Digital & ICT Regulations in Mauritius — A Guide for SMEs

Last updated: April 7, 2026

Mauritius has a growing list of regulations governing the use of digital and ICT in daily life and business. Navigating these regulations can be overwhelming as many of them are written in formal and technical language. The daunting step of consulting a legal advisor to ensure compliance prevents many businesses from taking their first step into a more structured, digital way of working.

In this article, we introduce a practical summary of the existing and upcoming regulations in Mauritius governing digital and ICT. It is worth noting that the rules are still being written, with upcoming regulations still to be finalised and enacted as part of the government's Digital Blueprint 2025–2029.

For each act mentioned below, you will discover what it entails, when it applies to your business, and where to start if you need to take action. Our goal is to create awareness and to serve as a starting point so you know who to contact for your next steps.

Disclaimer — This article is a plain-language summary for awareness purposes only and does not constitute legal or compliance advice. Regulations change: always check for the latest updates and consult a qualified legal professional before making any decisions. marismart and Coral Network Ltd accept no liability for decisions made or not made on the basis of this article.

The Current Acts in Legislation

The following seven acts are currently in force in Mauritius. Each one is relevant to businesses operating in the digital space — though some will matter more to your specific situation than others.

Data Protection Act (2017)

What it does This act controls how personal information is collected, stored, used, and shared. Personal information means anything that can identify a person — a name, email address, phone number, purchase history, or even an IP address. Businesses that handle this kind of data must have a lawful reason to collect it, must keep it secure, and must be transparent with people about how it is used. The Act is enforced by the Data Protection Office (DPO).

When it applies to your business: This Act applies to you if your business collects any personal information from customers, staff, or suppliers — through a website form, a loyalty programme, a CRM system, or even a WhatsApp contact list. It covers virtually every business that has any digital presence.

Where to start: Start with what you collect. If you're gathering names, emails, or any customer information, you need a privacy policy. This is a plain and honest document outlining what data you collect, why, and how people can ask you to delete it. It’s advised to put it on your website.Only collect data you actually need. The less you hold, the less you're responsible for.

Have a basic plan for data breaches — even a simple process for who to contact and what to do is enough to start.

If your business handles personal data regularly, you will also need to register with the Data Protection Office. The fee is between Rs 1,000 and Rs 2,500 depending on your business size, valid for 3 years. Visit dataprotection.govmu.org to check whether registration applies to you and to understand your full obligations.

Cybersecurity and Cybercrime Act (2021)

What it does This act defines what counts as a cybercrime in Mauritius — including unauthorised access to computer systems, interception of data, spreading malicious software, and online fraud. It also sets out powers for law enforcement to investigate digital offences. Mauritius is a signatory to the Budapest Convention, the international treaty on cybercrime, which means cooperation with other countries on cross-border digital crimes.

When it applies to your business If your business operates online, stores customer data, or uses any networked system, this Act is relevant to you — not because you are likely to commit a cybercrime, but because it defines what protections you and your customers are entitled to, and what your obligations are if your systems are compromised or misused.

Where to start Ensure your systems have basic security measures in place: strong passwords, two-factor authentication, regular backups, and up-to-date software. If your business operates in a sensitive sector (banking, health, government supply), take note of the National Cyber Resiliency Agency currently being established — sector-specific directives are coming.

Electronic Transactions Act (2000)

What it does This act makes electronic documents, digital signatures, and online contracts legally valid in Mauritius. In plain terms: a contract signed digitally, an order confirmed by email, or a terms-and-conditions acceptance on a website all carry the same legal weight as a signed paper document — provided the conditions in the Act are met.

WhatsApp messages are broadly covered under this act. When transacting over WhatsApp, you should always be able to prove what was agreed and that both parties meant to agree to it. A WhatsApp thread can be deleted, screenshotted selectively, or misread out of context. Intent should always be clear.

When it applies to your business If your business accepts orders online, sends electronic invoices, issues digital receipts, or uses any form of electronic agreement with customers or suppliers, this Act underpins the legal validity of those transactions. It is particularly relevant for e-commerce businesses and any company moving from paper-based to digital processes.

Where to start You do not need to register under this Act. Just record proof of your transactions — orders received, confirmations sent, and any agreements made digitally. Make sure your customers know what they are agreeing to, and you should be able to demonstrate that agreement if needed.

Information and Communication Technologies Act (2001)

What it does This is the foundational law governing the ICT sector in Mauritius. It established the Information and Communication Technologies Authority (ICTA), which regulates telecoms operators, internet service providers, broadcasters, and related services. It covers licensing, spectrum management, and the general framework within which digital communications services operate in the country.

When it applies to your business If your business provides a telecommunications service, internet access, broadcasting, or any licensed ICT service, this Act applies directly.

Where to start If you are operating a service that may require a licence from ICTA (internet service provision, content platforms, telecommunications), check ICTA's licensing requirements at icta.mu. If you are a business using local ICT services, the ICTA license ensures the operator must adhere to a baseline of service quality, security, and accountability.

Postal Services Act (2002)

What it does This act governs the postal and courier services sector in Mauritius. It established the Postal Authority (under ICTA) and sets the licensing framework for anyone providing postal, courier, or related delivery services. It covers how operators must handle mail, set tariffs, deal with undeliverable items, and maintain service standards.

When it applies to your business If your business operates a courier or delivery service, this Act applies to you — you will need the appropriate licence from the ICTA Postal Authority. If you are an e-commerce business that uses courier services to fulfil orders, this Act governs the providers you work with. It determines the standards and obligations your logistics partners must meet.

Where to start If you run a courier or delivery operation, apply for the relevant licence through ICTA at icta.mu. If you are an e-commerce seller using third-party couriers, make sure your delivery partners are properly licensed — you can verify this through ICTA's list of licensed operators.

Mauritius Digital Promotion Agency Act (2023)

What it does This act established the Mauritius Digital Promotion Agency (MDPA), which replaced the National Computer Board (NCB). The MDPA is the government body responsible for promoting digital literacy, supporting ICT adoption, running the FabLab and innovation programmes, and driving digital skills development across Mauritius.

When it applies to your business This Act does not impose obligations on businesses. Instead, it is the legal basis for a body that offers support. The MDPA runs programmes relevant to SMEs looking to digitalise — including training, incubation, and digital skills initiatives.

Where to start Visit the MDPA to explore what support is available for your business. This is a resource, not a compliance requirement. If you are looking to upskill your team, explore digital tools, or access government-supported tech programmes, the MDPA is the relevant contact.

Mauritius Research and Innovation Council Act (2019)

What it does This act established the Mauritius Research and Innovation Council (MRIC), the body responsible for coordinating and funding research and innovation in Mauritius. It oversees research grants, supports the development of innovation capacity, and links academic, public, and private sector research efforts.

When it applies to your business If your business is involved in research and development, technology innovation, or applied research projects, MRIC may be a relevant funding and support body. This is not a compliance-heavy Act for most businesses — it is primarily about creating the institutional infrastructure for research & development in Mauritius.

Where to start If your business is pursuing innovation projects, product development, or tech-driven research, explore the funding schemes and grants available through MRIC at mric.mu. This Act is an opportunity rather than an obligation.

Upcoming Regulations under the 2025–2029 Digital Blueprint

In May 2025, the government published its Digital Blueprint 2025–2029 — a detailed roadmap for transforming Mauritius's digital economy. Several significant regulatory changes are in development as part of this programme. None of these are in force yet as of April 2026, but businesses that prepare now will have a much easier transition when they are.

E-Commerce Regulatory Framework (in development)

Online sellers will need to register with a new verified database of operators. There will be licensing requirements and operational standards for anyone selling goods or services online. If you run an online shop today — even an informal one (eg. selling on Facebook, TikTok live) — this will create formal obligations.

Data Protection Act (amendments planned)

The existing Data Protection Act 2017 is being updated to more closely align with the EU's GDPR (General Data Protection Regulation). New regulations for data protection officers and online privacy are also planned, along with a Freedom of Information Act. If you already follow GDPR principles, you are ahead of the curve.

Cybersecurity Directives for Critical Sectors (in development)

Sector-specific cybersecurity obligations are coming for industries such as banking, healthcare, and utilities. These will set minimum security standards, incident reporting requirements, and operational resilience benchmarks. A National Cyber Resiliency Agency is being set up to oversee this.

ICT Act

(amendments planned) The ICT Act 2001 is being updated to better reflect freedom of expression principles and to introduce a framework for Non-Geostationary Satellite Orbit (NGSO) broadband services. Social media moderation guidelines are also part of the incoming changes — relevant for businesses that manage public-facing platforms or online communities.

AI Regulation Framework (under consultation)

Mauritius is planning a hybrid approach to AI governance, drawing from the EU's risk-based model and the UK's principles-based approach. An industry committee with private sector representatives is involved. This is early-stage, but businesses deploying AI tools should watch this space.

Blockchain-Enabled Electronic Transferable Records (Electronic Transactions Act amendment planned)

Amendments to the Electronic Transactions Act will recognise blockchain-based transferable records for international trade. This is particularly relevant for import/export businesses and those dealing in trade finance, as it could significantly reduce paperwork and increase transaction security.

What to Do With This

You do not need to become a compliance expert overnight. What matters is knowing which of these acts touches your business, and having a basic plan for each one.

Start with the Data Protection Act — it applies to almost every business with a digital presence and has the clearest, most immediate obligations. Then work through the others based on what your business actually does.

If in doubt, speak to a legal or compliance professional. This article is a starting point, not a substitute for qualified advice.

• Data touches your business? Start with the Data Protection Act.
• Selling online or planning to? The incoming E-Commerce Framework will affect you — get structured now.
• Using AI, blockchain, or emerging tech? Follow the METC and watch the AI regulation consultation.
• Running a courier or delivery service? Check your licensing requirements under the Postal Services Act.
• Developing new tech products? Explore MRIC funding and MDPA support programmes.

Just want to digitalise your business? Contact us.