Algeria’s National Cybersecurity Strategy 2025–2029: A Deep-Dive Analysis

Introduction

On December 30, 2025, President Tebboune signed Presidential Decree No. 25-321, formally approving Algeria’s National Cybersecurity Strategy for 2025–2029. One week later, on January 7, 2026, Presidential Decree No. 26-07 established the operational framework for cybersecurity within public institutions, mandating the creation of dedicated cybersecurity units across the government. The decree was published in the Official Gazette on January 21, 2026.

Together, these two decrees represent the most significant cybersecurity policy development in Algeria’s history — a comprehensive regulatory architecture that will shape how the country defends its digital infrastructure, how businesses must configure their security posture, and how the cybersecurity profession develops over the next five years.

This article provides a detailed analysis of what the strategy contains, what the institutional framework looks like, and what the practical implications are for government agencies, private sector companies, and cybersecurity professionals.

---

The Strategic Context: Why a National Strategy, Why Now?

The timing of Algeria’s National Cybersecurity Strategy reflects both internal and external pressures.

Internal: scale of the threat
Algeria recorded over 70 million cyberattacks in 2024, according to Kaspersky data that ranked the country 17th globally among the most targeted nations. Security solutions blocked over 13 million phishing attempts and neutralized nearly 750,000 malicious email attachments during the same period. These figures reflect the growing attack surface created by rapid digitalization across government services, banking, and telecommunications.

Internal: digitalization acceleration
The government’s National Digital Transformation Strategy (SNTN), unveiled in May 2025 by High Commissioner for Digitalization Meriem Benmouloud, set ambitious targets under the “Algeria Digital 2030” banner — including full digitization of public services, development of five or more national data centers, and training 500,000 active ICT experts by 2030. Each of these initiatives expands the digital attack surface. A national cybersecurity strategy is the security layer that makes digitalization sustainable rather than reckless.

External: regional and global threat landscape
State-sponsored cyberattacks targeting national infrastructure, ransomware attacks against critical sectors, and supply chain compromises are a growing feature of the global threat landscape. Algeria’s energy infrastructure — Sonatrach’s extensive oil and gas operations — is a particularly high-value target. A national cybersecurity strategy provides the framework for defending these assets.

Regulatory alignment: FATF compliance
Algeria remains on the FATF grey list (jurisdictions under increased monitoring) as of February 2026, though the February 2026 FATF plenary noted that Algeria has substantially completed its action plan and warrants an on-site assessment to verify sustained implementation. Financial sector cybersecurity is intertwined with AML/CTF compliance — robust cybersecurity controls prevent unauthorized access and fraudulent transactions that generate anti-money-laundering concerns. The cybersecurity strategy reinforces the broader financial integrity framework.

---

Presidential Decree 25-321: The Strategy’s Core Elements

Presidential Decree No. 25-321, signed December 30, 2025, approves the National Cybersecurity Strategy for 2025–2029, aimed at strengthening the protection of public administrations and state digital infrastructures. The strategy encompasses five strategic pillars:

Pillar 1: Governance and Institutional Strengthening
The strategy reinforces the institutional architecture for national cybersecurity coordination, building on the framework established by Presidential Decree No. 20-05 of January 20, 2020 (subsequently amended by Decree No. 25-298 of November 10, 2025):

• CNSSI (Conseil National de la Sécurité des Systèmes d’Information / National Information Systems Security Council) continues its role as the strategic coordination body at the national level, operating within the Ministry of National Defense — setting policy, coordinating between ministries, and representing Algeria in international cybersecurity forums
• ASSI (Agence de Sécurité des Systèmes d’Information / Information Systems Security Agency, also referred to as ANSSI in some legal texts) serves as the technical and operational execution arm — incident response coordination, vulnerability disclosure, certification of cybersecurity products, and technical guidance to sectors
• DZ-CERT (Algerian Computer Emergency Response Team), hosted by CERIST, continues coordinating incident response for national cyber incidents with expanded capacity and faster response protocols

Pillar 2: Critical Infrastructure Protection
The strategy designates specific categories of critical information infrastructure (CII) — including energy, telecommunications, water, transportation, financial services, and government services — and establishes differentiated security requirements for each. CII operators face enhanced obligations including:

• Mandatory security audits on a defined schedule
• Incident reporting to ASSI within defined timeframes (specific windows to be elaborated in ASSI guidance)
• Business continuity and disaster recovery requirements
• Use of approved cybersecurity products for specific high-risk applications

Pillar 3: Capacity Building and Human Capital Development
Recognizing that technical capacity is the binding constraint on implementing any cybersecurity strategy, the 2025–2029 framework includes explicit human capital development objectives:

• Expansion of cybersecurity training programs at universities and vocational centers, connected to the 285,000 new vocational training places announced for 2026 — which include new certificate-oriented cybersecurity qualification programs
• Certification programs aligned with international standards (ISO 27001 implementers, CISSP, CEH)
• Cybersecurity competition programs (CTF — Capture the Flag) to identify and develop talent
• International cooperation for skills transfer and training with MENAFATF partners, EU programs, and bilateral agreements

Pillar 4: Legal and Regulatory Framework Enhancement
The strategy maps a roadmap for regulatory development, including updates to:

• The penal code’s provisions on cybercrime, aligned with evolving international standards — notably, Algeria chairs the UN Ad Hoc Committee on Cybercrime that recently developed the UN Cybercrime Convention
• Sector-specific cybersecurity regulations for banking, healthcare, and energy
• Personal data protection implementing regulations under Law 18-07
• Government procurement requirements for cybersecurity in ICT contracts

Pillar 5: International Cooperation
Algeria’s cybersecurity strategy explicitly includes international dimensions:

• Active participation in MENAFATF cybersecurity working groups
• Bilateral cybersecurity cooperation agreements with France, EU institutions, Arab League members, and African Union programs
• Participation in UNODC and ITU cybersecurity capacity building programs for Africa
• Information sharing arrangements with partner country CERTs
• Algeria’s chairmanship of the UN Ad Hoc Committee on Cybercrime positions the country as a significant voice in shaping global cybercrime norms

---

Presidential Decree 26-07: The Institutional Architecture for Public Sector Security

Decree 26-07, published in the Official Gazette on January 21, 2026, provides the operational framework specifically for cybersecurity within public institutions. Its key provisions:

Mandatory cybersecurity units: Every public institution — ministries, agencies, public enterprises — must establish a dedicated cybersecurity unit that operates separately from the technical information systems management function. The unit reports directly to the head of the institution and is responsible for:

• Designing and overseeing implementation of the institution’s cybersecurity policy
• Identifying risks through dedicated mapping and deploying remediation plans
• Continuous monitoring of the institution’s information systems for threats and incidents
• Coordinating with ASSI on significant incidents and reporting immediately to relevant authorities
• Conducting or overseeing security assessments of information systems
• Ensuring compliance with national cybersecurity standards and personal data protection legislation

Chief Information Security Officers (CISOs): Building on the CISO mandate established by Decree 20-05, Decree 26-07 clarifies the CISO’s authority, reporting lines, and minimum competency requirements. CISOs must have demonstrable cybersecurity expertise — a requirement that, given the scarcity of qualified professionals, presents immediate human capital challenges.

Third-party and supply chain security: Public institutions must conduct security assessments of ICT suppliers and service providers as part of procurement due diligence. Contracts with ICT vendors must include cybersecurity clauses aligned with national standards, coordinated with public procurement and internal security bodies.

Regular security audits: Public institutions must conduct security audits on a schedule defined by ASSI guidance, using approved auditors or internal teams with appropriate qualifications.

---

Practical Implications for Government Agencies

Decree 26-07 creates immediate practical challenges for public institutions:

Staffing the cybersecurity units: Algeria has a significant shortage of qualified cybersecurity professionals. Creating hundreds of institutional cybersecurity units simultaneously requires either hiring from an already-thin market, retraining existing IT staff, or engaging external consultants. The government’s vocational training expansion — 285,000 new places in 2026, including dedicated cybersecurity certification programs — addresses the medium-term supply problem but not the immediate staffing requirement.

Budget implications: Establishing cybersecurity units requires dedicated budget — personnel, tooling (SIEM platforms, endpoint detection and response, vulnerability scanners), training, and audit costs. Ministries that have not historically budgeted for cybersecurity must now integrate these costs into annual planning.

Technology acquisition: Compliance with Decree 26-07 will drive procurement of cybersecurity technology products. SIEM platforms, identity and access management systems, network security appliances, and endpoint security tools are all required. This represents a significant market opportunity for cybersecurity vendors operating in Algeria.

---

Implications for the Private Sector

While Decree 26-07 applies specifically to public institutions, the broader cybersecurity strategy has significant implications for private sector companies:

Critical infrastructure operators: Private companies operating in CII sectors (telecom operators, private banks, private healthcare facilities, energy companies) face enhanced requirements even though they are not government entities. The CII designation carries sector-specific regulatory requirements administered through sectoral regulators (Bank of Algeria for banking, ARPCE for telecom).

ICT vendors and system integrators: Companies supplying ICT products and services to the public sector must meet security requirements embedded in procurement contracts. This creates both a compliance burden and a competitive advantage for vendors who can demonstrate robust security credentials (certifications, audit results, penetration test reports).

Cybersecurity service providers: The strategy creates enormous demand for cybersecurity services: managed security service providers (MSSPs), security audit firms, penetration testing companies, CISO-as-a-service providers, and security awareness training companies. This is arguably the most direct commercial opportunity created by the strategy.

Startups and technology companies generally: The strategy raises the baseline security expectation for all companies handling sensitive data. Law 18-07 compliance (data protection) and cybersecurity compliance increasingly overlap — companies that invest in security architecture as a foundational principle rather than an afterthought will be better positioned for both regulatory compliance and customer trust.

---

International Alignment: Where Algeria’s Strategy Fits Globally

Algeria’s National Cybersecurity Strategy 2025–2029 is broadly aligned with international best practices as documented by NIST (National Institute of Standards and Technology), ENISA (European Union Agency for Cybersecurity), and ITU (International Telecommunication Union). Key alignments include:

• Risk-based approach: The strategy adopts a risk management framework (identify, protect, detect, respond, recover) consistent with the NIST Cybersecurity Framework
• Critical infrastructure designation: Algeria’s CII categories align with standard international classifications
• Incident response coordination: The DZ-CERT and ASSI structure mirrors the national CERT architecture recommended by ITU and ENISA
• International cooperation: Cross-border incident response cooperation is a recognized best practice given the transnational nature of cyber threats

Areas where Algeria’s approach differs from some international frameworks:

• Data governance emphasis: Algeria’s combination of cybersecurity and data governance requirements (Decree 25-320 establishing national data classification, cataloguing, and interoperability frameworks) creates additional compliance layers for public administrations handling classified information
• State coordination emphasis: The strategy places significant emphasis on state-coordinated security rather than market-driven security, reflecting Algeria’s state-led development model
• International cybercrime norms leadership: Algeria’s chairmanship of the UN Ad Hoc Committee on Cybercrime positions the country as a shaper of international cybercrime standards, rather than merely adopting existing frameworks

---

The Talent Crisis: The Strategy’s Achilles’ Heel

The most significant constraint on implementing Algeria’s National Cybersecurity Strategy is talent. Building dedicated cybersecurity units in every public institution, staffing cybersecurity operations centers for critical infrastructure, and providing the advisory services that private sector compliance demands requires thousands of qualified cybersecurity professionals Algeria currently does not have.

The brain drain of tech talent compounds this challenge — trained cybersecurity professionals who emigrate to France, Canada, or the Gulf reduce the domestic supply. Algeria’s SNTN strategy explicitly targets a 40% reduction in skilled worker migration by 2030, recognizing this as a strategic vulnerability.

The strategy’s human capital pillar addresses this through training expansion, but training pipelines take time — typically 2–4 years from program design to graduate deployment. The strategy’s 2025–2029 timeframe means that for the first two to three years, implementation will be constrained by the talent shortage rather than by legal or financial resources.

Short-term mitigation strategies include: accelerated government-funded certifications for existing IT staff; managed security service partnerships with international providers; international cooperation arrangements that embed foreign expert advisors; and targeted recruitment from the diaspora community.

---

Conclusion: An Ambitious Strategy for a Critical Moment

Algeria’s National Cybersecurity Strategy 2025–2029, anchored by Decrees 25-321 and 26-07, is an ambitious policy framework that correctly identifies cybersecurity as a foundation of sustainable digital transformation. Its institutional architecture is well-conceived. Its priorities — critical infrastructure protection, capacity building, international cooperation — are well-aligned with best practices.

The strategy will be judged not by its text but by its implementation. The talent shortage is the primary implementation risk. The procurement of cybersecurity technology — if done through transparent, quality-focused processes — can create a domestic market that attracts international vendors and develops local expertise. The international cooperation dimensions can accelerate knowledge transfer.

For businesses and professionals in Algeria’s technology ecosystem, the strategy’s message is clear: cybersecurity is no longer optional. It is a regulatory requirement, a market differentiator, and a national strategic priority. Those who invest in building genuine cybersecurity capabilities — not just checkbox compliance — will be the architects of the digital Algeria that the strategy envisions.

---

---

Sources

• Algeria Strengthens Cybersecurity Framework to Protect National Infrastructure — TechAfrica News
• Algeria Adopts New Cybersecurity Framework as Digital Risks Rise — We Are Tech Africa
• Algeria Orders Cybersecurity Units in Public Sector Amid Surge in Cyberattacks — Ecofin Agency
• Presidential Decree No. 26-07 — ARPCE Official
• Cybersecurity at the Core of Algeria’s Digital Sovereignty Strategy — DzairTube
• Cybersecurity and Governance — State of Software Engineering in Algeria
• Data Protection and Cybersecurity Laws in Algeria — CMS Expert Guide
• FATF Jurisdictions Under Increased Monitoring — February 2026
• Algeria Aims for Full Digital Transformation by 2030 — We Are Tech Africa
• Algeria Plans 285,000 New Vocational Training Places in 2026 — Ecofin Agency
• DZ-CERT — Algerian Computer Emergency Response Team — CERIST