Presidential Decree 26-07: Algeria Mandates Dedicated Cybersecurity Units Across Every Public Institution

Why This Decree Matters Now

Algeria’s digital transformation is accelerating. The government has launched over 500 digital projects for 2025-2026, with 75 percent focused on modernizing public services. E-government portals, digital payment systems, and cloud-hosted databases are expanding the public sector’s attack surface faster than defenses can keep up.

The threat landscape has responded accordingly. In 2024, Algeria recorded more than 70 million cyberattacks, according to Kaspersky data, placing the country 17th globally among the most targeted nations. Algerian systems also intercepted more than 13 million phishing attempts and nearly 750,000 malicious email attachments during the same period.

Until now, cybersecurity in most Algerian public institutions was an afterthought — handled informally by whichever IT staffer happened to be available, buried within general informatics departments, and rarely elevated to leadership attention. Presidential Decree 26-07 changes that dynamic entirely.

The decree arrives at a moment when Algeria’s public sector is simultaneously more digitized and more exposed than ever before. Government ministries are migrating to cloud-hosted platforms, tax authorities are processing electronic declarations, and public hospitals are deploying electronic health records. Every one of these initiatives expands the attack surface — and until now, there was no regulatory requirement ensuring that someone, anyone, was watching the perimeter.

What Presidential Decree 26-07 Requires

Signed on January 7, 2026, and published in the Official Gazette on January 21, 2026, Decree 26-07 defines the organization and operation of cybersecurity structures within all public institutions, administrations, and agencies. Here are its core mandates:

Risk Mapping and Policy Design. The unit is responsible for designing and overseeing implementation of the institution’s cybersecurity policy, starting with a thorough identification of risks through dedicated mapping. This means every public institution must catalog its information assets, identify vulnerabilities, assess threats, and produce a formal risk register — many for the first time.

Remediation Planning. Once risks are mapped, the unit must deploy remediation plans that prioritize the most critical vulnerabilities. This includes patching schedules, access control reviews, network segmentation initiatives, and data encryption requirements.

Continuous Monitoring. The decree mandates continuous monitoring of the institution’s information systems for threats and incidents. For many public bodies, this is an entirely new capability that requires investment in security information and event management (SIEM) tools, intrusion detection systems, and 24/7 operational capacity.

Mandatory Coordination with ASSI. Each unit must maintain active coordination with the Information Systems Security Agency (ASSI), Algeria’s national cybersecurity authority under the Ministry of National Defense. Significant incidents must be reported immediately. This creates a centralized threat intelligence pipeline that did not previously exist at this scale.

The National Cybersecurity Strategy Behind the Decree

Decree 26-07 does not exist in isolation. It is the operational arm of a broader strategic framework.

On December 30, 2025, Presidential Decree No. 25-321 formally adopted the National Cybersecurity Strategy for 2025-2029. This strategy was publicly unveiled by ASSI on March 3, 2026 at a presentation in Algiers, marking a milestone in Algeria’s cybersecurity governance.

The strategy pursues three main objectives: protecting critical infrastructure, securing sensitive state data, and ensuring the continuity of public services amid rapid digital transformation. These objectives are operationalized across several pillars:

1. Security audits for critical infrastructure — banking, energy, telecoms, water, and transport systems must undergo mandatory cybersecurity assessments.
2. Capacity building — aligned with 285,000 new vocational training places, including dedicated cybersecurity certification programs.
3. Sector-specific cybersecurity regulations — bespoke rules for banking, healthcare, and energy, administered through sectoral regulators (Bank of Algeria for banking, ARPCE for telecom).
4. International cooperation — strengthening Algeria’s participation in global threat intelligence sharing networks.
5. Awareness and prevention — improving cybersecurity awareness among public institutions and citizens, including SMS notifications sent to citizens through mobile operators to inform them about the strategy.

ASSI, in collaboration with the High Commission for Digitization, has also launched complementary initiatives including a National Data Center, National Cloud, National Reference for Data Governance, and Sovereign Network Infrastructure.

The Talent Challenge: Where Will the Staff Come From?

The decree’s ambition collides with a stark reality: Algeria does not have nearly enough cybersecurity professionals to fill these mandated positions.

Globally, the cybersecurity workforce gap stands at an estimated 4.8 million unfilled positions according to ISC2’s 2024 Cybersecurity Workforce Study, and the shortage is particularly acute in Africa, which has only approximately 20,000 certified cybersecurity professionals continent-wide according to the World Economic Forum.

Skills Centers. The Ministry of Post and Telecommunications inaugurated the first Skills Center in Setif on February 20, 2025, offering free short-term training in cybersecurity, AI, cloud computing, and IoT. Additional centers have since opened in Annaba, Chlef, and Oran, with plans to extend the network nationwide.

Vocational Training Expansion. The government has earmarked 285,000 new vocational training places starting February 2026, with cybersecurity certification programs among the priority tracks.

Huawei Partnership. Under a memorandum signed between the Ministry of Vocational Training and Huawei Algeria, vocational trainees at three institutes — the National Specialized Institute for ICT in Rahmania, the INSFP in Bousmail, and the African Institute for Vocational Training in Boumerdes — receive instruction in cloud computing, cybersecurity, and AI, culminating in a diploma jointly issued by the Ministry and Huawei. Some 8,000 Algerian students have already benefited from previous Algeria-Huawei training cooperation.

University Programs. Several Algerian universities have launched or expanded master’s programs in information security, though output remains modest compared to demand. The Higher National School of Computer Science (ESI) in Algiers and the University of Science and Technology Houari Boumediene (USTHB) offer cybersecurity concentrations, but annual graduate numbers remain in the low hundreds — a fraction of what the decree demands.

OWASP Algiers Chapter. The OWASP Algiers chapter provides a community-driven platform for cybersecurity knowledge sharing, with regular meetups and training sessions that supplement formal education. The chapter has participated in official cybersecurity communication events organized by the Ministry of National Defense. These grassroots initiatives are valuable but cannot scale to meet institutional demand alone.

1. Retrain existing IT staff — feasible but limited by the fact that cybersecurity requires specialized skills beyond general systems administration.
2. Hire from the private sector — but the domestic cybersecurity talent pool is small, and private firms will compete for the same professionals.
3. Engage external consultants — practical for risk mapping and initial assessments, but the decree requires permanent, dedicated units, not project-based engagements.

The ASSI Coordination Model: How It Works in Practice

The decree’s requirement for mandatory coordination with ASSI deserves special attention, because it transforms Algeria’s cybersecurity posture from fragmented to centralized.

Before Decree 26-07, each institution handled security incidents independently — or, more commonly, did not handle them at all. There was no obligation to report breaches, no standardized incident classification system, and no mechanism for one institution to warn others about active threats.

Under the new framework, ASSI serves as the central coordination hub. Each institutional cybersecurity unit must:

• Report significant incidents immediately to ASSI, using standardized reporting templates (to be defined in forthcoming guidelines).
• Participate in coordinated threat intelligence sharing, receiving ASSI advisories about active threats targeting Algerian institutions.
• Submit to ASSI-directed audits and assessments when requested.
• Implement ASSI-issued directives for emergency response during national-level cyber incidents.

This model mirrors the approach taken by mature cybersecurity nations. Singapore’s Cyber Security Agency operates a similar hub-and-spoke model with its Critical Information Infrastructure operators. Saudi Arabia’s NCA maintains direct coordination channels with government entities through its Essential Cybersecurity Controls framework.

The success of this model depends on ASSI’s capacity to process incoming reports, produce actionable intelligence, and distribute warnings in real time. If ASSI becomes a reporting black hole — where institutions file reports that are never acted upon — the coordination mandate will lose credibility and compliance will erode.

Implementation Roadmap: What Institutions Should Do Now

For public sector leaders reading this decree and wondering where to start, here is a practical implementation sequence:

What Comes Next

Decree 26-07 is a foundation, not a finish line. Several developments are expected in the coming months:

• ASSI implementation guidelines detailing minimum staffing levels, required certifications, reporting templates, and audit standards.
• Sector-specific regulations for banking, healthcare, and energy, as mandated by the 2025-2029 strategy.
• A compliance monitoring mechanism to assess institutional progress and identify laggards.
• Expanded training infrastructure with additional Skills Centers and international certification partnerships.
• A dedicated cybersecurity law currently in preparation, which will introduce mandatory requirements for institutions to implement necessary cybersecurity measures.

The decree’s success will ultimately be measured not by how many units are created, but by how many cyberattacks are detected, contained, and reported before they cause damage. Algeria has drawn the regulatory blueprint. The question now is execution.

Frequently Asked Questions