What Changed in January 2026
Presidential Decree 26-07, published January 21, 2026, is the most consequential cybersecurity instrument Algeria has produced since the institutionalisation of the public-sector CISO role under Decree 20-05. It mandates that every Algerian ministry, public agency, and state enterprise create a dedicated cybersecurity unit — separate from the IT department, reporting directly to the institution’s head, and aligned with the Agency for the Security of Information Systems (ASSI) under the Ministry of National Defense.
The decree arrived alongside the unveiling of the 2025-2029 National Information Systems Security Strategy on March 4, 2026. The strategy frames cyber-resilience around three pillars — prevention, detection, and response — and commits Algeria to “fortifying digital sovereignty,” equipping the state with qualified human resources, and creating an appropriate regulatory environment. A draft cybersecurity law in preparation will introduce mandatory cybersecurity requirements with enforcement teeth that today’s decree alone does not provide.
Six months after publication, the headline question for Algerian public-body CIOs is no longer “must we comply” but “how do we operationalise this without a templated playbook.” The decree describes the destination; it does not specify org charts, hiring ladders, or KPIs. Each institution is now writing its own.
The Operational Gap Decree 26-07 Did Not Fill
Three operational design choices are unresolved across the Algerian public sector in April 2026:
First, the reporting line. The decree says “reporting to the institution head” but most ministries already have a Secretary General or Cabinet Director acting as a single executive funnel. Some institutions have placed the cybersecurity unit chief at the SG-1 level (peer to the IT director); others have placed it at SG-2 (under a risk or compliance directorate). Both are defensible. The choice that maps cleanly to ASSI’s coordination model is SG-1, because the unit chief becomes an authorised peer when DZ-CERT escalates a national-level incident.
Second, the boundary with the IT department. Algerian IT directors have historically owned everything network-, server-, and identity-related. The cybersecurity unit’s mandate now overlaps with all three. Without an explicit RACI matrix, the most likely failure mode is the cybersecurity unit becoming a paperwork team that issues policies the IT department ignores. The fix is a written split: cybersecurity owns policy, threat detection, incident command, and supplier risk; IT owns operations, patching execution, and identity provisioning. Both teams co-author the response runbooks.
Third, the headcount problem. Algeria’s own published assessment cites severe cybersecurity talent shortage — well-documented in the published-folder article on Decree 26-07 from March 2026. With over 100 ministerial-level public bodies plus hundreds of state enterprises, the demand wave from Decree 26-07 alone could exceed 800-1,200 roles. The 2025-2029 strategy points at the 285,000 vocational training seats announced under the broader skills programme as one supply lever, but the Cybersecurity Operations Analyst track inside that envelope is small relative to demand.
Advertisement
What This Means for Algerian Public-Sector CIOs
1. Adopt a Three-Role Minimum Viable Unit Before Year-End 2026
A defensible starting structure is three roles: a unit chief (the institutional CISO equivalent), a security operations analyst (handling SIEM alerts, vulnerability management, incident triage), and a compliance and audit officer (tracking ASSI reporting obligations, internal policy, and supplier risk). Below three roles the unit cannot run a 24/5 alert rotation or absorb a real incident. Above three roles you are committing to a build-out timeline that current Algerian hiring channels cannot deliver in 2026. Public-body CIOs who try to start with a single “cybersecurity referent” — common in early 2026 implementations — will discover during their first ASSI tabletop that the structure is too thin to respond.
2. Negotiate a Partnership Letter with DZ-CERT in the First 90 Days
DZ-CERT is the operational counterpart to ASSI for incident handling, and it is the only Algerian body with the threat-intelligence feed and forensic capacity to support a real incident response in 2026. Public-body cybersecurity units that wait for an incident to introduce themselves to DZ-CERT will lose 24-48 hours of containment time. Within the first 90 days of the unit’s existence, the unit chief should sign a written escalation protocol with DZ-CERT specifying: 24/7 contact roster, classification thresholds for mandatory reporting, evidence-handling chain of custody, and joint-exercise commitments. This is operational hygiene that the decree does not require but every mature CISO function does.
3. Build a Hiring Ladder That Pulls from the 285,000 Vocational Training Seats
The 2025-2029 strategy positions vocational training as the dominant supply channel for cybersecurity talent. Public-body CIOs should design a junior-analyst entry path explicitly aligned to vocational graduates — a 12-month structured rotation through SOC alert triage, vulnerability scanning, and audit support, paired with a single internal mentor. The published reference article on Algeria’s vocational AI/cloud/cybersecurity tracks already documents the structure of these training programmes; pull that material into your job descriptions. Public bodies that compete with the private sector for the small pool of experienced senior analysts will lose the auction; the ones that build a pipeline from vocational graduates and grow them in-house will staff their units sustainably.
4. Set Three KPIs That ASSI and the Institution Head Both Recognise
Resist the temptation to publish a dashboard with twenty KPIs. The three that matter to both ASSI and the institution head in 2026 are: (a) mean time to acknowledge a DZ-CERT alert (target: under 1 hour business hours, under 4 hours after-hours), (b) percentage of high-severity vulnerabilities patched within 14 days of disclosure (target: 95%+), and (c) percentage of staff completing the institution’s annual cybersecurity awareness module (target: 90%+). These are auditable, externally verifiable, and map to the decree’s prevention-detection-response pillars. Add complexity in 2027 once the unit has 12 months of baseline data.
5. Run Your First Tabletop Exercise in Q3 2026, Not 2027
A cybersecurity unit that has not rehearsed an incident is a paperwork unit. Schedule the first internal tabletop in Q3 2026, with three scenarios drawn from active 2025-2026 threats: ransomware in a state-enterprise ERP, credential theft via phishing of a senior official, and supply-chain compromise of a software vendor. Invite a DZ-CERT observer. Document the gaps the exercise exposes — almost certainly: unclear decision authority, missing out-of-hours contact, undefined customer-communication template — and assign owners with 30-day fix dates. The published article on SME ransomware tabletops can be adapted directly for the public-sector context.
Working with ASSI and the Compliance Calendar
The 12-month compliance calendar for an Algerian public body in 2026 should anchor on three fixed points. By end of Q2, the unit must exist on the org chart with a named chief and at least one analyst role filled. By end of Q3, the partnership letter with DZ-CERT must be signed and the first tabletop must have run. By end of Q4, the institution must have published its first internal cybersecurity policy, completed a baseline asset inventory, and reported its three KPIs to the institution head and ASSI. Institutions that hit these three milestones will be ready when the draft cybersecurity law lands with formal enforcement powers — likely in 2027 — and will have built the operational muscle that the decree intends. Institutions that defer the build-out will be playing catch-up while ASSI inspections begin and DZ-CERT is already routing incidents through their peers’ faster channels.
Frequently Asked Questions
What does Presidential Decree 26-07 actually require?
Decree 26-07, published January 21, 2026, requires every Algerian public body — ministries, public agencies, and state enterprises — to create a dedicated cybersecurity unit reporting directly to the institution’s head and aligned with ASSI under the Ministry of National Defense. The decree does not specify org-chart structure, headcount, or KPIs; it leaves operational design to each institution.
How does Decree 26-07 relate to the older Decree 20-05 CISO requirement?
Decree 20-05 institutionalised the CISO role inside state information systems. Decree 26-07 goes further by requiring an entire dedicated unit, not just an individual role, with explicit separation from the IT department and a reporting line outside the IT chain. The two instruments are complementary: Decree 20-05 created the role, Decree 26-07 builds the team and operating structure around it.
Where will Algerian public bodies find cybersecurity staff for these new units?
The 2025-2029 National Information Systems Security Strategy points to the 285,000 vocational training seats announced under Algeria’s skills programme as a primary supply channel, with cybersecurity being one of the priority tracks. Public bodies will likely build hiring ladders that bring in vocational graduates as junior analysts and grow them in-house through SOC rotation and mentorship, rather than compete in the small senior-analyst market.
Sources & Further Reading
- Algeria Strengthens Cybersecurity Framework to Protect National Infrastructure — Tech Africa News
- 2025-2029 National Information Systems Security Strategy Unveiled — African News DZ
- Algeria Public-Sector Cybersecurity Update — SAMENA Council
- CMS Expert Guide to Data Protection and Cyber Security Laws — Algeria
