ARPCE Cloud Directives: A Compliance Map for Algerian SaaS and Hosting Providers

Why ARPCE Matters to Cloud Startups

The Regulatory Authority of Post and Electronic Communications (ARPCE) is the body that authorises electronic communications operators in Algeria, including cloud hosting and data storage providers. Under the framework established by Law No. 22-39 of January 10, 2022, ARPCE certifies cloud providers and monitors their compliance with hosting rules.

According to ARPCE’s cloud service portal and tracking by state-of-algeria.dev, ARPCE has authorised leading local data centre operators — including ISAAL, AYRADE, eBS, and ADEX Cloud — to provide web hosting and cloud services. This is the regulated universe in which Algerian SaaS and hosting founders operate.

This article is a practical compliance map for founders, CTOs, and infrastructure architects who plan to operate from Algeria, sell SaaS to Algerian customers, or partner with an ARPCE-certified host. It explains the obligations, not the politics.

The CIA Triad, Translated Into ARPCE Expectations

At the heart of ARPCE’s approach is a familiar security triad — confidentiality, integrity, availability — layered on top of electronic communications law and aligned with the personal data protection framework (Law 18-07 as amended by Law 25-11).

Confidentiality

Operators in the electronic communications sector must ensure the confidentiality of the data they handle and cooperate with competent authorities. Law No. 18-04 on electronic communications requires providers to safeguard data confidentiality and prevent unauthorised interception. For a SaaS stack, this translates into:

• Encryption at rest for tenant data (database-level or application-level).
• TLS 1.2+ for all external traffic, mutual TLS for critical back-end links.
• Role-based access control with a defined segregation of duties between developers, ops, and customer support.
• Key management with audit trails, ideally using a hardware-backed vault when hosting sensitive workloads.

Integrity

Integrity covers both data and the systems that process it. Providers should demonstrate that data cannot be silently altered in storage or in transit, and that system changes go through a documented process. Practical controls:

• Database-level integrity constraints and cryptographic checksums for high-value objects.
• Change management with peer review, versioning, and rollback capability.
• Infrastructure-as-code for reproducible environments.
• Backup integrity tests (restoration drills) performed at least quarterly.

Availability

Availability is where ARPCE overlaps most clearly with consumer protection. A hosting provider that regularly drops service fails its customers, but also fails the regulator. Expected controls include:

• Documented SLAs and service credits aligned with actual monitoring data.
• Redundant architecture across failure domains (power, network, storage).
• Tested disaster-recovery plans with defined RPO and RTO.
• Capacity planning that stays ahead of growth rather than chasing it.

Licensing and the Ecosystem

A cloud hosting or data storage operator in Algeria must be authorised by ARPCE. The file-management fee for a cloud computing licence is set at 28,000 DZD excluding tax, per ARPCE’s published schedule. Actually landing authorisation requires showing that the operator can deliver on the hosting rules — not just pay the fee.

For a SaaS startup that does not want to operate its own hosting stack, the pragmatic path is to sit on top of an ARPCE-authorised provider:

• ISAAL, AYRADE, eBS, ADEX Cloud — four local providers listed in ARPCE’s ecosystem. AYRADE DC 1 in Rahmania, Algiers is among Algeria’s most established private data centres, hosting more than 1,000 companies.
• Contracts with these providers should include the security and availability controls above as contract schedules, not verbal commitments.
• SaaS founders remain responsible for the application layer, even when infrastructure is subcontracted — regulators will still look at the end-to-end customer experience.

Integrating ARPCE Expectations With Data Protection

The amended personal data protection framework (Law 18-07 as amended by Law 25-11) works on top of the ARPCE layer. As summarised in the CMS Expert Guide on Algeria and CookieYes’ Algeria guide, a compliant SaaS or hosting provider must combine both regimes:

• Map hosting controls to ARPCE expectations (CIA triad, licensing).
• Map processing activities to Law 25-11 obligations (records, DPO, DPIA, breach notification).
• Align contracts with customers: a hosting contract must name the processor, specify the processing purposes, and include a breach notification clause.
• For cross-border data transfers, document the legal basis and apply safeguards — ARPCE’s hosting framework and data residency discussions make local hosting the simpler path for Algerian customer data in most cases.

A Founder’s Compliance Checklist

For an Algerian SaaS founder or a cloud hosting operator preparing for 2026, the concrete actions are:

• [ ] Decide whether to hold an ARPCE authorisation directly or build on an authorised provider (ISAAL, AYRADE, eBS, ADEX Cloud, etc.).
• [ ] Document the CIA controls the product implements and the controls inherited from the underlying provider.
• [ ] Put in place a DPO (or shared external DPO) and a Record of Processing Activities aligned with Law 25-11.
• [ ] Implement encrypted storage, TLS by default, and least-privilege access across all environments.
• [ ] Run at least one disaster-recovery drill each year, with documented RPO/RTO targets.
• [ ] Include ARPCE-relevant clauses (confidentiality, cooperation with authorities, data handling) in every customer and subprocessor contract.
• [ ] Track cross-border data flows and document the legal basis for each.
• [ ] Join industry associations and monitor ARPCE and ANPDP publications — many rules are refined through guidance rather than new laws.

Frequently Asked Questions

Do I need an ARPCE licence to sell SaaS in Algeria?

If your SaaS runs on infrastructure you operate as a hosting or data storage activity, you likely need to hold or partner with a holder of an ARPCE authorisation. If you only provide application functionality on top of an already-authorised hosting provider, the hosting licence rests with the provider, but your SaaS still needs to comply with data protection obligations under Law 25-11.

Which Algerian cloud providers are ARPCE-certified?

ARPCE has authorised several local data centre operators — including ISAAL, AYRADE, eBS, and ADEX Cloud — to offer hosting and cloud services. The list can evolve, so check the current ARPCE publication before committing to a provider.

How do ARPCE cloud directives interact with Algeria’s personal data protection law?

ARPCE focuses on the security and availability of hosting and electronic communications services, while Law 18-07 (as amended by Law 25-11) governs how personal data is processed. When a SaaS or hosting provider handles personal data, both frameworks apply simultaneously: ARPCE-aligned controls plus the accountability, DPO, DPIA, and breach notification obligations of Law 25-11.

Frequently Asked Questions

Sources & Further Reading

• CMS Expert Guide — Data Protection and Cyber Security Laws in Algeria
• CookieYes — Guide on Algeria Data Protection Law 18-07 and its Amendments
• DataGuidance — Algeria Jurisdiction Overview
• Cookie-Script — Algeria Data Protection Law 18-07 and Amendments
• ARPCE — Hosting and Storage in Cloud Computing