Egypt's data protection law stops being a paper exercise on 1 November 2026. Kenya's Senate is debating a dedicated Artificial Intelligence Bill that would create an AI Commissioner with the power to fine offenders up to 5 million shillings. Nigeria's regulator has already told data controllers a missed compliance audit can cost 10 million naira or 2% of annual gross revenue, whichever is higher. Yet only 16 of the African Union's 55 member states have ratified the one treaty meant to harmonise all of this, the Malabo Convention, and none of the continent's four largest economies, South Africa, Nigeria, Kenya or Egypt, is among them.
That gap between continental ambition and national reality is the defining feature of AI and data governance in Africa in 2026. Compliance teams cannot rely on a single rulebook the way they increasingly can in the EU. Instead they are tracking four or five national regimes moving at different speeds, an African Union strategy still in its early implementation phase, and an EU AI Act whose extraterritorial reach already pulls in African companies serving European customers.
None of this is theoretical. It determines whether a Lagos fintech's credit-scoring model needs a data protection impact assessment before launch, whether a Johannesburg health-tech company can keep selling diagnostic software to a European hospital group, and whether a Nairobi lender's automated loan-decision system will soon answer to a dedicated AI regulator instead of only a data protection office.
Is there a single African law governing AI and data?
No. The African Union's Continental Artificial Intelligence Strategy, endorsed by the Executive Council in Accra on 18 and 19 July 2024, sets policy direction rather than binding rules, and its own implementation timeline runs Phase 1, building governance structures and national strategies, from 2025 to 2026, with core project execution not starting until 2028. The one instrument with actual legal force, the Malabo Convention on Cyber Security and Personal Data Protection, entered into force on 8 June 2023 after Mauritania became its fifteenth ratifying state, but as of 2026 only 16 of 55 AU members have ratified it. Companies operating across borders in Africa are therefore still navigating national law country by country, not a harmonised continental regime.
What does Nigeria's Data Protection Act require in 2026?
The Nigeria Data Protection Act 2023 gave the Nigeria Data Protection Commission standalone statutory enforcement powers, reinforced by the General Application and Implementation Directive that took effect in September 2025. Every organisation classified as a Data Controller or Data Processor of Major Importance must register with the Commission and file an annual Data Protection Compliance Audit Return, ordinarily due by 31 March, though the Commission extended the 2025 filing cycle to 30 May 2026. Officials have signalled that penalties for a missed or deficient audit return can now reach 10 million naira or 2% of annual gross revenue, whichever is higher, a marked shift from the advisory posture of the earlier Nigeria Data Protection Regulation. There is no AI-specific statute yet, so automated decision-making involving personal data is governed through the Act's general provisions on lawful processing and data subject rights.
Does South Africa regulate AI, or only data?
Only data, for now, and even that guidance is thin where AI is concerned. The Protection of Personal Information Act's section 71 restricts decisions based solely on automated processing that have legal or similarly significant effects, a provision structurally close to the GDPR's Article 22, but South Africa's Information Regulator had issued no dedicated guidance, case law or enforcement position on it as of early 2026. The Regulator has confirmed it will publish guidance on personal information impact assessments during the 2026/27 financial year, intended to double as the vehicle for AI risk assessment. Separately, the Department of Communications and Digital Technologies opened its Draft National AI Policy for public comment in April 2026, proposing a whole-of-government model in which existing regulators, the Information Regulator, ICASA, the Competition Commission and financial regulators, keep their current mandates and coordinate through a new National AI Regulatory Forum rather than a single AI authority. Enforcement teeth remain real under POPIA itself: the maximum administrative fine is 10 million rand per contravention, and the Information Regulator issued its first fine, 5 million rand against the Department of Justice and Constitutional Development, in July 2023.
How close is Kenya to a dedicated AI law?
Closer than most of the continent, but not there yet. Kenya's Artificial Intelligence Bill, 2026, sponsored by Senator Karen Nyamu, would create an independent Office of the Artificial Intelligence Commissioner with powers to inspect AI systems, maintain a public register of high-risk systems, and enforce a risk-based regime modelled in part on the EU AI Act. The Bill explicitly ties high-risk AI obligations to the existing Data Protection Act, 2019, requiring providers to conduct data protection impact assessments and, where automated decisions produce legal or similarly significant effects, to guarantee a right to human intervention. It still needs approval from the National Assembly and presidential assent before it becomes law. Until then, the Office of the Data Protection Commissioner, operating under the Data Protection Act and Kenya's National Artificial Intelligence Strategy 2025 to 2030, remains the only body actively supervising AI-adjacent processing, with power to investigate and impose administrative penalties for breaches.
What changes for companies when Egypt's data law takes full effect?
Egypt's Personal Data Protection Law, in force since 2020 but never fully operational without implementing rules, finally got its Executive Regulations under Minister of Telecommunications Decree No. 816 of 2025, published in November 2025. That publication started a one-year grace period expiring 1 November 2026, after which the Personal Data Protection Center gains full authority to license, inspect and sanction organisations processing personal data in Egypt. The Regulations address AI directly but narrowly: processors using personal data to train or operate AI models must handle it in line with "locally, regionally and internationally recognised" standards, a reference to the non-binding Egyptian Charter for Responsible Artificial Intelligence issued by the National Council for Artificial Intelligence. Egypt still has no standalone AI statute, so the Charter functions as soft guidance layered on top of hard data protection law.
Why does the EU AI Act matter to a company with no EU office?
Because the Act regulates outcomes, not addresses. Under Article 2(1)(c), the EU AI Act applies to providers and deployers located outside the Union whenever the output of their AI system is used within it, the same extraterritorial logic that made GDPR a global compliance reference rather than a European one. A Nigerian fintech running AI credit scoring for European diaspora customers, or a South African diagnostics company licensing its software to a European hospital group, falls within scope regardless of where its servers sit. The obligations for general-purpose AI model providers already took effect in August 2025, and the major compliance deadline for high-risk systems, covering employment, credit and insurance decisions among others, lands on 2 August 2026. These obligations stack on top of, rather than replace, whichever national data protection law already applies.
| Jurisdiction | Core law | Regulator | 2026 milestone |
|---|---|---|---|
| Nigeria | Data Protection Act 2023 + GAID 2025 | Nigeria Data Protection Commission | 2025 audit returns due 30 May 2026, fines up to 10 million naira or 2% |
| South Africa | POPIA, Draft National AI Policy | Information Regulator | PIIA guidance covering AI expected in the 2026/27 financial year |
| Kenya | Data Protection Act 2019, AI Bill 2026 pending | Office of the Data Protection Commissioner | AI Bill awaiting National Assembly approval and presidential assent |
| Egypt | Personal Data Protection Law 151/2020 + Regulations | Personal Data Protection Center | Grace period ends 1 November 2026, full enforcement follows |
What should compliance teams do before the AU strategy catches up?
Track each jurisdiction on its own terms rather than waiting for continental harmonisation that, on the AU's own timeline, will not mature before 2028. The AfCFTA Digital Trade Protocol, whose eight supporting annexes on data flows, digital identity and emerging technologies were adopted in February 2025, points toward freer cross-border data transfer, but its five-year transition period means national rules still govern day-to-day compliance for years to come. Obsidian tracks each of these regimes, Nigeria's NDPA and GAID, South Africa's POPIA and its evolving AI policy, Kenya's Data Protection Act and pending AI Bill, Egypt's PDPL and its November 2026 deadline, plus the AU and AfCFTA instruments that sit above them, against their tier-0 official sources, with alerts the moment a gazette, regulation or bill status changes. For teams that also need to reason about how these regimes interact with the EU AI Act or GDPR, Obsidian's AI companion answers questions against that same verified source base rather than a general model's guess, and the MCP integration puts the same regulatory data directly inside the AI assistants compliance and legal teams already use daily.
The next twelve months will separate the jurisdictions that move from policy paper to enforcement from those still drafting. Egypt's grace period ends in November, Kenya's Bill could pass before year end, and South Africa's Information Regulator has committed to its first AI-relevant guidance. Waiting for the African Union's continental framework to resolve these differences is not a compliance strategy. Continuous per-jurisdiction monitoring is, and it is worth checking what a plan built around exactly this coverage costs before the next deadline arrives.