A regulatory framework built for national resilience
With Presidential Decree 25-321 of 30 December 2025, Algeria formally adopted the National Cybersecurity Strategy 2025-2029, the country’s most ambitious attempt to codify what it means to protect a national digital perimeter. Two weeks later, Decree 26-07 of 7 January 2026 translated that strategy into operational rules: every public institution must now create a dedicated cybersecurity unit — separate from IT management — reporting directly to the organization’s head.
The strategy is structured around five pillars, but the part that matters most to CISOs sits inside pillar three: sector-specific cybersecurity regulations for banking, healthcare, and energy. That phrase, short as it is, signals a break with Algeria’s earlier one-size-fits-all approach. Sectoral regulators — the Bank of Algeria for banks, ARPCE for telecom, and the Ministry of Health for hospitals and clinics — are now expected to issue tailored rulebooks that build on the national baseline set by ASSI (the Information Systems Security Agency operating under the Ministry of National Defence).
Who must comply, and when
The decrees define a clear hierarchy of obligation. At the top sit Critical Information Infrastructure (CII) operators — organizations whose compromise would disrupt essential services. Six sectors are explicitly named: energy, telecommunications, water, transportation, financial services, and government services. Healthcare is being folded in through sector-specific guidance that is being drafted in 2026.
For banks — both public (BNA, CPA, BADR, BEA, BDL, CNEP) and private (Société Générale Algérie, AGB, Trust Bank, Natixis Algérie and others) — the Bank of Algeria acts as the sectoral regulator. Mandatory security audits are expected to roll out across 2026 and 2027, with the heaviest obligations falling on institutions that operate card-switching (GIE Monétique, SATIM) or hold systemic importance.
For healthcare, the strategy targets both public CHUs and private clinics that handle electronic patient records. With the rollout of Algeria’s national health-record program and hospital-level digital transformation, clinics that previously ignored cyber obligations now find themselves inside the CII perimeter.
For energy, Sonatrach and Sonelgaz — plus their subsidiaries and ICS vendors — are already operating under classified defense-adjacent rules. The 2025-2029 strategy formalizes what was previously handled as a national-security exception, bringing operational technology security into civilian regulatory scope.
Timelines vary. Public institutions are already bound by Decree 26-07 (published in the Official Gazette on 21 January 2026) and had a 90-day window to designate a CISO. Private CII operators are being onboarded through sectoral circulars expected throughout 2026.
The CISO mandate — and the talent gap
One thread runs through every decree: the Chief Information Security Officer is no longer a nice-to-have. Decree 20-05 originally established the CISO function for state information systems; Decree 26-07 has now clarified the role’s authority, reporting lines and minimum competency requirements. Decree 26-07 is explicit that the CISO must have demonstrable cybersecurity expertise — not a repurposed IT manager with a new title.
That is a significant practical challenge. Algeria’s pipeline of qualified cybersecurity professionals is growing, but demand is now outpacing supply by a wide margin. The strategy’s answer is to align the rollout with 285,000 new vocational training places across IT and cybersecurity disciplines over the strategy window — a number that deliberately mirrors the compliance curve. Universities (USTHB, ESI, ENSIA), vocational institutes and private training providers such as EKSec are already expanding curricula around the new decrees.
What CISOs should do in the next 180 days
The regulatory environment is moving fast, but the concrete actions for a well-run Algerian CISO office are increasingly clear:
- Confirm your CII classification. If your institution sits in banking, healthcare, energy, water, transport or telecom, assume you are in scope. Engage your sectoral regulator early rather than waiting for an audit letter.
- Stand up the cybersecurity unit, independent of IT. Decree 26-07 is unambiguous: the cyber function reports to the head of the organization, not to the CIO. Governance diagrams must reflect that.
- Map your assets against the ASSI baseline. ASSI’s operational center (CNOSSI) is the technical reference. Aligning asset inventories, logging, and incident-response playbooks to its expectations now will pay off when audits begin.
- Prepare for mandatory audits. Sector-specific audit programs are rolling out through 2027. Identify qualified external auditors (the list is being curated by ASSI) and schedule a self-assessment before the official one arrives.
- Invest in the human pipeline. Work with universities and vocational centers to secure future CISO candidates. The 285,000 training places are the national plan — your institution needs its own feeder pipeline tied to it.
The bigger picture
Algeria is building a regulatory framework that, while stricter than what most private-sector CISOs are used to, aligns the country with the direction of travel in the EU (NIS2), the GCC, and most G20 economies. For Algerian executives, the window to treat cybersecurity as an IT line item has closed. What comes next is a national capability — banking-grade audits, healthcare data governance, energy-sector resilience — and the CISOs who move first will define what compliance looks like for the rest of the decade.
Frequently Asked Questions
Which Algerian organizations are now classified as Critical Information Infrastructure (CII) operators?
The National Cybersecurity Strategy 2025-2029 explicitly names six sectors — energy, telecommunications, water, transportation, financial services and government services — with healthcare being folded in through sectoral guidance drafted in 2026. Public and private banks, SATIM, GIE Monétique, Sonatrach, Sonelgaz, Algérie Télécom, large CHUs and private clinics handling electronic patient records all fall inside the perimeter.
When must a CISO be appointed under Decree 26-07?
Decree 26-07 was published in the Official Gazette on 21 January 2026 and gave public institutions a 90-day window to designate a CISO who reports directly to the head of the organization — separate from IT management. Private CII operators are being onboarded through sectoral circulars rolling out across 2026.
What should a CISO prioritize in the next 180 days?
Confirm CII scope with the sectoral regulator, restructure governance so the cybersecurity unit reports to the executive head rather than the CIO, map assets against the ASSI/CNOSSI baseline, schedule a pre-audit gap assessment with an independent firm, and lock in a feeder pipeline tied to the 285,000 national vocational training places being rolled out through 2029.