⚡ Key Takeaways

ASSI opened the second national RSSI (CISO) training session at the ENSCS cybersecurity school in Sidi Abdellah on 1 June 2026, a three-day program training state cadres to staff the dedicated cybersecurity units that Presidential Decree 26-07 now requires in every public institution. It operationalizes the training pillar of the 2025-2029 National Information Systems Security Strategy, against a backdrop of over 70 million attempted attacks on Algeria in 2024.

Bottom Line: Algerian public-sector IT leaders should map their institution against Decree 26-07 and enroll RSSI candidates in the next ENSCS national session now, before audits or incidents force the issue.

🧭 Decision Radar

Relevance for Algeria: High
The RSSI training directly staffs the cybersecurity units Decree 26-07 now requires in every public institution, touching nearly all of Algeria’s state apparatus.

Action Timeline: Immediate
Decree 26-07 is already in force and the national training pipeline is on its second cohort; public bodies should act this year, not next.

Key Stakeholders: Public-sector IT leaders, RSSI/CISO candidates, state enterprises

Decision Type: Strategic
This shapes how public institutions structure and staff their security function for years, not a one-off tactical fix.

Priority Level: High
A legal mandate plus a 70-million-attack threat environment makes building qualified security teams a near-term necessity for any public body.

Quick Take: Public-sector IT leaders should map their institution against Decree 26-07’s five required functions now, nominate RSSI candidates for the next ENSCS national session, and stand up an incident-reporting runbook to ASSI/DZ-CERT before an audit or a real incident forces the issue. Treat the RSSI role as a budgeted career track, not a title, to retain the scarce talent this program produces.

A Cybersecurity School Becomes Algeria’s CISO Factory

On Monday, 1 June 2026, the Agence de la Sécurité des Systèmes d’Information (ASSI) — the information-systems-security agency under the Ministry of National Defense — opened the second national training session for RSSI (Responsable de la Sécurité des Systèmes d’Information, the French title for Chief Information Security Officer) at the École Nationale Supérieure de Cybersécurité (ENSCS) in Sidi Abdellah, west of Algiers. The three-day program, reported by ITMag, was run in collaboration with the Ministry of Higher Education and Scientific Research and gathered RSSI professionals from state institutions and national organizations.

The session is small in calendar terms — three days — but large in strategic weight. It is the moment where Algeria’s recent wave of cybersecurity legislation stops being paper and starts becoming people. Decrees create obligations; only trained security officers can discharge them.

Why This Session Exists: Decree 26-07 Needs Bodies

The training is the direct human-capital answer to a legal mandate. On 7 January 2026, President Tebboune signed Presidential Decree No. 26-07, published in the Official Gazette on 21 January 2026, which — as Ecofin Agency reported — requires every public institution to establish a standalone cybersecurity unit reporting directly to leadership. Those units are responsible for data protection, system security, risk assessment, incident response, and compliance with personal-data-protection law, and they must report security incidents to the relevant authorities immediately.

A decree can mandate a unit; it cannot mandate competence. Each of those units needs a qualified RSSI at its head and trained analysts beneath. That is the gap the ENSCS sessions close. ASSI is, in effect, manufacturing the officer corps that Decree 26-07 calls into existence — one cohort at a time.

The backdrop is a sharp rise in threat volume. According to Kaspersky telemetry cited in coverage of the decree, Algeria faced over 70 million attempted attacks in 2024, with more than 13 million phishing attempts blocked and nearly 750,000 malicious email attachments stopped — placing the country 17th globally among the most-targeted nations. Numbers at that scale make a self-evident case for putting a trained security officer inside every ministry, agency, and public enterprise.

The Strategy Behind the Sessions

The RSSI program does not stand alone. It is the operational training pillar of the 2025-2029 National Information Systems Security Strategy, which President Tebboune approved by Presidential Decree No. 25-321 on 30 December 2025, and which ASSI published on 3 March 2026 — a framework TechAfrica News described as a five-year roadmap to defend public administrations and critical digital infrastructure. ALGERIATECH covered the strategy’s architecture in its full analysis of the 2025-2029 plan, where CNSSI (the National Information Systems Security Council) sets strategic direction and ASSI executes at the technical and operational level.

ENSCS is the newest piece of that architecture. The school was created by Presidential Decree No. 24-181 on 5 June 2024 and opened its doors in September 2024 with a first cohort of 220 students, jointly supervised by the Ministry of Higher Education and the Ministry of National Defense. Its director, Mohamed Amine Riahla, framed the school’s role plainly during the session: ENSCS “was recently created, but has significant ambitions, including coordination with ASSI.” The June session is that coordination made concrete — a young school lending its labs and faculty to upskill serving state cadres rather than only training new graduates.

The curriculum reflects a practitioner focus. According to coverage in Le Jour d’Algérie, the three days combined technical-skills reinforcement, secure software-development norms and best practices, hands-on workshops led by cybersecurity experts, and updates on cybersecurity legislation and regulation — exactly the blend a sitting RSSI needs to translate Decree 26-07 into a working program.

What Algerian security teams should do

For public-sector IT leaders and the enterprises that serve them, this is a window of opportunity. The institutional plumbing is being built; the move now is to plug into it rather than wait.

1. Map your institution to Decree 26-07 before the audit does

Every public body now owes a standalone cybersecurity unit reporting to leadership. Inventory what you have — a named RSSI, an incident-response path, a personal-data compliance owner — against the five functions the decree names: data protection, system security, risk assessment, incident response, and compliance. Document the org chart that makes the unit independent and direct-reporting, because that structural detail is the part most institutions overlook when they bolt security onto an existing IT department.

2. Nominate and enroll your RSSI candidates in ASSI’s national track now

The June 2026 cohort is the second session, which means a recurring national pipeline is forming. Identify the one or two people who will hold the RSSI title, and position them for the next ENSCS session rather than improvising training later. A candidate already inside the ASSI/ENSCS track carries credibility with regulators that an ad-hoc internal hire does not, and the curriculum maps directly to the duties your unit will be measured against.

3. Build the incident-reporting muscle the decree actually requires

Decree 26-07’s sharpest operational clause is immediate reporting of incidents to the relevant authorities. Stand up the runbook now: who detects, who classifies, who notifies ASSI/DZ-CERT, and within what window. Run a tabletop exercise against the 70-million-attack threat reality so the reporting reflex is built before a real incident tests it. A unit that can report correctly under pressure is worth more than one with the best tooling and no process.

4. Treat the RSSI role as a career track, not a checkbox

The national sessions signal that “RSSI” is becoming a recognized, certifiable profession in Algeria — adjacent to the CISSP and CEH wave ALGERIATECH tracked in its cybersecurity certification analysis. Pair ENSCS attendance with international certifications and a defined progression path. Retention matters: a trained RSSI is now a scarce, in-demand asset, and the institutions that offer a real career — not a title with no budget — will keep theirs.

Where This Fits in Algeria’s 2026 Cybersecurity Build-Out

The ENSCS sessions are a small, repeatable event that reveals the shape of a much larger project. In roughly six months, Algeria moved from approving a national strategy (Decree 25-321, December 2025) to mandating units in every public institution (Decree 26-07, January 2026) to publishing the strategy text (March 2026) to training the officers who will run those units (the second ENSCS session, June 2026). That is a coherent sequence: roadmap, obligation, doctrine, people — each step building on the last.

What makes the training pillar the decisive one is that infrastructure and decrees are reproducible, but capable security officers are not. A country can buy firewalls and pass laws faster than it can grow a cadre of seasoned RSSI. By routing serving state cadres through a national school that coordinates directly with the operational agency, Algeria is compressing the slowest part of cybersecurity maturity — human capability — into a repeatable national program. The second session is proof the pipeline is becoming routine, and routine is precisely what turns a one-time launch into a durable national capability.

Frequently Asked Questions

What is an RSSI and how does it relate to a CISO?

RSSI stands for Responsable de la Sécurité des Systèmes d’Information — the French-language title for a Chief Information Security Officer (CISO). In Algeria’s public sector, the RSSI is the qualified officer who heads the dedicated cybersecurity unit that Presidential Decree 26-07 now requires in every public institution, responsible for data protection, system security, risk assessment, incident response, and compliance.

Who organizes the national RSSI training and where is it held?

The training is organized by ASSI (Agence de la Sécurité des Systèmes d’Information), the information-systems-security agency under the Ministry of National Defense, in collaboration with the Ministry of Higher Education and Scientific Research. The sessions are held at the École Nationale Supérieure de Cybersécurité (ENSCS) in Sidi Abdellah, west of Algiers — a school created by Presidential Decree 24-181 in June 2024.

What does Decree 26-07 require Algerian public institutions to do?

Presidential Decree No. 26-07, signed 7 January 2026 and published in the Official Gazette on 21 January 2026, requires every public institution to establish a standalone cybersecurity unit reporting directly to leadership. The unit must handle data protection, system security, risk assessment, incident response, and personal-data-protection compliance, and must report any security incident to the relevant authorities immediately.

Sources & Further Reading