What is AI regulation in Togo?
AI regulation: countries and regions
Togo does not yet have a dedicated AI law, and no adopted national AI strategy was identified in the official sources checked as of 8 June 2026. In practice, AI is governed through existing horizontal and sectoral rules, especially the 2019 personal data protection law, cybersecurity law, biometric ID framework, and rules for public registries and digital services. The key institutions are the data protection authority, the ministry responsible for digital transformation, and specialist agencies on cybersecurity, digital delivery and identification.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Togo's current model is best understood as sectoral and horizontal, not AI-specific. That means there is no single Togolese "AI Act" setting one rulebook for all AI systems. Instead, whether an AI use is allowed, restricted or needs prior approval depends on the type of data involved, the sector, the institution using it, and whether the system affects public services, biometrics, critical infrastructure or cross-border data flows.
So the practical question in Togo is usually not "Is AI legal?" It is "Which existing laws already apply to this AI use?" If a system uses personal data, the centre of gravity is the data protection law and the authority that enforces it. If it sits inside public administration, biometric identity, social assistance, or connected infrastructure, additional public-sector, identification and cybersecurity rules also matter.
Why it matters
This matters because organisations cannot wait for a future AI statute before building controls. A product team, buyer, ministry, bank, telecom operator, hospital, school or vendor working in Togo already has compliance exposure if an AI system handles personal data, profiles people, relies on biometric matching, shares data across borders, or plugs into a public registry or essential service.
In practice, the current Togolese framework affects vendor contracts, data mapping, procurement, retention periods, security controls, public-sector approvals, and the use of local or foreign data-processing infrastructure. It also affects timelines. Some uses can proceed after declaration, others may need prior authorisation, and certain public-sector automated processing must be backed by a regulatory act after a reasoned opinion from the data protection authority. For leaders, that means AI governance in Togo is already an operational issue, even before any dedicated AI law arrives.
How it works
No dedicated AI law, but a national policy direction is emerging
Togo has publicly signalled interest in AI, but the official material checked does not show a standalone AI statute or a formally adopted national AI strategy now in force. Instead, official communications point to AI as part of a broader digital transformation agenda. Government statements in 2025 said Togo was actively preparing a national AI strategy, an international Data Lab and a "Maison de l'Intelligence Artificielle". Official presidential messaging at the Global AI Summit on Africa in Kigali also framed the country's approach as selective, strategic and pragmatic, with priority sectors including health, education and agriculture.
That matters because it shows the direction of travel. Togo is not treating AI as an isolated question. It is treating it as part of a wider national project around digital government, data use, connectivity, innovation capability and public-sector modernisation. The binding rules, however, still come mainly from existing hard law rather than a new AI-only framework.
The main binding layer is the personal data protection law
For most real AI deployments, the most important Togolese legal instrument is Law No. 2019-014 of 29 October 2019 on the protection of personal data. Its scope is broad. It covers collection, processing, transmission, storage and use of personal data by both public and private actors. It also has a form of territorial reach where processing uses means located on Togolese territory, apart from mere transit.
For AI governance, the most relevant features of that law are practical rather than rhetorical. It requires a lawful basis for processing, sets principles of fairness, purpose limitation, relevance, confidentiality, security and retention, and gives individuals rights that matter directly for AI systems, including access, rectification, opposition and erasure, including a right to digital forgetting. It also requires controllers to choose processors that offer sufficient guarantees and to bind them through written terms. That is immediately relevant for organisations that buy or integrate third-party AI services.
The law does not regulate "AI" as a category. But where an AI system processes personal data, it effectively becomes the default governance framework. In other words, Togo already regulates many concrete AI practices by regulating the underlying data processing and the responsibilities of the controller and processor.
Some AI uses trigger prior formalities or stronger controls
A key feature of the 2019 law is that it does not treat every data use the same way. It creates different prior-formality routes.
Ordinary processing generally falls into a declaration regime. The authority receives the declaration and issues a receipt, after which implementation can proceed. The law also allows the authority to publish simplified norms for common, lower-risk processing and to exempt some categories from declaration.
More sensitive uses move into prior authorisation. The law expressly places this stronger regime on processing involving genetic data, health research, criminal offences or penalties, interconnection of files, a national identification number or another general identifier, biometric data, and certain public-interest processing such as historical, statistical or scientific uses.
This architecture matters for AI because many higher-impact AI systems rely on exactly those categories. Facial recognition, voice identification, biometric attendance, fraud detection tied to national identifiers, health analytics and joined-up public databases can all move beyond routine compliance and into a stricter approval path.
The law also contains a separate rule for automated processing carried out for the State, a public institution, a local authority, or a private body running a public service. In those cases, the automated processing is to be created by regulatory act after a reasoned opinion from the data protection authority. For public-sector AI, this is one of the most important current legal hooks in Togo.
Institutions share the work rather than one AI regulator doing everything
Togo does not currently have a single cross-economy AI regulator. Governance is split across several institutions.
The Instance de Protection des Donnees a Caractere Personnel, usually referred to as the IPDCP, is the central authority where AI uses involve personal data. Its official missions include receiving prior formalities, handling complaints and petitions, informing people and controllers of their rights and duties, carrying out checks, issuing opinions, sanctioning controllers, authorising cross-border transfers, and cooperating internationally.
The IPDCP is especially important because it turns the 2019 law into a live compliance system rather than a paper rulebook. Its recent activity shows that process capacity is becoming more practical and visible. In 2026 it launched an online declaration platform for video surveillance and videoprotection systems and began issuing the first receipts and regulatory pictograms through that route. That does not create AI-specific law, but it shows institution-building around digital compliance.
Alongside the IPDCP, the ministry in charge of digital transformation drives policy and programme design. The Agence Togo Digital supports digitalisation of administrative procedures and public-service processes. The Agence Nationale de la Cybersecurite, or ANCy, leads on cybersecurity policy, rules, audits for essential service operators, and national incident response. The Agence Nationale d'Identification, or ANID, manages the biometric identification framework. In practice, an AI system can therefore touch several authorities at once.
Sector rules are important where AI is embedded in state systems
Because Togo has not yet enacted an AI-only framework, sector law does a lot of the work.
Biometric identity is a clear example. Togo's e-ID framework and the texts establishing ANID create a dedicated legal architecture for identification systems. Official implementation texts also say ANID works in accordance with the rules on personal data protection. So if AI is used inside identity verification, deduplication, fraud detection or biometric matching, the analysis does not start with a future AI law. It starts with the existing biometric ID and data protection framework.
Another example is social protection and public registries. In September 2024, Togo adopted an order on the conditions for access to and sharing of data from the Social Registry of Persons and Households. That text expressly links the registry to the cyber law, the personal data law, the biometric identification framework and the decree creating the registry itself. It sets a legal path for data access and sharing for public aid programmes and adds principles such as integrity to the handling of registry data.
This is a good illustration of the Togolese model. Where AI is used inside a government system, governance often comes from the combination of horizontal law plus sector-specific implementing texts. That makes the regime narrower and more practical than a broad AI principles document, but also more fragmented.
Cybersecurity and operational resilience also matter
The cyberspace layer should not be ignored. Togo's cyber law and the work of ANCy are not AI laws, but they matter whenever AI is deployed in connected public services, essential operators, or digital infrastructure. ANCy's published mission includes setting cybersecurity rules, auditing essential service operators, running the national CERT and SOC through delegated structures, and issuing approvals in the cybersecurity ecosystem. ANCy also published a National Cybersecurity Strategy for 2024 to 2028.
For AI governance, the practical lesson is straightforward. A model that is lawful from a data perspective can still be weak from a cyber perspective. Public and critical-sector AI therefore needs both data governance and cyber resilience, especially where systems are used for public services, identity, surveillance, or essential digital infrastructure.
Regional instruments shape the direction of future lawmaking
At the regional level, Togo is not operating in a vacuum. The African Union Executive Council endorsed the Continental Artificial Intelligence Strategy in July 2024. That strategy promotes an Africa-centric, development-oriented approach built around ethics, inclusion, rights, equity and institutional capacity. It does not automatically become domestic law in Togo, but it gives policymakers a clear continental frame for how future AI strategy, governance and standards may be built.
Togo has also ratified the African Union Convention on Cyber Security and Personal Data Protection, often called the Malabo Convention. That matters because it places Togo inside a continent-level treaty framework on cyber and personal data protection, which are the two legal areas already doing most of the current work around AI governance inside the country.
So the current Togolese picture is this: hard law is mainly found in data protection, cyber and sector rules; soft law and policy direction are increasingly visible through AU strategy work and national policy statements; and a dedicated AI law remains a future possibility rather than the present architecture.
Examples
The first example is public-sector targeting and analytics. Togo's official material on the Togo Data Lab says the lab is meant to build lasting state capacity to use new data sources and data science in policymaking. The same official material links the lab back to the Novissi experience, where call detail records, satellite images and machine learning were used during the Covid period to extend support to vulnerable people. Under today's framework, any similar programme would sit inside the existing data protection regime, and if it were operated for the State on named individuals it would also raise the rules for public-sector automated processing and, where relevant, the social registry rules.
The second example is biometric identity. Togo's biometric identification framework and the texts governing ANID create a sector-specific legal base for the national e-ID system, while also tying its operation back to personal data protection law. If AI is used for identity matching, deduplication or anomaly detection in that environment, the stricter rules on biometric data and general identifiers are already relevant even without a dedicated AI statute.
The third example is smart surveillance. In March and April 2026, the IPDCP launched and started operating an online declaration system for video surveillance and videoprotection, and issued the first receipts and regulatory pictograms. That means an organisation using camera systems in Togo already has a live compliance route. If such a system later adds AI analytics, that does not remove the baseline obligations. It can increase them, especially where the system starts identifying individuals or handling biometrics.
Common misunderstandings
"AI is not regulated in Togo because there is no AI law." That is wrong. Many AI uses are already governed through personal data, cybersecurity, biometric ID and sector rules.
"Togo is waiting for a future AI strategy before compliance starts." Also wrong. The current framework already affects deployment, procurement, vendor management and public-sector design choices.
"The data authority only matters after something goes wrong." Not quite. The law includes prior formalities, opinions, authorisations and transfer controls, so the authority can matter before launch.
"Public-sector AI can be rolled out as a normal software upgrade." Not safely. Automated public-sector processing on named individuals can trigger additional legal steps and should not be treated as an ordinary IT refresh.
"An AI strategy and an AI law are the same thing." They are not. A strategy sets direction and priorities. A law creates enforceable duties, powers and sanctions.
Risks and boundaries
The biggest boundary is that Togo's framework is still incomplete if you are looking for a modern, single-text AI regime. There is no identified national AI act with prohibited-use lists, model-tier duties, system-risk classifications, conformity assessments or dedicated general-purpose AI rules. That means some governance questions, such as explainability thresholds, testing expectations, procurement benchmarks or model documentation, are not answered in one place.
A second boundary is institutional maturity. The IPDCP is now visibly operational and has begun digitising compliance channels, but the public record still suggests a system that is being built out rather than a long-established AI enforcement ecosystem. Organisations should therefore avoid two opposite mistakes: assuming there is no enforcement risk, or assuming Togo already operates a full EU-style AI supervision model.
A third boundary is legal uncertainty around future policy. Official government communications say a national AI strategy is being prepared, but no adopted strategy text was identified in the official sources checked. That means the architecture can change. Teams should treat current law as the immediate baseline and monitor new official publications rather than relying on conference signals alone.
Finally, this area is easy to misapply. The current framework does not mean every AI use needs separate AI approval. Equally, the absence of an AI-specific law does not mean any AI use is acceptable. The legal answer depends on the use case, the data, the sector and the institution involved.
What to do next
Start by classifying each AI use case, not by the model name, but by what it actually does in Togo. Ask four questions early: does it process personal data, does it involve biometrics or a general identifier, is it being used for a public service or inside a regulated state dataset, and will data move across borders? Those answers will usually tell you which Togolese rules matter first.
Then build a practical control set around the current framework. Map the data, define the lawful basis and purpose, check retention, set human accountability, review vendor terms, document security measures, and decide whether the use belongs in the declaration, authorisation or public-sector opinion track. If the deployment touches digital identity, social registries, surveillance or critical systems, involve the relevant authority early rather than trying to retrofit compliance after launch.
Finally, keep watching policy development. Togo is clearly building AI capacity and signalling strategy work. Leaders who monitor official publications from the digital ministry, IPDCP, ANCy, ANID and the African Union will be better placed to adapt when the country moves from AI-ready governance to more explicit AI-specific rules.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Togo already have an AI law?
No dedicated AI law was identified in the official sources checked as of 8 June 2026. AI is currently governed mainly through data protection, cybersecurity, biometric ID and sector-specific rules.
Is there a national AI strategy in force in Togo?
Official government communications say a national AI strategy is being prepared, but no adopted strategy text was identified in the official materials checked.
Which authority matters most for AI compliance?
If the AI system uses personal data, the IPDCP is the central authority. Depending on the use case, the digital ministry, ANCy, ANID and other sector bodies may also matter.
Do biometric or facial recognition systems face stricter rules?
Yes. Togolese law places biometric processing and processing involving national identifiers into a stricter authorisation track, rather than treating them as routine data processing.
How does public-sector AI differ from private-sector AI in Togo?
Public-sector automated processing on named individuals is subject to a special rule under the data protection law. It must be created by regulatory act after a reasoned opinion from the data protection authority.
Do cross-border AI vendors need to pay attention to Togolese law?
Yes, potentially. The personal data law has territorial reach where processing uses means on Togolese territory, and cross-border transfers are subject to adequacy or authority approval rules.
What role does the African Union play?
The AU provides the main regional policy direction. The Continental AI Strategy gives a continental governance frame, and Togo has also ratified the Malabo Convention on cyber security and personal data protection.
What is the most practical first step for an organisation deploying AI in Togo?
Treat the project first as a data, sector and institution question. Map the data, identify whether biometrics or public-service functions are involved, and check whether declaration, authorisation or other formal steps are needed before launch.