Algeria’s Public Procurement Decree 2026-2028: New SaaS and Tender Opportunities to Watch

A New Procurement Window Opens for the Algerian Tech Sector

Two policy moves in early 2026 reshape what public-sector technology buying looks like in Algeria. The first is the March 18 government meeting reviewing the implementing decree for Law 23-12, reported by Financial Afrik, which pairs procurement modernization with sectoral roadmaps for 2026-2028. The second is Presidential Decree 26-07 of January 7, 2026, published in the Official Gazette on January 21, which mandates that every public institution create a dedicated cybersecurity unit reporting directly to the head of the organization. Read together, the two texts hand Algerian SaaS founders, cloud providers, and system integrators a sustained multi-year demand signal — and a clearer playbook to bid on it.

The macro context matters. Algeria has roughly 33.49 million internet users (72.9% penetration), according to the U.S. International Trade Administration’s 2024 digital economy guide, and state-owned entities remain the largest IT buyers in the country. The same guide flags cybersecurity services, data centers and cloud solutions, IT equipment, and fiber infrastructure as the top priority sectors for vendors. The implementing decree under review is the instrument that will move that demand from policy intent into concrete tenders published on BOMOP and BAOSEM, the two official tender bulletins.

What the March 2026 Decree Changes

The draft executive decree reviewed on March 18 implements Law 23-12 of August 5, 2023, which established Algeria’s modern public procurement legal framework. Until the implementing decree is published in the Official Gazette, contracting authorities — ministries, wilayas, state-owned enterprises, public agencies — apply transitional rules from Law 23-12 alongside residual provisions of the prior 2015 framework. Once the implementing decree drops, eligibility documents, technical evaluation grids, and electronic submission channels all migrate to the new framework. The whole vendor compliance stack moves with it.

Two structural shifts matter most for SaaS, cloud, and integrator startups. First, the legal framework continues Algeria’s push toward electronic procurement platforms as a transparency and anti-corruption tool, which lowers a real barrier — historically, smaller Algerian vendors lost tenders simply because they could not navigate paper-heavy submission cycles centered on Algiers. A digitized BOMOP workflow, paired with the implementing decree’s procedural clarity, makes participation more accessible to founders outside the capital. Second, the pairing with sectoral roadmaps for 2026-2028 is a signal: each ministry will publish its own multi-year project portfolio. For a SaaS founder, this is the first time public-sector demand will be visible 24 months in advance rather than discovered tender-by-tender.

The decree does not replace Law 23-12; it instruments it. That distinction matters because the legal architecture — qualification rules, allotment principles, ARMP (Autorité de Régulation des Marchés Publics) oversight — was already set in 2023. What changes in 2026 is the operational layer: who can bid, what documents qualify, how technical scoring works, and how vendor performance gets tracked.

The Cybersecurity Angle: Decree 26-07

Presidential Decree 26-07 is the single largest cybersecurity procurement signal Algeria has produced. The decree requires every public institution to stand up a cybersecurity unit that is separate from IT management and reports directly to the head of the organization. Each unit must design threat maps, deploy remediation plans, run continuous monitoring, and coordinate with ASSI (Agence de la Sécurité des Systèmes d’Information) on incident response. The institutions affected number in the hundreds — every ministry, every wilaya, every major public enterprise.

The procurement implications are concrete. Public institutions must conduct security assessments of ICT suppliers and embed cybersecurity clauses aligned with national standards in their vendor contracts. They must acquire core categories of tooling: SIEM (Security Information and Event Management), IAM (Identity and Access Management), EDR (Endpoint Detection and Response), and network security appliances. ASSI maintains approval authority for products deployed in high-risk applications. For Algerian SaaS vendors building security tooling, MSSPs (managed security service providers), and integrators with cybersecurity practices, this is a multi-year recurring-revenue pipeline rather than a single capex cycle.

Decree 26-07 also creates demand for adjacent services — risk assessment, security architecture design, ongoing managed monitoring, and staff training — that local integrators can deliver more competitively than imported solutions. Because public institutions can not hire enough certified security professionals internally to staff these new units fast enough, the externalized-services share of the cybersecurity budget will run high. That is where Algerian SaaS founders with vertical security products and Algerian system integrators with ASSI-compliant service catalogs find their edge.

What Algerian SaaS Founders and Integrators Should Do

1. Qualify Now — Build the Vendor Eligibility Package Before the Decree Drops

Public procurement in Algeria runs on documentation. The implementing decree, once published, will tighten what counts as a qualified vendor — tax certificates from the Direction Générale des Impôts, social security clearances from CNAS and CASNOS, professional registration (registre de commerce with the right activity codes), financial statements from the past three fiscal years, bank capacity letters, and ARMP supplier registration. SaaS founders who treat this as a Q4 sprint will miss the early tenders from the 2026-2028 roadmaps. The right move is to assemble the full eligibility dossier now, in the second half of 2026, while contracting authorities are still drafting their first wave of project specifications. Two specific actions: register on the BOMOP electronic submission portal under the activity codes that match your service (cloud hosting, software publishing, cybersecurity audit, system integration), and request a bank certificate confirming your capacity to issue performance and bid bonds. Most lost public tenders in Algeria fail at the administrative compliance stage, not the technical one.

2. Target the Right Tender Categories — Read the 2026-2028 Sectoral Roadmaps

Algeria’s sectoral roadmaps will surface concrete project pipelines per ministry. For SaaS and cloud vendors, the highest-value tender categories will cluster in four lanes: e-government platforms (Dzair Digital Services portal extensions, citizen-facing digital identity, online tax filing), cybersecurity tooling and managed services driven by Decree 26-07, infrastructure modernization (data centers, cloud migration, network upgrades), and sector-specific SaaS for health, education, finance, and customs. The U.S. Trade administration’s 2024 digital economy guide explicitly lists cybersecurity services, data centers and cloud solutions, and IT equipment as the highest-priority opportunity sectors. The discipline founders need: stop scanning BOMOP daily for keywords; build a roadmap-driven funnel. Identify the three to five ministries whose 2026-2028 sectoral roadmaps align with your product, then track their tender publication calendar quarterly. Founders who chase every IT tender burn cash on bid preparation. Founders who track three ministries deeply and pre-position with their procurement teams win the contracts that matter.

3. Build the Compliance and Documentation Stack — Security Clauses Are Not Optional

Decree 26-07 changes the contract template itself. Every ICT vendor contract with a public institution must now include cybersecurity clauses aligned with national standards, and the contracting authority must run a security assessment of the supplier before award. This means SaaS founders need a documented security posture before they bid — not after they win. Concretely: write and publish an ISMS (Information Security Management System) policy, run an internal vulnerability assessment that you can share under NDA, prepare ASSI-aligned data-protection documentation (especially for any solution that processes personal or sensitive public-sector data), and document where your infrastructure is hosted. For Algerian SaaS hosted abroad, prepare the data-localization conversation early — public institutions are increasingly required to keep certain data categories in-country. Integrators who package this compliance documentation as part of their bid response — rather than treating it as a post-award scramble — score higher on technical evaluation grids and shorten the contract negotiation cycle.

The 2026-2028 Horizon: Algeria’s Tech Sector Window

The simultaneity of these two policy moves — the March 2026 implementing decree paired with sectoral roadmaps, and Decree 26-07’s nationwide cybersecurity unit mandate — points to something larger than a single tender wave. It points to a structural shift in how Algerian public institutions buy technology. For the last decade, public-sector IT procurement was dominated by a small set of established integrators, large foreign vendors, and one-off project tenders that were hard to anticipate. The 2026-2028 window changes both inputs: the procedural layer becomes more transparent and digital, and the demand layer becomes more visible through sectoral roadmaps.

For Algerian SaaS founders and cloud providers, the practical horizon is this. The first wave of implementing-decree-compliant tenders will likely arrive in Q4 2026 or Q1 2027, depending on Official Gazette publication timing. The cybersecurity unit procurement wave from Decree 26-07 is already in motion — institutions are scoping their needs now, with their first formal tenders expected through 2026. Founders who position in the second half of 2026 — eligibility dossiers complete, sectoral focus picked, security documentation packaged — capture the first cycle. Founders who wait for the implementing decree to be fully implemented before preparing will catch the second cycle in 2027-2028, by which point reference customers and pre-existing relationships will already structure the market.

This is the window. The Algerian tech sector has spent years building products for B2B and consumer markets where unit economics were brutal. The public sector, instrumented by Law 23-12, the March 2026 implementing decree, and Decree 26-07, offers something different: long contract cycles, recurring revenue, reference customers that compound. The founders who treat it as their primary go-to-market channel for 2026-2028 — not an afterthought — will define the next generation of Algerian SaaS leaders.

Frequently Asked Questions

Sources & Further Reading

• Algeria prepares a decree to modernize public procurement — Financial Afrik
• Government reviews draft executive decree on public procurement, sectoral roadmaps — APS
• Algeria orders cybersecurity units in public sector amid surge in cyberattacks — Ecofin Agency
• Algeria — Selling to the Public Sector — U.S. International Trade Administration
• Algeria — Digital Economy — U.S. International Trade Administration
• Commission advances cloud sovereignty through strategic procurement — European Commission
• Algeria Projects — Tenders Info