Decree 26-07: A 90-Day Cyber Unit Roadmap

Published May 30, 2026 · by ALGERIATECH Editorial

⚡ Key Takeaways

Presidential Decree 26-07, in force since January 21, 2026, requires every Algerian public institution to build a dedicated cybersecurity unit reporting directly to institutional leadership — separate from IT, with risk-mapping, audit, and procurement-gating authority. This 90-day roadmap sequences the rollout: Days 1–30 stand up the unit and lock the reporting line; Days 31–60 deliver the first risk map and signed cybersecurity policy; Days 61–90 wire incident reporting into ASSI and gate every new outsourcing contract through a security clause.

Bottom Line: Treat Decree 26-07 as a 90-day project, not an open-ended compliance file. Appoint a unit lead on Day 1, protect a separate budget line from IT absorption, and build the ASSI working cadence from the start — not at month three.

Read Full Analysis ↓

🧭 Decision Radar

Relevance for Algeria
High
▾

all public entities must comply

Action Timeline
Immediate
▾

decree already in force since January 21, 2026

Key Stakeholders
CISOs, IT directors, ministry DSI teams, ASSI, procurement leads

Decision Type
Tactical
▾

This article offers tactical guidance for near-term implementation decisions.

Priority Level
Critical
▾

Assessment: Critical. Review the full article for detailed context and recommendations.

Quick Take: Algerian public-sector IT teams should treat Decree 26-07 as a 90-day project rather than an open-ended compliance exercise. Days 1–30 stand up the unit and lock the reporting line, days 31–60 deliver the first risk map and signed policy, and days 61–90 wire incident reporting into ASSI and gate the procurement pipeline. Protect the unit’s budget from IT absorption and build the ASSI cadence from day one.

From Decree Text to Project Plan

Presidential Decree No. 26-07, signed on January 7, 2026 and published in the Official Gazette on January 21, equips Algeria’s public sector with a clear mandate to build dedicated cybersecurity units inside every institution. The decree sets the destination — a unit that reports to institutional leadership, runs cybersecurity policy, conducts risk mapping, monitors systems, and coordinates with ASSI on incidents — but leaves the sequencing to each head of institution. That is a feature, not a gap: it lets ministries, wilayas, and public enterprises calibrate the rollout to their own threat surface and staffing reality. The opportunity now is to convert that flexibility into a disciplined, time-boxed project.

The reason a 90-day frame works is that it matches the operating tempo of Algerian public administration. A full fiscal year is too slow to keep momentum and too easy to deprioritise; a 30-day sprint is too fast to honestly run a risk-mapping cycle and a vendor security review. Ninety days — roughly one budget quarter — gives institutional leadership three discrete planning checkpoints (Day 30, Day 60, Day 90), each with its own deliverable, and a defensible reporting cadence to ASSI and to the National Council that validates strategic orientations under the 2025–2029 National Cybersecurity Strategy.

This is also why the roadmap reads as an opportunity rather than a compliance burden. The institutions that move first will be the ones writing the practical playbook every other public entity ends up copying — and the IT teams running those rollouts will build the kind of operational depth (real risk maps, real incident-reporting drills, real procurement controls) that is genuinely scarce in the Algerian public-sector labour market today. Decree 26-07 is the moment when “cybersecurity manager” stops being a job title and starts being a discipline.

What Decree 26-07 Actually Requires

The structural requirement is clean and tightly scoped. According to the Ecofin Agency reporting on the decree, every public institution must establish a dedicated cybersecurity unit that (1) operates separately from the IT technical management department, (2) reports directly to the head of the institution rather than to the CIO or IT director, (3) designs and oversees the institution’s cybersecurity policy, (4) conducts risk mapping and the matching remediation plans, (5) monitors systems and runs regular audits, (6) immediately reports incidents to the relevant authorities, and (7) ensures compliance with the country’s personal data protection legislation. The unit also has to coordinate with the procurement function and internal security bodies whenever the institution outsources any work that touches its information systems.

That last point matters more than it first appears. It pulls the cybersecurity unit into every public IT contract the institution signs after January 2026 — the unit reviews vendor security clauses, sets minimum requirements for subcontractors, and signs off on outsourcing arrangements before the procurement file closes. For institutions that buy heavily from local integrators or sign cloud and hosting contracts, this is the part of the decree with the largest operational footprint.

The decree also complements the existing CISO mandate. Algeria’s national cybersecurity framework has institutionalised the Chief Information Security Officer role across state institutions since 2020, as TechAfrica News documented in its January 2026 review of the framework. Decree 26-07 doesn’t replace the CISO — it gives the CISO an organisational vehicle (the unit) and a direct reporting line into the head of the institution.

Who Must Comply and the Timeline Reality

The scope of the decree is broad: all public institutions and administrations are covered, which in practice means every ministry, every wilaya administration, every public enterprise (EPE/EPIC), every regulatory agency, and every state-owned operator running critical information systems. Universities, hospitals, and large social-security and tax administrations fall inside the same perimeter, even if their threat profiles look quite different.

The decree does not publish an explicit calendar deadline, which makes timing a judgement call by the head of each institution. That said, the broader policy context — Presidential Decree No. 25-321 of December 30, 2025 approving the 2025–2029 National Cybersecurity Strategy, Decree 26-07 one week later, and a documented threat surface of more than 70 million attempted cyberattacks against Algeria in 2024 alone — creates clear top-down momentum. Institutions that are still in planning mode by Q3 2026 will be visibly behind, both to ASSI and to their own auditing bodies.

The practical inference: treat Day 1 of the 90-day plan as the date the institution’s head formally appoints a cybersecurity unit lead. From that decision, 90 days gets the unit to “operating”, not “perfect”. The Day 90 milestone is a unit that has a published policy, a first-pass risk map, an incident-reporting line into ASSI, and a security clause in every new outsourcing contract.

What Public-Sector IT Teams Should Do

1. Days 1–30: Stand up the unit, name a lead, and lock the reporting line

The first 30 days are governance, not technology. The head of the institution issues an internal note designating the cybersecurity unit, names the unit lead (the CISO equivalent under Decree 26-07), and confirms in writing that the lead reports directly to institutional leadership — not through the IT director. This is the single most important structural step in the entire roadmap: if the unit ends up reporting to the IT function it is meant to audit, the decree’s intent is defeated on Day 1.

In parallel, the lead recruits or designates the founding team. A defensible minimum for a small institution is three people: the lead, a security operations analyst, and a security engineer or governance officer. Larger institutions (over 2,000 staff or critical infrastructure operators) should plan for 8–12 people by Day 90, scaled from the same three core role functions. Job descriptions should be written before recruitment starts, and the unit’s seat in the institution’s organigram should be published internally so every other directorate understands where to send incident notifications.

2. Days 31–60: Conduct the first risk map and draft the cybersecurity policy

The risk-mapping cycle is the first major technical deliverable. The unit inventories the institution’s information systems, classifies them by sensitivity (using the personal data protection legislation as one of the classification axes), and runs a structured threat assessment against each. The output is a prioritised risk register — not a 200-page document, but a working list of the 15–30 most material risks with named owners and remediation timelines. Algeria’s threat picture, as reported by Ecofin Agency, is dominated by phishing (13+ million attempts blocked in 2024) and malware-laden email (nearly 750,000 attachments intercepted), which means the risk register should weight email, identity, and endpoint controls heavily on the first pass.

In parallel, the unit drafts the institution’s cybersecurity policy. The policy is the document the head of the institution signs to make the unit’s authority enforceable across every directorate. It should name the unit’s responsibilities verbatim from Decree 26-07, reference the existing CISO mandate, and explicitly cover incident reporting, audit access, and the unit’s veto power on outsourcing security clauses. The Day 60 milestone is “risk map drafted + policy signed”.

3. Days 61–90: Wire incident reporting into ASSI and gate the procurement pipeline

The final 30 days operationalise the two requirements that have the most immediate consequence outside the institution: incident reporting to ASSI and procurement gating. The unit establishes a single named contact point (a person and an inbox) for ASSI, agrees a working incident classification scheme that aligns with what ASSI expects to receive, and runs at least one tabletop exercise that simulates an incident notification end to end. ASSI’s coordinating role under the Ministry of National Defence — defined in the 2025–2029 National Cybersecurity Strategy — means this contact line is the institution’s primary cybersecurity interface with the state.

In parallel, the unit walks the procurement function through the new security-clause template. Every outsourcing file opened after Day 90 should include a security annex that the cybersecurity unit signs off on, covering data residency, subcontractor controls, incident notification timelines, and audit rights. The Day 90 milestone is a unit that has a real incident line to ASSI, a working policy, a current risk map, and a procurement gate.

4. Build the ASSI coordination cadence from day one, not at month three

ASSI is the strategic partner, not a regulator to be managed at arm’s length. The unit lead should treat the relationship as a multi-year working partnership: a regular reporting cadence (monthly status notes for the first year, quarterly thereafter), participation in the ASSI-coordinated activities described in the National Cybersecurity Framework, and a willingness to share risk-map summaries and lessons-learned reports. Institutions that build this cadence early get earlier access to threat intelligence, faster incident response support, and a stronger voice in how sector-level guidance is shaped. The unit should also map the relationship with related bodies — DZ-CERT for incident response coordination, the personal data protection authority for privacy compliance — and assign named liaisons to each.

5. Budget the unit honestly and protect it from absorption by IT

The single biggest implementation risk is budget absorption. If the cybersecurity unit’s budget sits inside the IT directorate’s envelope, the unit will quietly lose resources to operational IT priorities every quarter. The fix is structural: the head of the institution approves a separate cybersecurity unit budget line, distinct from IT operations, with its own multi-year envelope. The Day 90 milestone here is a signed budget for the rest of fiscal 2026 and a draft for 2027 that protects the three biggest cost categories — people (60–70% of the budget), tooling (20–30%), and external services such as audits and incident response retainers (10–15%). Institutions that publish their cybersecurity unit budget separately in their internal planning documents send a clear signal that the unit is a permanent function, not a project.

Building Algeria’s Cyber Resilience Foundation

A 90-day implementation roadmap is not the whole answer to Decree 26-07. It is the entry point. What the roadmap actually delivers is a working operating unit by the end of one quarter, a defensible audit trail for the head of the institution, and a working relationship with ASSI that will mature over the next two to three years. The unit that exists on Day 91 is not a finished cybersecurity capability — it is a credible foundation that the institution can build on through 2027 and into the back half of the 2025–2029 strategy window.

What this roadmap signals more broadly is that Decree 26-07 has changed the operating model for public-sector IT in Algeria. The CIO is no longer the only senior IT voice in the room; the cybersecurity unit lead has a parallel reporting line straight to institutional leadership, and a domain — risk, audit, procurement security, incident reporting, data protection — that cuts across every digital initiative the institution runs. For public-sector IT teams, that means closer working ties with a peer function, more rigorous internal review of new systems, and a structural answer to the question of who, exactly, is accountable when something goes wrong.

Done well, the implementation of Decree 26-07 across Algeria’s ministries, wilayas, and public enterprises will give the country a layered cybersecurity architecture: a national strategy at the top, ASSI coordinating, institutional units executing, and a domestic talent base that grows because the demand for it is now codified in law. The 90-day plan is how each institution contributes a brick to that architecture.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn

Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Frequently Asked Questions

1. What does Decree 26-07 require Algerian public institutions to do?

Presidential Decree No. 26-07, published in the Official Gazette on January 21, 2026, requires every Algerian public institution to establish a dedicated cybersecurity unit. The unit must operate separately from IT technical management, report directly to the head of the institution, design and oversee the cybersecurity policy, run risk mapping with remediation plans, monitor systems and audit them regularly, report incidents immediately to relevant authorities, ensure compliance with personal data protection law, and coordinate with procurement on the security clauses in outsourcing contracts.

2. Who must comply with Decree 26-07?

All public institutions and administrations are in scope — ministries, wilaya administrations, public enterprises (EPE/EPIC), regulatory agencies, state-owned operators of critical information systems, public universities, public hospitals, and large social-security and tax administrations. The decree does not publish an explicit deadline; in practice, institutions still in planning mode by Q3 2026 will be visibly behind the policy momentum set by the 2025–2029 National Cybersecurity Strategy.

3. How does the cybersecurity unit work with ASSI?

ASSI (Agence de la Sécurité des Systèmes d’Information), operating under the Ministry of National Defence, coordinates national cybersecurity strategy and acts as the partner agency for institutional cybersecurity units. Each unit should designate a named contact point for ASSI, agree an incident classification scheme that aligns with ASSI’s intake expectations, share risk-map summaries and lessons-learned reports, and join the ASSI-coordinated activities described in the 2025–2029 strategy. The relationship is a multi-year working partnership, not a one-off compliance check.