⚡ Key Takeaways

Presidential Decree 25-320 (December 30, 2025) creates Algeria’s first national data governance framework — mandatory data classification, centralized catalogues, and a sovereign secure network for inter-agency exchange. Combined with Decree 26-07 (January 7, 2026), which mandates dedicated cybersecurity units in every public institution, these are the most sweeping data reforms in Algeria’s history. The HCN’s data governance committee began operations on February 19, 2026, and the DZair Digital Services portal entered field trials on March 1 with 13 services across 4 ministries.

Bottom Line: Public sector CIOs must start data audits and cybersecurity unit staffing immediately. Private sector IT firms should position as implementation partners — demand for data classification, interoperability integration, and cybersecurity consulting will surge through 2027.

Read Full Analysis ↓

Advertisement

🧭 Decision Radar

Relevance for Algeria
High
Foundational framework for all public sector data management
Action Timeline
Immediate
Data governance committee already operational since February 2026
Key Stakeholders
All government ministries, public agencies
Decision Type
Strategic
Defines the architecture for national digital transformation
Priority Level
Critical
Legal obligation with presidential decree authority

Quick Take: Every public institution in Algeria now has a legal obligation to classify its data, register it in the national catalogue, ensure interoperability compliance, and establish a dedicated cybersecurity unit. CIOs and IT directors should begin data audits immediately, budget for cybersecurity unit staffing in the next fiscal cycle, and engage with HCN guidance on classification standards. Private sector IT firms should position themselves as implementation partners for institutions that lack internal capacity.

From Fragmented Data to Sovereign Architecture

For decades, Algeria’s public administration operated without a unified approach to data management. Each ministry maintained its own systems, its own classification methods, and its own storage practices. Data flowed (or more often, did not flow) between institutions through ad-hoc channels, inconsistent formats, and manual processes. The result was what governance specialists call “data silos”: isolated pools of information that cannot be easily shared, cross-referenced, or secured.

Presidential Decree No. 25-320, published in Algeria’s Official Gazette on December 30, 2025, aims to dismantle this fragmented architecture and replace it with a unified national framework for data governance. The decree provides the state with structured tools to organize the management, exchange, and security of data between public institutions and organizations providing public services.

This is not an incremental update. It is a foundational layer for Algeria’s entire digital transformation strategy, directly supporting the 500-plus digital projects planned under the National Strategy for Digital Transformation (SNTN-2030) and the DZaïr Digital Services portal that entered field trials in March 2026.

What Decree 25-320 Establishes

The decree creates a comprehensive governance system built on four structural pillars.

1. National Data Classification Reference

Every piece of data handled by public institutions must now be classified according to a national classification reference. This is the foundational element of the framework. Data classification determines how information is stored, who can access it, how it can be shared, and what security measures apply to it.

The classification system categorizes data based on sensitivity levels: publicly available data, internally restricted data, confidential data, and data critical to national security. Each level carries specific handling requirements, access controls, and transmission protocols.

This addresses a long-standing gap. Without standardized classification, individual ministries made their own determinations about what constituted sensitive data, leading to inconsistent protection levels across government. A dataset classified as routine in one ministry might contain fields that another ministry considers confidential.

2. National Database of Data Sources

The decree mandates the creation of a centralized national catalogue of data sources. This is effectively a registry of what data exists, where it resides, who owns it, and how it can be accessed. Think of it as a national data inventory.

For an administration that has never systematically catalogued its data assets, this is a massive undertaking. Every ministry, every public agency, every state-owned enterprise must audit its information holdings and register them in the national catalogue. The catalogue enables data discoverability: when a ministry needs information that another institution holds, it can locate it through the catalogue rather than through informal channels.

3. Secure Interoperability Framework

The third pillar establishes rules and infrastructure for data exchange between public institutions. The decree creates a national internal exploitation system dedicated to secure data exchange through an independent national secure network that is separate from the public internet.

This is a critical design choice. Rather than routing government data exchange through the public internet with encryption (the approach most countries take), Algeria’s framework envisions a physically or logically separate network for inter-agency data transmission. This provides an additional layer of security but also requires significant infrastructure investment.

The interoperability framework also establishes standardized data formats and exchange protocols, ensuring that data produced by one institution can be consumed by another without manual conversion or reformatting.

4. Governance Authority

Supervision of the entire system is entrusted to the High Commission for Digitalization (Haut Commissariat à la Numérisation, or HCN), which coordinates with existing authorities responsible for information systems security and personal data protection. The HCN, led by High Commissioner Meriem Benmouloud with ministerial rank, oversees 37 interministerial projects and is the executive body driving Algeria’s digital transformation agenda.

On February 19, 2026, the national data governance committee officially began its work under the HCN, tasked with harmonizing operational mechanisms of the national data governance system and finalizing deployment of APIs that enable different government systems to communicate without human intervention.

Decree 26-07: The Cybersecurity Enforcement Layer

Decree 25-320 does not exist in isolation. Eight days later, on January 7, 2026, Presidential Decree No. 26-07 was signed and published in the Official Gazette on January 21, 2026. This decree mandates that every public institution create a dedicated cybersecurity unit.

Mandatory Cybersecurity Units

Under Decree 26-07, every public institution, including ministries, agencies, and public enterprises, must establish a dedicated cybersecurity unit that operates separately from the technical information systems management function. The unit reports directly to the head of the institution, not to the IT department.

This organizational separation is deliberate. In many institutions, cybersecurity was historically a subset of IT operations, leading to conflicts of interest where the same team responsible for keeping systems running was also responsible for flagging security deficiencies in those systems. By separating the functions and elevating the cybersecurity unit to report directly to institutional leadership, the decree ensures that security concerns receive executive-level attention.

Unit Responsibilities

Each cybersecurity unit is responsible for:

  • Designing institutional cybersecurity policy aligned with the national framework
  • Risk identification and mapping through dedicated threat assessments
  • Deploying remediation plans for identified vulnerabilities
  • Continuous monitoring of information systems for threats and incidents
  • Coordinating with ASSI (Agence de Securite des Systemes d’Information) on significant incidents and reporting immediately to relevant authorities
  • Ensuring compliance with personal data protection legislation in coordination with the ANPDP

Context: 70 Million Cyberattacks

The urgency behind Decree 26-07 is quantifiable. According to Kaspersky data, Algeria recorded over 70 million cyberattacks in 2024, ranking 17th globally among most-targeted nations. Security tools also blocked more than 13 million phishing attempts and nearly 750,000 malicious email attachments during the same period. For a country where most public institutions lacked formal cybersecurity policies, let alone dedicated security units, this exposure represented an unacceptable risk.

The decree was issued as an operational implementation of the National Cybersecurity Strategy 2025-2029, formally adopted through Presidential Decree No. 25-321 on December 30, 2025, the same date as the data governance decree.

The Broader Regulatory Architecture

Decrees 25-320 and 26-07 are not standalone instruments. They are part of a comprehensive regulatory architecture that Algeria has been building since 2018:

Law 18-07: Personal Data Protection (2018, effective 2023)

Algeria’s foundational data protection law, Law No. 18-07, enacted on June 10, 2018 and effective since August 2023, establishes the legal framework for personal data processing. It created the National Authority for the Protection of Personal Data (ANPDP), whose members were appointed by Presidential Decree No. 22-187 in May 2022. The law requires prior authorization for data processing activities and imposes penalties for non-compliance ranging from 20,000 DZD to 1,000,000 DZD in fines and up to five years imprisonment.

In July 2025, Law No. 25-11 supplemented Law 18-07 by introducing mandatory Data Protection Officer appointments and Data Protection Impact Assessment requirements, strengthening the compliance framework ahead of the data governance decree.

Draft Digital Identity Law (November 2025)

The Algerian government approved a draft law on digital identity and trust services on November 2, 2025, establishing a legal framework for secure digital transactions. The law creates a national digital identification system linked to the biometric identity card and grants electronic documents, signatures, seals, and timestamps the same legal validity as their physical counterparts. It updates Algeria’s 2015 electronic signatures legislation.

National Cybersecurity Strategy 2025-2029 (Decree 25-321)

The strategy, prepared by the Information Systems Security Agency (ASSI) under the Ministry of National Defense, establishes five strategic pillars for cybersecurity governance, including governance strengthening, critical infrastructure protection, capacity building, international cooperation, and legal framework development. The strategy mandates security audits for critical infrastructure and sector-specific cybersecurity regulations for banking, healthcare, and energy.

DZaïr Digital Services Portal (March 2026)

The HCN began field trials on March 1, 2026 for its national digital services portal, testing 13 public services from four ministries across five pilot sites in the Algiers and Tipaza regions. The services span civil records, property documentation, social benefits, and construction permits. The ambition is to bring 200 services online by end of 2026, with near-total digital coverage by 2028.

Together, these instruments create a layered regulatory stack: data protection law at the base, data governance framework for government operations, cybersecurity enforcement for institutional security, digital identity for citizen authentication, and digital services delivery at the citizen-facing layer.

Compliance Obligations for Public Institutions

Decree 25-320 creates concrete compliance obligations for every government ministry and public institution. Here is what each entity must do:

Data Audit and Classification

Every institution must audit its existing data holdings and classify them according to the national reference. This means identifying every database, every spreadsheet, every document repository, and every data feed, then categorizing each according to sensitivity level. For large ministries with decades of accumulated data across multiple legacy systems, this is a multi-month effort.

Catalogue Registration

All data assets must be registered in the national catalogue. This requires metadata documentation: what the data contains, its format, its update frequency, its ownership, its access controls, and its interconnections with other datasets.

Interoperability Compliance

Data systems must be adapted to support standardized exchange formats and protocols. Legacy systems that cannot interface with the national secure network will need middleware, API layers, or replacement.

Security Implementation

Under Decree 26-07, each institution must establish and staff a cybersecurity unit, develop an institutional cybersecurity policy, conduct threat mapping, and establish incident response procedures coordinated with ASSI.

Advertisement

The Private Sector Dimension

While Decree 25-320 directly targets public institutions, its effects will ripple into the private sector through multiple channels.

Government Contractors and IT Service Providers

Any private company that provides IT services to public institutions, manages government data, or operates systems that interface with public administration networks will need to align with the new governance framework. This includes cloud service providers, managed IT services companies, systems integrators, and software vendors.

The interoperability requirements, in particular, will force private sector partners to adapt their solutions to standardized data formats and exchange protocols. Companies currently providing bespoke, proprietary solutions to individual ministries may need to re-architect their offerings for compatibility with the national framework.

Data Center and Cloud Opportunities

The decree’s emphasis on secure, sovereign infrastructure creates commercial opportunities for Algerian data center operators. The requirement for a separate national secure network for government data exchange implies demand for local hosting, networking equipment, and security services that cannot be outsourced abroad.

Algeria’s two national data centers under construction, at Mohammadia and Blida, will provide the foundational infrastructure. Companies positioned to expand local hosting capacity, particularly with government-grade security certifications, stand to benefit from the compliance-driven demand that Decree 25-320 will generate.

Consulting and Training Market

The compliance requirements create demand for specialized consulting services: data classification experts, cybersecurity auditors, interoperability architects, and governance framework designers. Given the scarcity of these skills within public institutions, the consulting market for data governance implementation could be significant.

The HCN’s goal of training 500,000 ICT specialists by 2030 as part of the SNTN-2030 strategy signals the scale of the human capital challenge. The strategy also aims to reduce tech talent emigration by 40 percent. Private training providers, universities, and professional certification bodies all have roles to play in building the workforce that the data governance framework requires.

The DZaïr Digital Services Connection

The practical urgency of Decree 25-320 becomes clear when viewed alongside the DZaïr Digital Services portal initiative. The HCN began field trials on March 1, 2026, testing 13 public services from four ministries across five pilot sites in the Algiers and Tipaza regions, with a national launch scheduled for March 31, 2026.

The portal’s ambition is to bring 200 government services online by end of 2026, with near-total digital coverage by 2028. But online government services require interoperable data. A citizen applying for a building permit online needs the system to pull data from the land registry, the tax authority, and the local planning commission, all in real-time, through secure channels.

Without the data governance framework that Decree 25-320 establishes, the DZaïr portal would be a front-end layer sitting atop disconnected back-end systems. Citizens would submit digital requests that still require manual, offline data reconciliation between ministries. The decree provides the plumbing that makes genuine end-to-end digital services possible.

This explains the timing. Decree 25-320 was signed on December 30, 2025. The data governance committee began work on February 19, 2026. The DZaïr portal entered field trials on March 1, 2026. These are not coincidental dates but coordinated stages of a single digital transformation program.

Lessons From Regional Data Governance Efforts

Algeria can learn from both successes and failures in regional data governance initiatives.

Saudi Arabia’s NDMO (National Data Management Office), established in 2020 under the Saudi Data and Artificial Intelligence Authority (SDAIA), provides the most comprehensive regional precedent. NDMO published National Data Governance Interim Regulations covering data classification, personal data protection, data sharing between public entities, and open data. The framework includes 77 controls and 191 compliance specifications. The key lesson from Saudi Arabia’s experience is that executive-level sponsorship (NDMO operates under royal decree authority over all government entities) is essential for overcoming institutional resistance.

Egypt’s Personal Data Protection Law (Law 151/2020) established a comprehensive data protection framework, but implementation has been slow. Executive regulations were only issued in November 2025, five years after the law was passed, and the Personal Data Protection Center (PDPC) became operational around the same time, with full enforcement beginning in November 2026. Algeria’s advantage is the simultaneous launch of governance framework, cybersecurity enforcement, and digital services, reducing the gap between legislation and implementation.

Tunisia’s experience highlights the implementation gap. Tunisia published its National Digital Strategy 2021-2025 but has struggled with implementation due to political instability, insufficient funding, and lack of dedicated budget allocation. Algeria’s advantage is institutional stability and the HCN’s dedicated mandate with its own operational budget, but the risk of implementation delay is ever-present when regulatory ambition meets bureaucratic reality.

Implementation Challenges

Human Capital

Algeria faces a significant shortage of qualified cybersecurity professionals. Creating hundreds of institutional cybersecurity units simultaneously requires either hiring from an already-thin market, retraining existing IT staff, or engaging external consultants. The HCN’s target of training 500,000 ICT specialists by 2030 addresses this gap in the long term, but immediate needs will strain available talent.

Budget

Establishing cybersecurity units requires dedicated budget for personnel, tooling (SIEM platforms, endpoint detection and response, vulnerability scanners), training, and audit costs. Ministries that have not historically budgeted for cybersecurity must now integrate these costs into annual planning. Data governance compliance adds further costs for data auditing, system adaptation, and catalogue registration.

Legacy Systems

Many government institutions operate on legacy information systems that predate modern data standards. The national interoperability framework assumes that systems can exchange data in standardized formats through secure networks. For institutions running decades-old databases, mainframe systems, or even paper-based records, achieving interoperability requires significant modernization investment.

Institutional Resistance

Standardizing data governance across government inherently challenges institutional autonomy. Ministries that have controlled their own data practices for decades may resist external classification requirements, mandatory data sharing through the catalogue, and external cybersecurity oversight. The decree’s top-down authority (presidential decree, HCN supervision) provides legal leverage, but cultural change within institutions takes time. The HCN’s own assessment acknowledges the lessons from the earlier “e-Algerie 2013” program, where only half the objectives were achieved due to lack of centralized coordination.

Regional Comparison

Algeria’s approach to data governance regulation positions it among the more advanced frameworks in the MENA and African regions:

Country Data Governance Framework Data Protection Authority Cybersecurity Units Mandated
Algeria Decree 25-320 (2025) ANPDP (Law 18-07) Yes (Decree 26-07)
Tunisia National Digital Strategy (2021) INPDP (2004) Partial
Egypt PDPL (Law 151/2020) PDPC (2020/2025) For critical infrastructure
Saudi Arabia NDMO Framework (2020) SDAIA Yes (NCA requirements)
UAE Cybersecurity Strategy (2019) Various Yes

Algeria’s framework is notable for combining data governance and cybersecurity enforcement in a coordinated regulatory push, signed within eight days of each other and designed to work together. The Saudi model under the National Data Management Office (NDMO) is the closest analog, though it benefits from significantly greater resources.

What Comes Next

The data governance committee that began work in February 2026 now faces the operational challenge of translating decree requirements into implemented systems. The immediate priorities include:

  1. Finalizing the classification reference: Defining exactly which data categories exist, what security levels apply, and how they map to specific handling requirements.
  1. Building the national catalogue infrastructure: The technical platform for registering and discovering data sources across government.
  1. Establishing interoperability standards: Defining data formats, exchange protocols, and API specifications that all institutions must adopt.
  1. Piloting with early adopters: Working with the four ministries already participating in the DZaïr Digital Services portal trials to demonstrate data governance compliance in practice.
  1. Capacity building: Training data governance officers, cybersecurity unit staff, and institutional leadership on the new requirements.

The decree establishes the legal foundation. Building the institutional, technical, and human capacity to fulfill its promise is the work of the next several years. For Algeria, a country that has set itself the ambition of reaching the forefront of global digital rankings and boosting the digital sector’s contribution to 20 percent of GDP, getting data governance right is not optional. It is the prerequisite for everything else.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn
Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Advertisement

Frequently Asked Questions

What are the four structural pillars of Decree 25-320, and when did the HCN data governance committee begin operations?

Decree 25-320 establishes: (1) a national data classification reference requiring every piece of public institution data to be categorized by sensitivity level — publicly available, internally restricted, confidential, or national security critical; (2) a centralized national database of data sources serving as a registry of what data exists, where it resides, and who owns it; (3) a secure interoperability framework with a sovereign network separate from the public internet for inter-agency data exchange; and (4) governance authority vested in the High Commission for Digitalization (HCN) led by Meriem Benmouloud. The HCN’s data governance committee officially began operations on February 19, 2026.

How does Decree 26-07 mandate cybersecurity units in every public institution, and why must they report separately from IT departments?

Presidential Decree 26-07, signed January 7, 2026 and published in the Official Gazette on January 21, requires every public institution — including ministries, agencies, and public enterprises — to establish a dedicated cybersecurity unit that operates separately from the technical IT management function and reports directly to the head of the institution. This organizational separation addresses the historic conflict of interest where the same team responsible for keeping systems running was also responsible for flagging security deficiencies. Each unit must design institutional cybersecurity policy, conduct regular security audits, manage incident response, and coordinate with the national CERT.

What is the DZair Digital Services portal, and how does it connect to the 500+ digital projects under Algeria’s SNTN-2030 strategy?

The DZair Digital Services portal entered field trials on March 1, 2026 with 13 services across 4 ministries, serving as a unified citizen-facing interface for government services. It is built on top of the data governance infrastructure that Decree 25-320 mandates — standardized data classification, interoperability between agencies, and a sovereign secure network. This portal is a direct implementation of Algeria’s National Strategy for Digital Transformation (SNTN-2030), which plans over 500 digital projects. Without the governance framework’s centralized data catalogue and standardized exchange protocols, cross-ministry digital services like those on the DZair portal would remain technically impossible.

Sources & Further Reading