycle and ethical impact, updating the INIC framework so it can implement a future AI strategy, updating the digital-governance strategy so AI is expressly covered, strengthening the national statistics institute, and embedding AI and ethics more clearly into education, awareness and telecom development.
The report then goes further and recommends adoption of a national AI strategy by law. Its own roadmap places that later than the first institutional reforms, pointing to a phased build rather than immediate enactment. This sequencing is important: the report suggests Sao Tome and Principe should first strengthen institutions and data governance, then legislate more directly for AI.
The official INIC portal also hosts a July 2025 "version for discussion" of a data-governance strategy and implementation roadmap. That draft says openly that the advent of AI requires a legal framework that enables better use of AI without undermining data protection and privacy. It also identifies silos, weak coordination, weak data skills and missing interoperability and security rules as practical barriers. But the draft remains just that, a discussion document, not enacted law.
The near-term picture is therefore clear enough. Reform direction exists. The institutional candidates are visible. The regional and international frameworks are in place. What is still missing is the final domestic shift from recommendation and draft strategy into binding AI-specific law or formally adopted national AI policy.
Examples
Using AI for hiring or credit scoring. If an employer, bank or microfinance provider uses a model to rank people and trigger decisions that significantly affect them, the data-protection law becomes central. A person has protection against being subject to a decision taken exclusively by automated processing where that decision significantly affects their legal sphere. If the system uses credit or solvency data, prior ANPDP authorisation is also part of the legal picture.
Sending customer or citizen data to an overseas AI provider. If personal data is exported from Sao Tome and Principe to a foreign cloud or AI service, the transfer rules apply. The destination must offer adequate protection, or another lawful route and regulator-facing safeguards may be needed. This is where vendor due diligence, transfer mapping and contract control become part of AI governance rather than routine procurement paperwork.
Adding AI into a government digital service. A ministry that wants to use AI in a public portal, case-handling flow or data-sharing environment does not wait for a future AI act before doing governance work. The project already sits inside the personal-data law, the ANPDP's powers, the digital-governance system, the interoperability law and the national cybersecurity framework. In practical terms, the team needs legal review, technical alignment, human oversight and a clear basis for any data sharing.
Common misunderstandings
Misunderstanding: "No AI act means no AI regulation." Correction: Existing law on personal data, automated decisions, cross-border transfers, cybersecurity and public digital administration already governs many AI uses.
Misunderstanding: "Only local companies need to care." Correction: The data-protection law has territorial hooks that can reach foreign actors using local means or local hosting, and it restricts exports of personal data abroad.
Misunderstanding: "ANPDP is only an advisory office." Correction: It is an independent authority with investigative, authorisation and sanctioning powers.
Misunderstanding: "AU or UNESCO texts are the same as domestic statute." Correction: They shape policy direction and reform design, but current enforceable duties still come mainly from Sao Tome and Principe's own laws.
Misunderstanding: "Consent alone makes any AI scoring lawful." Correction: Significant individual decisions taken solely by automation still face specific restrictions and safeguard requirements.
Risks and boundaries
The present framework has clear limits. There is no single statutory definition of AI for all sectors, no national list of prohibited AI practices, no high-risk classification system, no AI-specific model-documentation duty, no dedicated AI conformity-assessment regime and no stand-alone AI regulator. If you expect an EU-style AI Act, Sao Tome and Principe is not there yet.
The official source base is also relatively thin. Several important texts are policy or draft instruments rather than enacted law, including the July 2025 data-governance strategy draft and much of the UNESCO reform roadmap. That means the policy direction is visible, but the sequencing and timing remain open. Sector-specific duties may also apply in areas such as finance, telecoms, elections, education, health or procurement, but no AI-specific sector rule was identified in the official material reviewed for this article.
The boundary to keep in mind is simple: not every AI issue is a data-protection issue, but many of the most important operational AI issues in Sao Tome and Principe currently pass through the data-protection framework because that is where the country's strongest hard-law controls already exist.
What to do next
Start with an inventory of AI use cases, data sources and decision points. Flag any system that uses personal data, profiles people, touches credit, hiring, children, biometric or surveillance material, or exports data abroad. Build ANPDP notification and, where relevant, prior authorisation into the project plan rather than treating them as last-minute checks.
For public bodies, align AI work early with INIC, the digital-governance committee and the interoperability framework before procurement or integration. For private operators, tighten contracts with offshore AI suppliers, document transfer safeguards, keep a human-review path for significant decisions and monitor whether the UNESCO roadmap turns into statute or a formal national AI strategy. In this jurisdiction, disciplined governance matters more than waiting passively for a future AI act.
FAQs
Does Sao Tome and Principe have an AI Act?
No. The official materials reviewed up to June 2026 do not show a dedicated AI statute in force.
Is there a national AI strategy in force?
Not yet. The main public AI-specific document is the 2025 readiness report, which recommends a future strategy and legal package, but it is not the same thing as an adopted national strategy with binding force.
Which authority matters most today for AI?
For most AI uses involving personal data, the ANPDP is the key authority. INIC and the Committee for Digital Governance matter for public-sector digital architecture, and ordinary sector regulators keep their normal powers.
Can organisations use generative AI now?
Yes, there is no general ban. But personal data, confidentiality, cybersecurity, automated decision-making and data-export questions still need checking before deployment.
Are solely automated decisions allowed?
Only within limits. The data-protection law protects people against decisions with legal or similarly significant effects taken exclusively by automated processing, unless a contract or a law provides safeguards.
Do overseas AI providers fall outside the picture?
No. The data-protection law contains territorial hooks, and foreign transfers of personal data are restricted unless adequate protection or another lawful basis exists.
What is the most likely next policy step?
The official reform direction points to stronger data governance, updates to the ANPDP and INIC frameworks, and eventually a national AI strategy adopted in a more formal legal instrument.
