What is AI regulation in Somalia?

How it works

Somalia does not yet have a dedicated AI act

In the official Somali material reviewed, no dedicated AI statute and no published national AI strategy in force were identified. The clearest sign of state level AI interest is the Somalia National AI Center, founded in October 2024 as a government affiliated institution. Its published remit is research, education, industry adoption and advice on ethical AI policy formulation and implementation. That is important, but it is not the same thing as binding regulation. For now, Somalia should be understood as a jurisdiction with emerging AI governance capacity, not a jurisdiction with a comprehensive AI code.

The binding baseline is general data and digital law

For most real world AI use, the key legal anchor is the Data Protection Act 2023. It applies where the controller is domiciled, resident or operating in Somalia, where processing occurs in Somalia, or where the processing relates to monitoring behaviour in Somalia or targeting goods or services to people in Somalia. That makes the Act relevant not only to local deployers, but in some cases to offshore providers serving Somali users.

The broader digital framework also matters. The National Communications Law establishes the National Communications Authority as Somalia's communications regulator and gives it licensing, rule making, consumer protection and confidentiality functions. In January 2026, Parliament also approved a Cybersecurity Law establishing a national framework for cybersecurity, including responsibilities for the Ministry of Communications, the technical role of the NCA, duties for critical infrastructure operators, incident reporting, response structures and SOM-CIRT. None of this is AI specific, but it can govern the infrastructure and security layer on which AI services run.

The Data Protection Act contains the most AI relevant rules

The Act is not called an AI law, but several of its rules are directly relevant to AI systems.

First, it sets the usual processing principles and lawful bases. Personal data must be processed fairly and transparently. Processing needs a lawful basis such as consent, contract, legal obligation, vital interests, public interest or a legitimate interest basis. Personal data must be collected for specific purposes, limited to what is necessary, kept no longer than needed, and kept accurate.

Second, the Act is especially important where AI uses sensitive data. Somali law expressly treats biometric data, health status, political opinions or affiliations, race, clan or ethnic origin, and certain other categories as sensitive personal data. That has obvious relevance for face recognition, voice tools, risk scoring, identity systems and many public sector or high consequence uses.

Third, the Act contains a specific restriction on solely automated decision making. A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, where the decision produces legal effects or similarly significant effects. Narrow exceptions exist, mainly where the decision is necessary for a contract, expressly authorised by written law with suitable safeguards, or authorised by the person's consent.

Fourth, transparency duties are broader than a simple privacy notice. Before collection, the controller must tell the person the legal basis, the purposes, data sharing, complaint rights and any automated decision making, including profiling, together with the significance and likely consequences for the person. That is highly relevant for AI systems used to rank, score, filter or personalise.

Fifth, high risk processing triggers extra obligations. A data controller of major importance must carry out a data protection impact assessment before processing likely to create high risk to rights and freedoms, submit the report to the Authority before the processing, and consult the Authority if high risk remains. For many consequential AI deployments, this is the closest Somali law currently comes to a risk based AI review.

Cross border data use is already regulated

Because many AI systems depend on foreign hosting, external model providers or regional data sharing, the Act's transfer rules matter in practice. A controller cannot transfer personal data outside Somalia unless an adequate protection condition is met, the recipient has suitable legal or contractual safeguards, or one of the listed derogations applies. Those derogations include informed consent, contractual necessity and a narrow compelling legitimate interest route with safeguards and Authority notification.

This means the practical governance question is not only "are we using AI?" It is also "where is the training, inference or support data going, and on what legal basis?" For many deployers, especially those using foreign cloud or platform providers, transfer analysis will be one of the first serious compliance steps.

The institutional picture is starting to take shape

The Data Protection Authority is the main institution with the strongest direct relevance to AI uses involving personal data. The Act establishes it as an independent agency with supervisory and enforcement functions. Its public website shows it is operational and already offering registration and licensing services, complaints and investigations, data breach notification, guidance and advisory opinions, and training. It also states that the Council of Ministries approved Data Protection Act Regulations on 5 January 2026.

The DPA's enforcement powers are significant on paper. After investigation it can order a controller to stop unlawful processing, remedy the breach, pay compensation, account for profits and pay an administrative penalty of up to US$1 million or the Somali currency equivalent. Failure to comply can create a further offence, which the Act states can carry a fine of up to US$1 million and imprisonment for up to two years. Orders can be challenged by way of judicial review in the Supreme Court.

The Ministry of Communications and Technology remains the main policy ministry for the digital sector. Under the National Communications Law it prepares general communications policy and supervises the NCA, while the NCA operates as an independent regulator for communications and related digital services. The NCA's current public materials also point to a cybersecurity role and link to the Somalia National AI Center as a connected initiative.

SNAIC matters institutionally, but in a different way. It appears to be a capacity, research and policy support institution, not a regulator. Its public materials say it aims to advise on ethical AI policy, train talent, support research and work with public bodies and universities. That suggests Somalia is building internal capability for future AI governance even though the binding legal core still sits elsewhere.

Regional and international instruments matter, but mainly as soft law and policy direction

Somalia's future AI framework is likely to be shaped by African Union and UNESCO instruments more than by an immediate domestic AI act. The African Union Executive Council endorsed the Continental Artificial Intelligence Strategy in July 2024. That Strategy is not directly binding domestic legislation in Somalia, but it is the main continental reference point for Africa centred, development focused, responsible AI governance. It encourages states to build national strategies, governance structures, capacity and rights based safeguards.

Somalia is also part of UNESCO's global AI ethics architecture. UNESCO's Recommendation on the Ethics of Artificial Intelligence applies to UNESCO member states, and UNESCO's Global AI Ethics Observatory lists Somalia as a country where the AI Readiness Assessment Methodology is underway. UNESCO also published a 2025 call for a lead national expert for Somalia to develop a country report based on that readiness work. Taken together, this suggests Somalia is in a diagnostic and institution building phase rather than a legislative end state.

One notable regional point is what Somalia has not yet done. According to the African Union treaty status list dated 2 February 2026, Somalia had neither signed nor ratified the Malabo Convention on Cyber Security and Personal Data Protection. That does not prevent Somalia from using domestic law or softer AU instruments, but it does mean Somalia is not yet tying its digital governance framework to that treaty route.

The near term position is a patchwork, not a vacuum

It would be wrong to say Somalia has "no AI regulation". The more accurate view is that Somalia currently regulates AI through a patchwork of data protection law, communications law, cybersecurity law, constitutional protections and emerging policy institutions. It would also be wrong to say Somalia already has a settled AI governance code. The legal architecture is still developing, AI specific public rulebooks are not yet in force, and some of the detail that practitioners will want, such as stable public text for the new DPA regulations or a published national AI strategy, remains incomplete.

For now, Somalia fits best into the category of sectoral and horizontal regulation by existing law, with soft law and institution building pointing toward a more explicit AI governance model later.