The Regulatory Moment Most Private Companies Are Not Ready For
Algeria’s cybersecurity legislation has historically concentrated on public institutions and critical infrastructure operators. Presidential Decree No. 26-07, signed in January 2026, continues that emphasis — mandating that all state information systems establish dedicated cybersecurity units, designate CISOs, and align with frameworks overseen by the Information Systems Security Agency (ASSI). For a Ministry of Finance IT team or a state telecom operator, this decree has direct, immediate operational consequences.
For an Algerian private-sector company — an e-commerce platform, a fintech, an accounting firm, a logistics operator — the decree’s direct legal reach is limited. But the ecosystem it has accelerated is not. Law No. 25-11 on the protection of personal data, enacted in 2023 and now being actively enforced by the newly empowered ANPDP, imposes explicit breach notification obligations on all data controllers and processors operating in Algeria, regardless of sector or ownership. Criminal liability under Law No. 09-04 applies to any entity — public or private — that fails to report or conceals a cybersecurity incident involving unauthorized access to information systems.
The gap between legal obligation and organizational readiness is stark. Algeria’s penalties for non-compliance are substantial: fines from DZD 5,000 to DZD 10 million and imprisonment from 2 months to 10 years depending on the offense and intent. Yet surveys of Algerian SMEs consistently find that fewer than one in five has a documented incident response plan, and fewer than one in ten has ever conducted a tabletop exercise simulating a breach. The first 72 hours after a breach discovery are the most consequential — for containment, for regulatory compliance, and for evidence preservation. This playbook covers what private-sector teams must do, in order, within that window.
What the Law Actually Requires of Private Companies
Before the operational playbook, the legal framework must be understood precisely. Three instruments create obligations for Algerian private-sector organizations after a cybersecurity incident.
Law No. 25-11 (Personal Data Protection): Controllers — organizations that determine the purpose and means of processing personal data — must notify ANPDP within 5 days of becoming aware of a personal data breach. The notification must describe the nature of the breach, the categories and approximate number of individuals affected, the categories and approximate number of personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach. Processors — organizations that process data on behalf of a controller — must notify the controller “as soon as they become aware” of a breach, with no grace period specified. If you are a cloud provider, a payroll processor, or a software vendor handling client data, you are a processor under Law 25-11 and your notification obligation to your client is immediate.
Law No. 09-04 (ICT Offenses): This law criminalizes unauthorized access to information systems, obstruction of automated data processing, and fraudulent introduction or modification of data. Critically, it applies not only to attackers but also to organizations that fail to report incidents or that take actions (or inactions) that could be construed as facilitating continued unauthorized access. An organization that discovers a breach, continues operating the compromised system without containment, and fails to notify the relevant authority faces potential exposure under this law.
Presidential Decree No. 20-05 and the ASSI Framework: ASSI has supervisory authority over incidents affecting systems classified as critical information infrastructure. Private companies operating in sectors designated as critical — banking, energy, healthcare, telecommunications — have reporting obligations to ASSI in addition to ANPDP. The specific reporting timelines for ASSI notifications are not publicly codified in the same way as the ANPDP 5-day rule, but ASSI expects prompt notification from critical-sector operators.
What Algerian Private-Sector Teams Should Do in the First 72 Hours
1. Detect, Contain, and Preserve Evidence (Hours 0–6)
The first action upon discovering or being notified of a potential breach is isolation, not investigation. Disconnect compromised systems from the network — do not shut them down, as a running system retains volatile memory (RAM) that may contain attacker tools, encryption keys, and active network connections. A shutdown destroys this forensic evidence. If your organization has no live forensics capability, capture a memory image with a free acquisition tool before any other action and preserve it for later analysis with a framework such as Volatility.
Preserve all relevant logs before any system changes: firewall logs, authentication logs, email server logs, and application access logs for the 30-day period preceding discovery. In many Algerian organizations, logs are overwritten every 7–14 days due to storage constraints. If the breach is discovered on day 15 after the initial compromise, you may already have lost the evidence of initial access. This is why log retention policy — minimum 90 days, 365 days for regulated sectors — must be established before an incident, not after.
Document the exact timestamp of discovery, who discovered it, and the initial indicators (unusual login, ransom note, performance degradation, customer report). This timestamp is the legal anchor for your 5-day ANPDP notification clock under Law 25-11.
2. Assess Scope and Determine if Personal Data is Involved (Hours 6–24)
Not every security incident triggers a legal notification obligation — only those that involve personal data (under Law 25-11) or critical infrastructure (under ASSI oversight). The scope assessment answers three questions: What systems were accessed? What data did those systems contain? Are any of those data records personal data as defined by Law 25-11?
Algeria’s Law 25-11 defines personal data broadly: any information that can directly or indirectly identify a natural person, including names, national ID numbers, health records, financial data, location data, and online identifiers. If the compromised system contained a customer database, an employee HR file, or any record associating a person with a service, the incident is a personal data breach and the 5-day notification clock is running.
Conduct a data mapping exercise if one does not already exist — this means identifying every database, file share, and SaaS account that was accessible from the compromised systems. Document findings in writing. If external forensic assistance is required, engage a cybersecurity firm immediately; the 5-day window is not negotiable.
3. Notify ANPDP and Affected Parties Within 5 Days (Hours 24–120)
The ANPDP notification does not require certainty about the full scope of the breach — Law 25-11 explicitly allows organizations to provide information “in phases” if the full picture is not yet available at the time of initial notification. This phased approach means you can submit an initial notification on day 3 with what you know, then supplement it on day 7 with a complete forensic report. Waiting until the forensic investigation is complete before notifying is the most common compliance mistake — and it is the one that creates the greatest regulatory and criminal liability.
The initial ANPDP notification should include: the date and time of discovery, the suspected or confirmed nature of the breach (ransomware, unauthorized access, accidental exposure), the estimated categories of data involved (customer financial records, employee HR data, health information), the estimated number of individuals potentially affected, and the immediate containment steps already taken. ANPDP’s contact for breach notifications is published on its official portal.
If the breach is likely to result in a high risk to the rights and freedoms of natural persons — for example, exposure of financial credentials, health records, or national ID numbers — Law 25-11 also requires direct notification to the affected individuals “without undue delay.” This notification must include a plain-language description of the breach, the likely consequences, and the actions affected persons can take to protect themselves.
4. Preserve Business Continuity and Manage Stakeholder Communications (Hours 0–72, Parallel Track)
Containment and legal notification are the primary tracks, but a third parallel track — stakeholder communications — must run simultaneously. Notify your legal counsel within the first 6 hours; they will advise on regulatory strategy, insurance claim initiation, and communication privilege. Notify your cyber insurance carrier (if you have one) within 24 hours; most policies require prompt notification and may void coverage for incidents where notification was delayed without reasonable justification.
For companies with enterprise clients who entrust them with data (processors under Law 25-11), notify those clients immediately — “as soon as aware” is the legal standard. Do not wait for the full forensic report. Clients need to assess their own exposure, notify their own customers if required, and make their own regulatory filings. A processor that delays client notification by 48 hours while conducting its own investigation has violated Law 25-11 and almost certainly its own service agreement.
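As an added example that is not part of the original article, the following Python script puts the hour-0 evidence step into a form a small team can run: it records the discovery timestamp that anchors the Law 25-11 five-day ANPDP clock, copies the named logs into an evidence folder with SHA-256 hashes so their integrity can be demonstrated later, and flags any log source whose retention is shorter than the 30-day window the playbook calls for. The log names, paths and retention figures are assumptions for illustration.

```python
import hashlib
import json
import shutil
from datetime import datetime, timedelta
from pathlib import Path

ANPDP_NOTIFICATION_DAYS = 5    # Law 25-11: controller notifies ANPDP within 5 days
REQUIRED_LOG_WINDOW_DAYS = 30  # preserve the 30 days preceding discovery


def sha256_of(path: Path) -> str:
    """Hash in chunks so multi-gigabyte log files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_evidence(discovered_at, discovered_by, indicator, log_sources, evidence_dir):
    """Copy each log into evidence_dir, hash the copy, and write a manifest that
    anchors the ANPDP clock and lists sources whose retention falls short.
    log_sources: dicts with 'name', 'path', 'retention_days' (assumed shape)."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    deadline = discovered_at + timedelta(days=ANPDP_NOTIFICATION_DAYS)
    manifest = {"discovered_at": discovered_at.isoformat(), "discovered_by": discovered_by,
                "initial_indicator": indicator, "anpdp_deadline": deadline.isoformat(),
                "files": [], "retention_gaps": []}
    for src in log_sources:
        copied = evidence_dir / Path(src["path"]).name
        shutil.copy2(src["path"], copied)  # copy2 keeps the source's mtime
        manifest["files"].append({"name": src["name"], "file": copied.name,
                                  "sha256": sha256_of(copied)})
        missing = REQUIRED_LOG_WINDOW_DAYS - src["retention_days"]
        if missing > 0:  # rotation already discarded part of the 30-day window
            manifest["retention_gaps"].append({"name": src["name"], "missing_days": missing})
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir) -> bool:
    """Re-hash the preserved copies; False means a copy changed after collection."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return all(sha256_of(evidence_dir / f["file"]) == f["sha256"] for f in manifest["files"])
```

Run `preserve_evidence` once at discovery and keep `manifest.json` with the evidence folder; `verify_manifest` lets counsel or a forensic firm confirm nothing was altered afterwards.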
The Structural Lesson
Algeria’s cybersecurity legal framework has reached a point of operational maturity that most private-sector organizations have not internalized. The 5-day ANPDP notification requirement is not aspirational — it is enforceable, with a criminal backstop in Law No. 09-04. The organizations that treat incident response planning as a 2024-era optional practice are now operating in a 2026 regulatory environment where “we didn’t know what to do” is not a defense.
The practical requirement is a documented incident response plan — a 5–10 page document that names the incident response team, defines escalation paths, lists the regulatory notification contacts and timelines, and specifies the containment steps for common breach scenarios (ransomware, credential compromise, insider threat). This document should be reviewed quarterly and tested by tabletop exercise at least once a year. Organizations that already have ISO 27001 certification will have this as a required ISMS artifact; organizations without it must build it independently.
ASSI has published reference materials for incident response aligned with Algeria’s regulatory framework. The DZ-CERT national computer emergency response team accepts incident reports and provides technical assistance to private-sector organizations facing active intrusions. Engaging DZ-CERT early — even before the full scope of an incident is known — is both operationally valuable and demonstrates good-faith regulatory cooperation that regulators weigh in enforcement decisions.
Frequently Asked Questions
Q: Does the 5-day ANPDP notification requirement apply to every type of security incident?
No — only incidents involving personal data as defined by Law 25-11. A ransomware attack on a server containing only internal financial projections (no personal data) does not trigger ANPDP notification. A ransomware attack on a server containing customer names, email addresses, or payment records does trigger the 5-day obligation. The scope assessment in hours 6–24 determines which regime applies. If you are uncertain whether data qualifies as personal data under Law 25-11, treat it as personal data and notify — the cost of an unnecessary notification is far lower than the cost of a missed one.
Q: What happens if we miss the 5-day ANPDP notification deadline?
Missing the deadline does not automatically trigger prosecution, but it creates regulatory exposure that grows with delay. ANPDP’s enforcement posture is still developing as a newly empowered authority, and early enforcement actions typically focus on organizations that knew about a breach and made no notification rather than those that were late due to genuine investigative complexity. Document the reasons for any delay in writing — system complexity, attacker-maintained persistence, forensic firm availability — and submit the late notification with a detailed explanation. Self-reporting late is always treated more favorably than non-reporting discovered through third parties.
Q: Should we engage DZ-CERT or a private incident response firm first?
Both, ideally in parallel. DZ-CERT provides free technical assistance and incident coordination for Algerian entities, and engaging them early demonstrates regulatory good faith. A private incident response firm (preferably one with prior Algerian regulatory experience) provides the contractual confidentiality, speed, and breadth of forensic tooling that DZ-CERT’s resource constraints may not match for large or complex incidents. DZ-CERT is most valuable for threat intelligence sharing and coordination with ASSI; the private firm is most valuable for technical containment and evidence collection.