What is AI regulation in Sierra Leone?
AI regulation: countries and regions
Sierra Leone does not yet have a dedicated AI law in force. As at June 2026, it is developing its first National AI Strategy, while AI is mainly governed through existing constitutional rights, the Cyber Security and Crime Act 2021, the National Communications Authority Act 2022 for communications services, the Right to Access Information Act 2013, and broader digital and data policy. A first national data protection framework has been approved at Cabinet level, but final enactment is still pending.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
In Sierra Leone, AI regulation currently means working out which existing laws and public institutions apply to AI use, because there is still no stand alone AI Act. The legal picture is therefore mixed. Some rules are already binding, especially in cybersecurity, communications and public sector information access. Other parts are still policy direction rather than enacted law.
That means organisations cannot assume AI is unregulated just because there is no AI statute. If an AI system handles communications data, supports a public authority, touches critical systems, or relies on cross border cloud processing, existing duties can still apply. At the same time, the government is clearly moving toward a more deliberate AI governance model through a first National AI Strategy and a planned national data protection framework.
The practical position is transitional. Sierra Leone has real legal controls already, but they are sectoral and fragmented. Hard law is still thin at the AI specific level, while strategy and data governance policy are doing a lot of the organising work.
Why it matters
This matters because AI projects in Sierra Leone can create legal and governance exposure even before a dedicated AI Act arrives. A telecom operator using AI for customer interaction, fraud detection or network management may already face personal data, subscriber information, complaints and consumer protection duties under communications law. A ministry or agency using AI in service delivery can trigger access to information, record keeping and public accountability concerns. Any organisation handling sensitive data or critical systems must also factor in the cybersecurity framework, incident readiness and cross border cooperation rules.
It also matters because the rules are still moving. Sierra Leone is building its first AI strategy, and the government has approved a first national data protection policy with a plan for a combined data protection and access to information law. Leaders who wait for a final AI Act may miss current obligations and may also be caught unprepared when the next layer of governance appears.
How it works
Current position
As at June 2026, Sierra Leone is still an early stage AI regulation jurisdiction. The official materials reviewed did not show an enacted AI specific statute, a general AI regulator, or a national AI conformity regime. What is clear is that the Ministry of Communication, Technology and Innovation is developing Sierra Leone's first National AI Strategy with support from the World Bank Group. The strategy work is being framed through a draft AI readiness diagnostic and consultations with media, civil society, government and private sector participants, with express attention to local languages and culture.
At the same time, Cabinet has approved Sierra Leone's first National Data Protection Policy and authorised work on a new combined Data Protection and Right to Access Information Act. The official statements describe a unified authority with responsibility for both personal data protection and access to information. However, the official sources reviewed do not yet confirm that this combined law is fully enacted and in force.
What governs AI now
In the absence of a dedicated AI Act, AI is governed through a patchwork of existing law. At the constitutional level, Sierra Leone protects fundamental rights that are directly relevant to AI governance, especially respect for private and family life, freedom of expression, protection of law and related public interest limits. Those rights do not by themselves create a full AI code, but they shape how later legislation, administrative action and judicial review can treat AI systems.
The Cyber Security and Crime Act 2021 is one of the main hard law instruments that now matters for AI systems connected to networks, data processing, digital services or critical infrastructure. It creates a national framework for cybercrime, cybersecurity, electronic evidence, protection of critical national information infrastructure and international cooperation. It also gives Sierra Leone an institutional cybersecurity architecture and recognises privacy rights within the cyber framework.
The National Communications Authority Act 2022 is another major binding instrument, but it is sectoral rather than economy wide. For communications service providers and other authorised communications businesses, it contains rules on subscriber information, personal data, lawful and specific purpose limitation, consent or other legal basis, privacy, consumer protection, complaint handling, sanctions and restrictions on transfer of personal data outside Sierra Leone unless the receiving jurisdiction has adequate protection. If an AI system sits inside telecoms, mobile money infrastructure tied to communications services, customer analytics, or automated subscriber engagement, this Act can already matter a great deal.
For public authorities, the Right to Access Information Act 2013 remains important. It is not an AI law, but it does shape how digital government tools are used. It imposes access to information duties, proactive publication duties, public information officer requirements, complaints and review mechanisms, and exemptions for personal matters, security and commercial interests. If a public body uses AI to support decisions, triage requests or manage records, this framework remains relevant even before Sierra Leone adopts AI specific transparency rules.
Institutions and who does what
The Ministry of Communication, Technology and Innovation currently sits at the centre of Sierra Leone's AI and digital governance agenda. It is leading development of the first National AI Strategy and is also the core policy ministry for digital development. The Directorate of Science, Technology and Innovation plays a practical role in technical adoption, innovation work and government capacity building. The Attorney General and Parliament remain central to turning policy into enacted law.
The National Cybersecurity Coordination Centre, usually referred to as NC3, is the lead agency for coordinating national cybersecurity efforts. Under the cyber law and official institutional material, it helps formulate and implement cybersecurity policy and strategy, supports law enforcement and judiciary functions in cyber matters, regulates designated critical infrastructure compliance, oversees forensics capability and acts as a coordination point for international cyber cooperation. The National Cybersecurity Advisory Council, chaired by the Vice President, provides higher level oversight and is tasked with keeping Sierra Leone's cybercrime laws aligned with regional and international standards.
The National Communications Authority, NatCA, is the key regulator where AI use intersects with communications services. It has powers over licensing, complaints, enforcement, sanctions, consumer protection and communications data obligations. The Right to Access Information Commission, RAIC, remains the key institution for public information access. Official government statements indicate that RAIC may be expanded or folded into a future unified authority once the proposed combined data protection and access to information law is enacted.
Policy documents also point to a broader institutional architecture for data governance, including a proposed Data Protection Agency and coordinating digital development bodies. Those proposals are important signals of direction, but they should be treated as policy architecture, not as proof that a full AI governance authority is already established by law.
How obligations appear in practice
The practical effect is that organisations need to classify the use case before they classify the technology. Sierra Leone does not yet divide AI into formal risk tiers in binding national law. Instead, the first question is usually where the system is being deployed and what it does with data, services and public functions.
If the system is used by a communications provider, the NatCA Act can already require lawful collection and use of personal data, privacy protection, consumer redress pathways and careful treatment of transfers outside Sierra Leone. If the system is used by a public authority, the Right to Access Information regime can shape disclosure, publication and records practices. If the system touches critical services, digital infrastructure, or creates cyber risk, the Cyber Security and Crime Act and NC3 framework become relevant.
This means Sierra Leone currently operates more like a sectoral and horizontal hybrid than a pure AI regime. There is no single AI super rule. Instead, legal duties come from the function of the system, the sector, the type of data involved, and whether the user is a public authority, a communications operator or part of a critical digital environment.
Regional and international alignment
Even without an AI Act, Sierra Leone is not building from scratch. Its digital policy and data strategy materials explicitly point outward to continental and regional frameworks. The National Data Strategy calls for enactment of data protection law, development of a data protection authority, consideration of regulatory sandboxes, support for cross border data flows, and domestication of the African Union Convention on Cyber Security and Personal Data Protection, usually called the Malabo Convention. It also links cross border data issues to the ECOWAS personal data protection framework.
At the African Union level, the Continental AI Strategy, endorsed in 2024, gives Sierra Leone a strong reference point. It promotes national AI strategies, ethics, human rights, accountability, inclusive governance, risk based regulation, regulatory sandboxes, impact assessment, public procurement standards and stronger institutional capacity. Sierra Leone's current work on a national AI strategy fits cleanly within that continental direction.
One important legal detail is status. The official African Union treaty status material reviewed shows Sierra Leone signed the Malabo Convention in 2016, but it did not confirm ratification. That matters because signature and ratification are not the same thing. So Sierra Leone is aligned in policy language, but some regional commitments still need full domestic legal effect or treaty completion before they operate as a firmer legal anchor.
Examples
In May 2026, the Ministry of Communication, Technology and Innovation opened a three day process around the Draft Sierra Leone AI Readiness Diagnostic Report while developing the country's first National AI Strategy. The ministry said the exercise was designed to bring together media organisations, civil society, government and the private sector so that the strategy reflects Sierra Leone's priorities, voices, local languages and culture. That is a real example of AI governance being built through policy design before statute.
In March 2026, MoCTI, the Directorate of Science, Technology and Innovation, NC3 and Qhala ran high level leadership training for civil servants on cybersecurity, artificial intelligence and emerging technologies. More than 50 senior officials took part. The stated aim was to help decision makers understand AI risks, rewards and data foundations, and to support sound policy choices in the public interest. That is a concrete example of capability building as part of state AI governance.
In March 2025, RAIC trained pilot ministries, departments and agencies on a digital access to information platform built to support requests, acknowledgements, responses and complaints under the Right to Access Information Act 2013 and the 2022 Regulations. This is not AI specific, but it is a clear example of Sierra Leone already imposing governance duties on digitised public administration, which would still matter if later automation or AI tools are added to the same workflows.
Common misunderstandings
Sierra Leone already has an AI Act. Incorrect. The official sources reviewed did not confirm an enacted AI specific statute.
No AI Act means AI is unregulated. Incorrect. Existing constitutional, cybersecurity, communications and access to information rules can already apply.
Sierra Leone already has a settled national data protection regime. Incorrect. Cabinet has approved a first data protection policy and proposed legislation, but the final legislative status is still not confirmed in the official sources reviewed.
AI governance in Sierra Leone belongs only to one ministry. Incorrect. MoCTI leads strategy, but NC3, NatCA, RAIC, the Attorney General, Parliament and other sector bodies also matter.
The AU AI Strategy automatically becomes Sierra Leone law. Incorrect. It is an influential continental framework, but it does not replace national legislation.
Risks and boundaries
The main boundary is that Sierra Leone is still in transition. It is important to separate enacted law from draft policy and from political announcements. The Cyber Security and Crime Act 2021, the National Communications Authority Act 2022 and the Right to Access Information Act 2013 are in force. By contrast, the first National AI Strategy is still being developed, and the planned combined data protection and access to information law was not yet confirmed as enacted in the official materials reviewed.
A second boundary is scope. The NatCA Act gives meaningful personal data and consumer protections, but only within the communications sector. It is not a whole economy AI law. The Right to Access Information Act creates transparency duties for public authorities, but it is not a general AI transparency regime. The cyber law helps with infrastructure, offences, evidence and cooperation, but it does not answer every question about bias, explainability, model governance or general purpose AI.
There is also some uncertainty in the policy trail. Older policy documents refer to earlier draft data protection bills and proposed institutions such as a Data Protection Agency and broader digital coordination bodies. Newer official statements point to a merged Data Protection and Right to Access Information framework and a unified authority. That tells you the direction of travel, but also shows that names, mandates and timelines can still change.
Finally, foreign suppliers should not assume distance removes risk. Sierra Leone does not yet have a mature general extraterritorial AI regime, but local contracts, public sector requirements, communications law, cyber law and cross border data rules can still draw offshore providers into the compliance picture.
What to do next
Treat Sierra Leone as a jurisdiction with limited AI specific hard law, but real present day obligations. Start by classifying your use case rather than just the model type. Ask whether the system is being used by a public authority, a communications provider, a critical infrastructure operator, or a general enterprise function.
Build a basic governance file now. Map the data used by the system, the purpose for which it is used, the legal basis relied on, retention periods, access controls, complaint routes, vendor dependencies, and any transfers outside Sierra Leone. If your system sits in the communications sector, check it directly against NatCA duties on subscriber information, personal data and consumer protection.
If you work with government, design for disclosure, record keeping and human accountability from the start. Public sector AI projects should be able to explain the role of the tool, preserve relevant records and fit within access to information processes. If your system touches critical services or public infrastructure, align cyber controls and incident handling with NC3 expectations.
Then monitor the two moving pieces most likely to change the landscape in the near term: Sierra Leone's first National AI Strategy and the proposed Data Protection and Right to Access Information Act. Those two items are likely to shape the next generation of governance more than any single headline about AI.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Sierra Leone have a dedicated AI law?
No. As at June 2026, the official sources reviewed did not confirm an enacted AI specific statute.
Is Sierra Leone adopting a national AI strategy?
Yes. The Ministry of Communication, Technology and Innovation is developing the country's first National AI Strategy, using a draft AI readiness diagnostic and stakeholder consultations.
What laws govern AI in Sierra Leone today?
Mainly existing law, especially constitutional rights, the Cyber Security and Crime Act 2021, the National Communications Authority Act 2022 for communications services, and the Right to Access Information Act 2013 for public authorities.
Does Sierra Leone already have a general data protection law in force?
A first national data protection policy has been approved by Cabinet, and the government has announced a combined data protection and access to information bill. But the official materials reviewed did not yet confirm final enactment.
Which institutions matter most for AI governance?
MoCTI leads strategy and digital policy. DSTI supports technical and innovation work. NC3 leads cybersecurity coordination. NatCA regulates communications services. RAIC handles access to information. The Attorney General and Parliament matter for legislation.
Does Sierra Leone already use a risk based AI model?
Not in binding national AI law. Risk based governance appears more clearly in the African Union Continental AI Strategy and in Sierra Leone policy material than in enacted Sierra Leone AI legislation.
Do AU and regional instruments matter if Sierra Leone has no AI Act?
Yes. They matter as policy benchmarks and future direction. Sierra Leone policy documents point to the AU Malabo Convention, ECOWAS data rules and broader regional alignment. But those frameworks do not remove the need for domestic legislation.
Can a foreign AI provider ignore Sierra Leone because it is offshore?
No. If the provider serves Sierra Leone public bodies, communications users, critical infrastructure or local data processing chains, local sector law, contract terms, cyber rules and data governance requirements can still become relevant.