Algeria’s Omnibus Digital Law: What the 9-Axis Framework Means for Startups

The Omnibus Arrives: One Law to Replace Dozens

Algeria’s digital economy has long operated on a patchwork of legal instruments drafted at different moments and for different purposes. Law No. 18-07 on personal data protection (2018) sits alongside a 2015 electronic signature framework that predates mobile payments, a 2017 cloud-hosting decree, cybersecurity measures spread across multiple presidential decrees, and a fintech rulebook issued in 2025. Each regime was created in response to a specific technology wave; none was designed to speak to the others.

That fragmentation is precisely what the forthcoming omnibus digital bill is designed to end. A commission of 22 experts assembled by the High Commissioner for Digitalization spent more than a year cataloguing the gaps. Their conclusion: 51 distinct legal voids across the digital economy, many of them directly blocking startup activity — from unclear liability rules for cloud-hosted data to the absence of a binding cross-sector breach-notification standard. The resulting draft was submitted to the Secretariat General of Government on January 23, 2025, and is now on the parliamentary path to enactment.

The bill is explicitly designed with a 10-year operational horizon, meaning the compliance posture a founder builds today should serve as infrastructure — not just a one-time checkbox.

Algeria’s Current Digital Legal Landscape: Nine Domains in Flux

Understanding the omnibus means understanding what already exists and where the gaps lie. Verified sources map the bill across nine axes:

Axis 1 — Data Protection: Law No. 18-07 (2018), significantly amended by Law No. 25-11 in July 2025, now requires appointment of a Data Protection Officer (DPO), mandatory Data Protection Impact Assessments (DPIA) for high-risk processing, and breach notification to the National Authority for the Protection of Personal Data (ANPDP) within five days of becoming aware of an incident.

Axis 2 — Electronic Signatures and Trust Services: The November 2, 2025 Council of Ministers-approved draft law on trust services replaces an outdated 2015 framework, granting full legal equivalence to digital documents and extending ARPCE’s supervisory authority to trust service providers across sectors.

Axis 3 — Digital Identification: A national digital ID system anchored to the existing biometric identity card is being embedded into the bill, enabling secure single-sign-on across public and commercial services — opening the door for startups to build identity-verified onboarding flows without third-party KYC providers.

Axis 4 — Cybersecurity: Three presidential decrees from late 2025 and early 2026 have already begun operationalizing this axis: Decree No. 25-320 (December 30, 2025) established the national data governance framework; Decree No. 26-07 (January 7, 2026) created dedicated cybersecurity units in public institutions. The omnibus will consolidate the compliance obligations flowing from these decrees into a single statutory framework.

Axis 5 — Cloud Computing: The current legal basis — a 2017 hosting decree requiring infrastructure on Algerian territory — has never been updated for multicloud, hybrid, or SaaS deployment models. The omnibus is expected to introduce licensing tiers and data-residency rules calibrated to actual technology architectures.

Axis 6 — Data Governance and Interoperability: Presidential Decree No. 25-320 established a national data governance framework, but implementing it across the private sector requires statutory authority the decree alone does not provide. This axis of the omnibus supplies that authority — and creates obligations for data cataloguing and secure interoperability between systems.

Axis 7 — Electronic Transactions: Providing a unified legal basis for contracts, invoicing, and financial exchanges concluded digitally — eliminating sector-by-sector inconsistencies that currently force startups to obtain separate legal opinions for every transaction type.

Axis 8 — Digital Service Platforms: Regulatory obligations for marketplace operators, content platforms, and intermediary services are currently scattered across the 2024 audiovisual law, the 2024 press law, and e-commerce provisions. The omnibus is expected to introduce a coherent platform-liability and take-down framework.

Axis 9 — Fintech and Electronic Payments: Building on Bank of Algeria Instruction 06-2025 — which established the country’s first tiered digital-wallet rulebook and a 160M DZD minimum capital requirement for payment service providers — this axis extends the coherent payments architecture to the broader digital economy.

What Algerian Founders and CTOs Should Do Now

The omnibus has not yet passed parliament, but the smart move is preparation, not waiting. Companies that act in the 12–18 month window before enactment typically discover their compliance gaps when they still have time to fix them without operational disruption. Here is a structured preparation agenda:

1. Inventory Your Current Compliance Posture Against the 9 Axes

Start with a gap assessment across all nine domains. Most early-stage Algerian startups are operating with partial compliance on data protection (Law 18-07) and almost no formal position on axes 5 through 8. The July 2025 amendment to Law 18-07 already requires a DPO designation for companies processing sensitive data or conducting high-volume profiling — if you process health data, financial data, or biometrics, that obligation is live now, not pending. Assign an owner to map your current practices against each axis and produce a one-page risk register. The gap between your current state and the expected omnibus requirements is your compliance roadmap. Ignore any axis where your startup has zero exposure (a pure SaaS analytics tool may have minimal axis 9 obligations), but do not assume zero exposure without checking.

2. Designate a Compliance Lead or External Counsel Before the Parliamentary Clock Starts

Algerian startup culture tends to treat legal infrastructure as a post-Series A concern. The omnibus changes that calculus. Law 25-11 (July 2025) already mandates a DPO role for certain processing activities — failure to comply with an already-enacted law, not the pending omnibus, is an immediate liability. More importantly, once the omnibus passes the APN (National People’s Assembly), implementation decrees will follow quickly and companies will have a short transition window. Founders who already have a compliance function — even a part-time external counsel — will be able to respond in days; those starting from zero will lose weeks and potentially clients. The Algeria Venture ecosystem (2,000+ labeled startups) is developing toolkits, but tailored legal advice for your specific architecture is not fungible.

3. Monitor the Parliamentary Path and Plan Integration Timing

The bill was submitted to the SGG on January 23, 2025. The expected parliamentary process — referral to the APN’s science and technology committee, public hearings, plenary reading, Senate — typically takes 6 to 18 months for bills of this complexity. Track the progress on the APN website and via APS official announcements. Build a simple milestone calendar: draft law passed committee, passed first reading, Senate vote, presidential promulgation, implementing decrees published. Each milestone triggers a different compliance urgency for a different axis. Founders in cloud services face the most uncertainty (axis 5) and should start modeling two scenarios: a permissive multicloud regime and a strict data-residency model. Fintech founders have the most near-term clarity since axis 9 builds directly on the already-enacted Instruction 06-2025.

Where This Fits in Algeria’s 2026 Compliance Calendar

The omnibus digital bill does not arrive in isolation. It sits inside a dense 12-month regulatory calendar that Algeria’s startup ecosystem must navigate simultaneously. The ANPDP became fully operational in August 2023 and is now actively processing compliance notifications — companies that have not yet registered their processing activities with the authority are already in breach of Law 18-07. Law No. 25-11 (July 2025) tightened the data protection framework with GDPR-aligned mechanisms. The national digital strategy “Algérie Numérique 2030” is running 500+ public digital projects that will increasingly require certified private-sector providers. And Bank of Algeria Instruction 06-2025 created new licensing obligations for payment-adjacent startups.

The omnibus is therefore not a standalone shock — it is the statutory consolidation of a compliance direction Algeria has been moving in for three years. Founders who treat each individual law as a separate item on a to-do list will be perpetually reactive. Those who map the nine axes as a single architecture — data, identity, trust, security, cloud, transactions, platforms, payments, and governance — and build their product and legal infrastructure against that architecture will find the omnibus an accelerant rather than a burden. Algeria’s digital economy has 36.2 million internet users, 77% internet penetration, and a political mandate to generate a post-hydrocarbon private sector. The regulatory infrastructure being assembled is designed to support that mandate. Startups that align with it early earn the right to operate at scale.

Frequently Asked Questions

Sources & Further Reading

• Data Protection and Cybersecurity Laws in Algeria — CMS Expert Guide
• DPA Digital Digest: Algeria 2025 Edition — Digital Policy Alert
• Algeria Approves Draft Legislation on Digital ID and Trust Services — Biometric Update
• Algeria Updates Digital Services and Online Identity Law — Ecofin Agency
• Algeria’s Digital Economy — U.S. Commercial Guides (Trade.gov)
• Algeria’s New Digital Payment Law: 57% Unbanked at Stake — AlgeriaTech