What is AI regulation in Sudan?
AI regulation: countries and regions
Sudan does not currently appear to have a dedicated AI statute, or a clearly published standalone national AI strategy, in the official public sources reviewed. Instead, AI is governed through a developing mix of digital transformation policy, cybersecurity institutions, electronic transactions law, telecom and cybercrime rules, and sector supervision, especially in banking and public digital services. Since late 2025, Sudan has also begun building AI-focused state institutions, most notably a new data and AI authority.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
In Sudan, AI regulation is still emerging. The country is not yet operating a single, comprehensive AI rulebook of the kind seen in a few other jurisdictions. The official picture is closer to an institutional and sectoral model: digital authorities are being built, cybersecurity has been elevated, and older laws on electronic transactions, telecoms and information crimes still do much of the practical work.
That means organisations using AI in Sudan usually need to ask a narrower question than "what is the AI law?". The better question is "which Sudanese rules apply to this use of AI?". A chatbot in a public service, a fraud model in banking, a digital identity workflow, a cloud-hosted analytics tool, and an AI feature inside a telecom app may each trigger different regulators, approvals, confidentiality duties, security controls or record-keeping expectations.
Sudan's direction of travel is nevertheless clearer than it was a few years ago. Since 2025 the government has publicly linked AI to digital reconstruction, data governance, cybersecurity, education and public service modernisation. So the legal system is not AI blind, but it has not yet consolidated those strands into one dedicated AI regime.
Why it matters
This matters because the absence of a single AI Act does not mean a free-for-all. If you deploy AI in Sudan, the real compliance burden often sits in adjacent rules and institutions: telecom licensing, electronic authentication, information security, public sector data handling, banking supervision, customer protection, and possible localisation or sovereignty expectations around sensitive data.
For founders, vendors and buyers, that creates a practical challenge. The legal risk is less about breaching a named "AI law" and more about missing the sector rules that already apply to the system around the AI. In Sudan, that is especially important for public digital services, digital identity, finance, payments, telecom infrastructure, and any workflow handling sensitive personal or strategic state information.
It also matters for timing. Sudan's public institutions are actively being rebuilt and reorganised. A company entering the market now may find that today's position depends on a mix of existing statutes and rapidly maturing institutions, with more formal AI governance likely to develop later.
How it works
No dedicated AI statute yet
The official public sources reviewed for this article do not show a Sudanese AI Act in force, and they do not clearly publish a standalone national AI strategy equivalent to an economy-wide AI code. That is the starting point. Sudan is not yet using a single horizontal AI statute with defined prohibited practices, risk tiers, conformity assessment duties or market surveillance rules.
What does exist is a policy and governance build-out around digital transformation. In official government material, AI appears as a priority area within wider state modernisation, not yet as a self-contained legal field. That places Sudan, at least for now, closer to a sectoral and institutional model than to a single risk-tier AI code.
An emerging institutional architecture is now visible
The most important recent change is institutional. In November 2025, an official government announcement said the Prime Minister had created three national bodies under the ministry responsible for digital transformation and communications: a Digital Transformation Authority, a Sudanese Data and AI Authority, and a Sudanese Cybersecurity Authority.
That matters because the new data and AI body is described not merely as a technical unit, but as the institution responsible for regulating national data management, strengthening governance, and enabling the state to use AI for decision support and public service development. In other words, Sudan has started to create a formal home for AI governance, even though a dedicated AI law is still absent.
The same official announcement also frames this institutional shift in terms of digital sovereignty, public administration reform, shared national policy, and safer use of data and information. For practical readers, that signals where future Sudanese AI governance is likely to sit: not only in courts and statutes, but also in central administrative bodies that control public infrastructure, state data practices and government digital systems.
Existing digital law still does most of the legal work
Because there is no dedicated AI code, Sudan's existing digital law remains the main legal base.
The Electronic Transactions Act is one of the most important pieces. It gives legal effect to parts of Sudan's digital transaction framework and supports electronic signatures, certification and trusted electronic records. Official Sudanese material linked to the Act also states that signature data, electronic media and information submitted for electronic certification are confidential, and that service providers running data-processing systems must take measures to protect and secure information. For AI governance, that is significant because many AI deployments sit inside digitally signed documents, automated workflows, identity checks or platform transactions rather than in stand-alone AI products.
Sudan also continues to rely on telecom and information-crime rules. The Telecommunications and Post Regulatory Authority says it is the statutory regulator for telecommunications and post services under the 2018 law that replaced the older 2001 telecom law. The authority's public service materials show that Sudan licenses not only classic telecom activities but also internet applications, digital services, digital payment services, data centres, cloud computing services and IoT applications. That makes telecom regulation relevant to many AI deployments that depend on hosting, connectivity, digital distribution or embedded communications features.
Cyber and information-crime law continue to matter too. Public official material shows that Sudan has long maintained an information-crimes framework, and the Ministry of Justice publicly described the 2020 amendment as aimed in part at protecting users' rights and privacy. That is not AI-specific, but it is part of the real compliance environment for AI systems used in online services, communications tools and digital platforms.
Cybersecurity and digital identity are central, not peripheral
Sudan's public sources now place cybersecurity near the centre of digital governance. The Sudanese Cybersecurity Authority describes itself as the highest national reference and sole regulatory body for cybersecurity, with functions that include national frameworks and controls, compliance assessment, licensing and accreditation, incident response, digital forensics, and awareness building.
This matters for AI because many practical governance questions in Sudan are likely to be handled as cybersecurity, authentication or digital trust issues before they are handled as "AI law" questions. If an AI system relies on identity verification, privileged access, public-sector integration or sensitive citizen data, it is likely to sit inside this cyber governance perimeter.
A concrete example is SUDAPASS, the national digital identity platform launched in 2026. Official material presents it as a trust and identity-security project, with personal data protection, multi-factor authentication, biometrics, cryptographic controls and national digital sovereignty all treated as core design features. The Cybersecurity Authority also said in a 2026 press statement that all digital identity data are subject to Sudanese digital sovereignty and national governance, that keys and digital certificates are managed through the National Authority for Electronic Certification, and that the system undergoes recurring security reviews and tests. That is not AI regulation in the narrow sense, but it is exactly the type of governance infrastructure that shapes how AI can be deployed in public services.
Sector regulators can impose the real operating rules
In Sudan, the most concrete duties for many AI systems currently come from sector regulators rather than from a general AI authority.
Banking is the clearest example. In March 2026, the Central Bank of Sudan issued detailed controls for USSD-based financial services. Those controls require prior approval before launch, technical testing, risk and disaster-recovery planning, customer due diligence procedures, clear user notices, masking of sensitive account data, complaint handling, transaction logging, record retention and regulatory access to data and reports. For any AI-enabled payments journey, scoring tool, fraud filter or customer-service layer operating on top of this channel, those rules are part of the real governance baseline.
This is a wider pattern. If your AI use case sits in finance, telecoms, public administration or digital identity, the relevant Sudanese regulator may already have powers over the channel, the infrastructure, the data flow, or the customer relationship. The practical question is therefore not only whether the model is lawful, but whether the surrounding service is licensed, supervised, secure and governable.
Data protection is the least clear part of the public-source picture
The public-source position on a general Sudanese data-protection law is unusually hard to pin down.
Recent official banking documents clearly use the language of a "data protection law". For example, the 2026 Central Bank USSD controls define personal data by reference to such a law. Yet older high-quality regional legal surveys described Sudan as lacking a comprehensive data-protection statute and a dedicated data-protection authority. In the publicly accessible official repositories reviewed for this article, no clearly published, up-to-date economy-wide data-protection law and no obvious dedicated national data-protection authority were easy to verify.
The safest reading is therefore a cautious one. Organisations should not assume that Sudan has no privacy law at all, and they should not assume that a full, economy-wide data-protection regime is clearly settled and easy to evidence from public official sources. For now, the stronger practical position is to treat privacy, confidentiality, information security and data-handling duties as arising from a mix of constitutional principles, electronic transactions rules, cyber and information-crime law, telecom regulation, public-sector information governance and sector supervision, especially in finance.
Regional alignment is stronger than domestic codification
Sudan's clearest AI alignment currently comes from the African Union layer. The AU's Continental AI Strategy, endorsed in July 2024, expects member states to develop and implement national AI strategies and governance frameworks as part of the 2025 to 2030 implementation window. Sudan's recent creation of a data and AI authority and its broader digital reconstruction agenda fit that continental direction, even if domestic codification remains limited.
Sudan has also signed, but not yet ratified, the African Union Convention on Cyber Security and Personal Data Protection, often called the Malabo Convention. As of the AU status list dated February 2026, Sudan had signed the convention on 15 March 2023, with no ratification or deposit recorded. That means the convention is an important regional signal, but not yet a domestic legal shortcut. Signing points to policy intent; it does not itself create a fully operational Sudanese AI or data-protection regime.
For practical readers, the key point is that Sudan's AI governance is likely to develop in conversation with AU norms on AI, cybersecurity and data governance. That does not make AU texts directly self-executing inside Sudan, but it gives a strong indication of the institutional and policy language Sudanese authorities are likely to use.
Examples
A bank, fintech or payment provider that wants to add AI-assisted fraud checks or customer support to a USSD financial service cannot treat the AI layer as legally separate from the service itself. The Central Bank's 2026 USSD controls require approval before launch, technical testing, customer due diligence procedures, masking of sensitive account data, complaint handling, monthly reporting and retention of transaction records. In practice, the AI feature must sit inside that supervised payments framework.
A ministry, court-facing service, registry or private firm that wants to automate document handling can build on Sudan's electronic transaction and certification stack rather than waiting for a new AI law. The Electronic Transactions Act already gives a legal base for electronic signatures and confidentiality obligations, and the Ministry of Justice publicly announced in 2022 that it had launched the first electronic signature deployment in Sudan using the national certification infrastructure.
A public digital service that connects to national identity will face governance questions that are really about sovereign data handling, authentication and cybersecurity. The 2026 SUDAPASS materials show this clearly: identity data are treated as nationally governed, cryptographic keys and certificates are managed through the national certification authority, and the platform is tied to multi-factor and biometric verification. An AI-enabled public service built on that stack would need to respect those trust and security controls from day one.
Common misunderstandings
"Sudan has no AI law, so AI is unregulated." Not correct. Sudan uses existing digital, telecom, cyber, finance and public-sector rules to govern much of the activity around AI.
"Sudan already has an AI Act." Public official sources reviewed for this article do not show one in force.
"The new data and AI authority means Sudan now has a complete AI regime." Not yet. The institutional architecture is emerging faster than the statutory architecture.
"Signing the Malabo Convention means Sudan has fully implemented continental cyber and data rules." No. Signature is a political and diplomatic step. Ratification and domestic implementation are separate.
"If a vendor is based outside Sudan, Sudanese rules are irrelevant." Not necessarily. In regulated sectors such as telecoms, digital identity and finance, local licensing, supervisory access, security controls and contractual localisation expectations can still apply.
Risks and boundaries
Sudan's current position has clear limits. It is not, at present, a mature AI regime with detailed classifications of high-risk systems, foundation models, biometric AI, or prohibited practices. It is also not a regime where one regulator clearly handles every AI issue. Governance is distributed, and sometimes fragmentary.
That creates uncertainty. The institutional picture has become clearer since 2025, but the statutory picture is still thin. Recent official banking materials refer to a "data protection law", yet the public-source legal position on a general national data-protection statute remains difficult to verify cleanly from accessible official repositories. Organisations should therefore treat privacy and data governance as a live verification task, not a settled assumption.
There are operational boundaries too. Much of Sudan's current digital governance is being built in the context of conflict disruption, institutional reconstruction and infrastructure pressure. So the gap between formal architecture and day-to-day implementation may be wider than in more administratively stable jurisdictions.
Finally, no explicit Sudanese AI rule with clear extraterritorial scope was identified in the sources reviewed. Cross-border effect is more likely to arise through sector supervision, public procurement conditions, digital identity integration, cybersecurity controls, and data-handling expectations than through a named AI statute that reaches foreign providers on its own terms.
What to do next
Start by mapping the use case, not the model label. Identify whether your AI deployment touches public services, telecom channels, digital identity, payments, cloud or data-centre infrastructure, or regulated customer data. Then identify the regulator that controls that layer, which may be the digital transformation ministry, the data and AI authority as it matures, the cybersecurity authority, TPRA, the Central Bank, or a public-sector owner.
Build a Sudan-ready governance baseline now. Use human review for material decisions, document model purpose and limits, apply access controls, keep logs, secure identity workflows, and contract for incident reporting and regulatory cooperation. If the system handles sensitive citizen, customer or state data, assume you will need stronger controls than a generic AI policy would suggest.
Do not guess on privacy status. Check the latest official gazette, sector circulars and regulator instructions, and obtain current local legal advice where the public-source position is unclear. In Sudan, the hardest compliance problem today is often not model risk in the abstract, but uncertainty about which surrounding data and digital-service rules are currently in force and how they are being operationalised.
Finally, monitor the institutional build-out. The 2025 creation of a Sudanese data and AI authority is the clearest sign that a more explicit AI governance regime could follow. If Sudan publishes a national AI strategy, a data law, or AI-specific instructions later, early movers with documented governance will be much easier to adapt.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Sudan have an AI Act?
No dedicated Sudanese AI Act was identified in the official public sources reviewed for this article.
Does Sudan have a national AI strategy?
Not a clearly published standalone one. AI appears in broader digital transformation and reconstruction planning, and in the creation of a new data and AI authority.
Which institution is most likely to lead AI policy in Sudan?
The emerging centre of gravity is the Sudanese Data and AI Authority under the ministry responsible for digital transformation and communications, but cybersecurity, telecom, justice and financial regulators also matter.
What laws apply to AI in Sudan today?
Mainly adjacent laws and rules, especially electronic transactions, telecom regulation, information-crime rules, cybersecurity governance, public digital identity controls, and sector supervision such as Central Bank rules for digital finance.
Is Sudan's data-protection position clear?
Not fully. Recent official banking documents refer to a data-protection law, but an up-to-date general statute and a dedicated national authority were not easy to verify in the accessible official repositories reviewed.
Has Sudan adopted the AU's cyber and data convention?
Sudan has signed the Malabo Convention, but the AU status list reviewed for this article did not show ratification or deposit as of February 2026.
Are foreign AI vendors outside Sudan's reach?
Not automatically. If they serve Sudanese regulated sectors, integrate with national digital systems, or handle regulated data flows, local rules can still affect them through licensing, supervision, contracts and security requirements.