What is AI regulation in Seychelles?
AI regulation: countries and regions
Seychelles does not currently have a dedicated AI law or a published national AI strategy. Instead, AI is governed through existing horizontal and sector rules, especially the Data Protection Act 2023, cybercrime law, communications law, constitutional privacy and access principles, and ordinary public sector governance. The main institutions are the Information Commission, the Vice President's ICT and digital transformation portfolios, the communications regulator, and newer science and innovation bodies. Government has signalled future AI and data governance frameworks, but these are not yet a standalone binding AI regime.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
AI regulation in Seychelles currently means governing AI through laws that were not written as a single AI code. That includes rules on personal data, cybersecurity, electronic communications, public administration and sector specific controls. So the right question is not "Where is the AI Act?" but "Which existing duties apply to this AI use case?"
That matters because many AI systems already fit inside existing legal categories. If a tool profiles people, handles health or student data, supports public decisions, or is connected to communications infrastructure, ordinary Seychelles law can already apply. In practice, Seychelles is using a mixed model: general law first, sector oversight where relevant, and policy development in parallel.
Regionally, Seychelles sits inside the African Union policy environment, including the African Union Continental AI Strategy. But I did not find an official Seychelles source showing that the country has yet converted that regional direction into a published national AI statute or formal national AI strategy.
Why it matters
For organisations deploying or buying AI in Seychelles, the absence of a dedicated AI Act does not mean a free-for-all. It means teams have to do more synthesis. They need to work out whether the system uses personal data, whether it makes or informs significant decisions, whether it operates in a regulated sector, whether it sends data abroad, and whether it sits inside a public body that may be asked to explain what it is doing. This affects procurement, product design, contracts, governance, security, record keeping and incident response.
The practical stakes are highest where AI touches minors, health data, financial services, law enforcement, public benefits, education, employment, fraud detection or any process that could substantially affect rights, access, prices, eligibility or reputation. In those settings, Seychelles already has enough law and institutional authority to require care, documentation, oversight and, in some cases, prior assessment before deployment.
How it works
No dedicated AI statute yet
Seychelles does not yet have a standalone AI Act, a published AI rulebook equivalent to a comprehensive cross economy regime, or an officially published national AI strategy. Official discussion has moved in that direction, but the clearest government statements still point to an evolving framework rather than a finished one. A 2024 National Assembly seminar recorded the Department of Information Communications Technology saying there was a current lack of national policy guiding the use of AI. Budget 2026 then moved the position forward by stating that government would develop clear AI and data governance frameworks and use AI responsibly across public administration. That is an important policy signal, but it is not the same thing as a binding AI code.
The Data Protection Act is the main law that already touches AI
For most practical AI deployments, the Data Protection Act 2023 is the centre of gravity. The Act applies to automatic and semi automatic processing, which means many machine learning, analytics and decision support systems will fall within it when they process personal data in Seychelles. It gives the Information Commission enforcement powers and includes several AI relevant controls.
Most importantly, the Act requires privacy by design, records of processing activities, security measures, breach notification, controls on processors, and limits on cross border transfers. It also requires a data protection officer in cases involving large scale systematic monitoring or large scale special category processing. A data protection impact assessment is required before high risk processing, including systematic and extensive evaluation based on automated processing, including profiling, where decisions produce legal effects or similarly significant effects on an individual. If the residual risk remains high, the controller must consult the Commission before processing.
The Act goes further than a basic privacy law in two AI relevant ways. First, the Commission may examine proposals for automated decision making or data linkage that could adversely affect privacy. Second, the Act allows future regulations to add safeguards for qualifying significant decisions based solely on automated processing. I did not find a separate Seychelles regulation that has yet built out those automated decision safeguards into a dedicated AI rule set.
The Act also contains real enforcement architecture. The Commission can investigate, audit, issue enforcement notices, order corrective action and impose administrative fines. Pre existing controllers and processors were given an 18 month transition period to conform, so this is no longer a transition only issue.
Other existing law matters too
AI in Seychelles is not governed by privacy law alone. The Cybercrimes and Other Related Crimes Act 2021, as amended in 2025, covers conduct such as unauthorised access, interception, interference, electronic fraud, harassment and related misuse of computer systems. That does not regulate model design or fairness directly, but it does matter for AI enabled abuse, security incidents, data theft and criminal misuse of digital systems.
The Communications Act 2023 also matters where AI products sit inside electronic communications services, networks, broadcasting or related infrastructure. It establishes the Seychelles Communications Regulatory Authority, gives the Minister and Authority powers over communications policy, technical standards, confidentiality, consumer protection and privacy in the communications sector, and adopts a technologically neutral posture. That still is not an AI safety law, but it means AI delivered through communications environments can trigger existing regulatory duties.
For public bodies, access to information law and ordinary administrative law are also relevant. Seychelles already has a statutory access to information regime administered by the Information Commission. That does not create AI specific transparency duties, but it does increase the likelihood that procurement records, policies, manuals, data handling practices and justifications for public sector AI use may face scrutiny.
There is no single AI regulator
Seychelles does not appear to have one cross economy AI regulator. Instead, responsibility is spread across existing institutions.
The Information Commission is the key authority where AI uses involve personal data, automated processing, access rights, complaints, audits and corrective powers. On the executive side, the current centre of gravity for digital policy sits with the Vice President's portfolios for information communication technology and digital transformation. That matters because AI policy, if formalised, is likely to emerge from that part of government rather than from a specialised stand alone AI agency.
A newer institution also matters. The National Institute of Science, Technology and Innovation Act 2025 gives the institute objectives and functions that include devising strategies and promoting the use of artificial intelligence, other emerging technologies and digitisation, and coordinating research, technology transfer and innovation. That is a promotion and coordination role, not a general licensing or enforcement role over all AI use in the country, but it is a clear sign that AI is now part of formal science and innovation policy machinery.
Sector bodies continue to matter in their own domains. Health has an AI and digital health function within its system performance and analytics structure. Education has publicly piloted AI related classroom initiatives. In those sectors, AI governance will often be a blend of the Data Protection Act, sector policy, procurement controls, professional rules and general public law obligations.
Public sector policy is moving faster than legislation
Official sources show a visible policy trajectory even without a finished AI law. The National Development Strategy 2024 to 2028 describes AI as both an opportunity and a risk, and says Seychelles needs to understand AI's local implications, including implications for labour. Budget 2026 goes further by linking AI to digital resilience, public service delivery and national competitiveness, and by promising AI and data governance frameworks, a government cloud and responsible use of emerging technologies in revenue administration, social protection, health and public safety.
This is best understood as a soft law and administrative build out phase. The government is signalling direction, building institutions, discussing safeguards and piloting uses. But the country has not yet published a consolidated AI compliance code with fixed risk categories, prohibited practices, conformity assessments or licensing requirements.
Regional and international alignment is real, but indirect
At continental level, the African Union's Continental Artificial Intelligence Strategy gives Seychelles a clear regional reference point. The strategy encourages Africa centred, responsible and development focused AI governance and expects member states to build national approaches around that agenda. Seychelles is therefore operating inside an AU policy environment that now treats AI as a strategic governance issue.
That said, AU strategy does not automatically become domestic law. I did not find an official Seychelles instrument that transposes the AU strategy into a published national AI strategy or statute. On related digital governance instruments, there is also a limit to how far alignment has yet gone. The African Union's treaty status list dated February 2026 shows Seychelles had not signed or ratified the Malabo Convention on Cyber Security and Personal Data Protection. So while Seychelles is clearly part of the continental AI conversation, its domestic AI governance architecture remains largely home grown and still in formation.
What this means in practice
The most accurate description of Seychelles today is this: no dedicated AI law, but meaningful regulation already applies. If your AI system uses personal data, relies on automated evaluation, affects rights or important interests, operates in a regulated sector, or is procured by government, there is already enough law in place to require a serious governance process. What is missing is not all regulation. What is missing is a single, AI specific framework that brings those rules together in one place.
Examples
The first clear example is public administration. Budget 2026 says Seychelles intends to use AI and data driven tools in areas such as revenue administration, social protection, health and public safety, while also developing AI and data governance frameworks. In practice, that means a ministry or agency cannot treat AI as only an IT purchase. It has to document purpose, data flows, security, processor arrangements, and where relevant the need for an impact assessment and possible prior consultation with the Information Commission.
A second example is education. The Ministry of Education has publicly described smart classrooms that integrate digital technologies and AI driven learning platforms, and the 2026 State of the Nation Address announced AI pilots in primary schools and in three named secondary schools. Because those systems touch children, they sit in one of the most sensitive parts of the current framework. Even without an AI Act, ordinary duties around minors' data, procurement, security, governance and staff oversight become central.
A third example is national policy formation itself. In the 2024 National Assembly seminar on AI, participants discussed legislation, deepfakes, human rights and government use. DICT said there was no national policy yet guiding AI. That is a good example of where Seychelles is today: the country is actively debating AI governance, building institutional capability and creating policy direction, but has not yet finished the move from discussion and administrative planning to a dedicated AI rulebook.
Common misunderstandings
"AI is unregulated in Seychelles." Not quite. There is no dedicated AI Act, but data protection, cybercrime, communications, access to information and sector rules can already apply.
"The Data Protection Act is only about privacy, so it is separate from AI governance." Incorrect. The Act directly touches automated processing, profiling, impact assessments, cross border transfers, security, and oversight of proposals for automated decision making.
"NISTI is the national AI regulator." No. NISTI has a promotion, coordination and strategy role in science, technology and innovation. That is not the same as being a single economy wide AI enforcement authority.
"The AU Continental AI Strategy already gives Seychelles a domestic AI code." No. It is a regional strategic instrument. Seychelles still has to translate that direction into national law, policy or guidance.
"No AI law means public bodies do not need to explain their systems." That goes too far. Public bodies remain subject to access to information, procurement records, ordinary public law standards and, where personal data is involved, the Data Protection Act.
Risks and boundaries
The main boundary is simple: Seychelles has not yet published a complete AI specific regime. So a lot depends on interpretation of existing law, sector practice and the maturity of individual institutions. That creates uncertainty for organisations that want a clear answer on questions such as risk classes, compulsory human review, testing standards, public registers, prohibited AI uses or certification paths. None of those features currently appears in a single Seychelles AI statute.
There are also doctrinal limits. The Data Protection Act is powerful, but it is not a full AI law. It mainly governs AI where personal data is involved. An AI system trained or deployed on non personal data may still raise fairness, competition, procurement, professional ethics or public law issues, but the legal path is less direct. Likewise, cybercrime law addresses misuse and offences, not the whole life cycle of responsible AI design.
The policy direction is clearer than the binding detail. Budget 2026 promises AI and data governance frameworks, but I did not find an officially published consolidated framework in force as of 8 June 2026. So readers should treat future facing statements as signals of likely direction, not as already operative compliance text.
On international alignment, Seychelles is clearly engaged in African and wider digital governance debates, but formal treaty alignment is incomplete. The AU status list shows Seychelles had not signed or ratified the Malabo Convention as of February 2026. And although Seychelles was invited in 2025 to accede to the Budapest Convention on Cybercrime, that invitation is not the same thing as accession.
What to do next
Treat Seychelles as a jurisdiction where AI governance must be assembled from existing law. Start by mapping every AI use case against five questions: does it use personal data, does it profile or rank people, could it materially affect a person's rights or access, does it involve cross border data transfer, and is it in a regulated or public sector setting.
Use the Data Protection Act 2023 as the immediate baseline for most deployments. Build privacy by design into procurement and development; keep records of processing; assess whether a data protection officer is required; screen for high risk automated evaluation and profiling; run a data protection impact assessment where needed; and prepare for the possibility of prior consultation with the Information Commission.
If you are a public body or a supplier to one, maintain an access to information ready file. That should include the business purpose, governance structure, datasets, contracts, human oversight points, security controls, and an explanation of what the system is allowed and not allowed to do. This is especially important in education, health, social protection and enforcement contexts.
Do not wait for a future AI Act before strengthening internal governance. Put named ownership in place now, set decision rights, define escalation paths, limit automation in high stakes processes, and monitor emerging Seychelles policy releases from the Information Commission, the Vice President's digital portfolios, NISTI and relevant sector bodies.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Seychelles have a dedicated AI law?
No. Official sources do not show a standalone AI Act in force.
Does Seychelles have a national AI strategy?
I did not find a published national AI strategy in official sources. Government has instead signalled future AI and data governance frameworks in Budget 2026.
What law matters most today for AI in Seychelles?
The Data Protection Act 2023 is the most important general law where AI uses personal data, especially for automated processing, profiling, impact assessments, security and cross border transfers.
Who regulates AI in Seychelles?
There is no single AI regulator. The Information Commission is central for personal data and access rights; the Vice President's ICT and digital transformation portfolios lead digital policy; the communications regulator handles communications sector duties; and sector bodies remain important in their own areas.
Is Seychelles following the African Union AI strategy?
Seychelles sits within that AU policy environment, but the AU strategy does not itself create a Seychelles domestic AI code. National implementation still needs to be done through local law, policy or guidance.
Can public bodies in Seychelles already use AI?
Yes, and some are piloting or planning uses. But they still need to work within existing law on data, security, procurement, transparency and sector governance.
Does the Data Protection Act deal with automated decisions?
Yes, indirectly and in important ways. It covers automated processing, profiling, impact assessments, prior consultation in high risk cases, and future safeguards for qualifying significant decisions based solely on automated processing.
What is still missing from the Seychelles framework?
A dedicated AI rulebook covering issues such as system classification, prohibited practices, testing obligations, explicit transparency duties, and a single published national strategy.