NCSI FULFILMENT PERCENTAGE
Version 15 Apr 2025 Choose a version
STRATEGIC CYBERSECURITY INDICATORS
-
1. CYBERSECURITY POLICY 9/15 60%915 60%
-
1.1. High-level cybersecurity leadership 333
Requirements
CriteriaThe country has appointed governmental leadership responsible for cybersecurity at the national level.
Accepted referencesLegal act, national strategy, official statutes or terms of reference, or official website
Evidence
Evidence presented in a foreign language
https://sgg.gouv.bj/doc/accord-2022-324/
The Information Systems and Digital Agency (Agence des Systèmes d'Information et du Numérique) is the government entity responsible for cybersecurity at the national level.
Evidence presented in a foreign language
https://asin.bj/p/mission-attributions/
Official website of the Agency
-
1.2. Cybersecurity policy development 333
Requirements
CriteriaThere is a competent entity in the central government to whom responsibility is assigned for national cybersecurity strategy and policy development.
Accepted referencesLegal act, official statute or terms of reference, or official website
Evidence
Evidence presented in a foreign language
https://sgg.gouv.bj/doc/accord-2022-324/
The Information Systems and Digital Agency (Agence des Systèmes d'Information et du Numérique) is the competent entity within the central administration to which responsibility for developing the national strategy and policy on cybersecurity is entrusted through its missions and attributions (Article 5 of the statutes of the Information Systems and Digital Agency, page 3).
Evidence presented in a foreign language
Official website of the Agency
-
1.3. Cybersecurity policy coordination 003
Requirements
CriteriaThe country has a regular official format for cybersecurity policy coordination at the national level.
Accepted referencesLegal act, official statute or terms of reference, or official website
Evidence
-
1.4. National cybersecurity strategy 333
Requirements
CriteriaThe central government has established a national-level cybersecurity strategy defining strategic cybersecurity objectives and measures to improve cybersecurity across society.
Accepted referencesValid official document
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/42/download
National Digital Security Strategy 2023-2026 (Strategie Nationale De Securite Numerique 2023-2026)
-
1.5. National cybersecurity strategy action plan 003
Requirements
CriteriaThe central government has established an action plan to implement the national cybersecurity strategy.
Accepted referencesCurrent official document, legal act, or official statement
Evidence
-
-
2. GLOBAL CYBERSECURITY CONTRIBUTION 3/6 50%36 50%
-
2.1. Cyber diplomacy engagements 333
Requirements
CriteriaThe government contributes to international or regional cooperation formats dedicated to cybersecurity and cyber stability. (The indicator is limited to strategic-level cooperation; operational-level incident response cooperation and cross-border law enforcement cooperation are addressed separately under other indicators.)
Accepted referencesOfficial website of the organisation or cooperation format, official statement or contribution
Evidence
-
2.2. Commitment to international law in cyberspace 001
Requirements
CriteriaThe country has an official position on the application of international law, including human rights, in the context of cyber operations.
Accepted referencesOfficial document or statement, international indexes
Evidence
-
2.3. Contribution to international capacity building in cybersecurity 002
Requirements
CriteriaThe country has led or supported cybersecurity capacity building for another country in the past three years.
Accepted referencesOfficial website or project document
Evidence
-
-
3. EDUCATION AND PROFESSIONAL DEVELOPMENT 6/10 60%610 60%
-
3.1. Cyber safety competencies in primary education 002
Requirements
CriteriaPrimary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
Evidence
-
3.2. Cyber safety competencies in secondary education 002
Requirements
CriteriaSecondary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
Evidence
-
3.3. Undergraduate cybersecurity education 222
Requirements
CriteriaAt least one undergraduate education programme is available in the country to train students in cybersecurity.
Accepted referencesAccredited study programme
Evidence
Evidence presented in a foreign language
-
3.4. Graduate cybersecurity education 333
Requirements
CriteriaAt least one cybersecurity education programme is available in the country at the graduate level.
Accepted referencesAccredited study programme
Evidence
Evidence presented in a foreign language
-
3.5. Association of cybersecurity professionals 111
Requirements
CriteriaA professional association of cybersecurity specialists, managers, or auditors exists in the country.
Accepted referencesOfficial website
Evidence
Evidence presented in a foreign language
Association Béninoise pour la Cybersécurité et la Promotion du Numérique
Evidence presented in a foreign language
Bjwhitehats
https://owasp.org/www-chapter-cotonou/
OWASP Cotonou
-
-
4. CYBERSECURITY RESEARCH AND DEVELOPMENT 2/4 50%24 50%
-
4.1. Cybersecurity research and development programmes 222
Requirements
CriteriaA cybersecurity research and development (R&D) programme or institute exists and is recognised and/or supported by the government.
Accepted referencesOfficial programme or official website
Evidence
Evidence presented in a foreign language
The Institute for Training and Research in Computer Science (Institut de Formation et de Recherche en Informatique - IFRI) is the research and development (R&D) institute for cybersecurity.
-
4.2. Cybersecurity doctoral studies 002
Requirements
CriteriaAn officially recognised PhD programme exists accommodating research in cybersecurity.
Accepted referencesOfficial programme or official website
Evidence
-
PREVENTIVE CYBERSECURITY INDICATORS
-
5. CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE 12/12 100%1212 100%
-
5.1. Identification of critical information infrastructure 333
Requirements
CriteriaThere is a framework or a mechanism to identify operators of critical information infrastructure.
Accepted referencesLegal or administrative act
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/43/download
The Republic of Benin has a framework for classifying information infrastructures. This framework is briefly described in the Critical Information Infrastructure Protection Policy (Page 22). The entire document describing the framework for identifying critical information infrastructures is confidential.
-
5.2. Cybersecurity requirements for operators of critical information infrastructure 333
Requirements
CriteriaOperators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal act, or mandatory cybersecurity framework or standard
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/43/download
Critical information infrastructure operators are required to assess and manage cyber risks and/or implement cybersecurity measures. These requirements are described in the OIIC Obligations section (Page 22) of the Critical Information Infrastructure Protection Policy.
-
5.3. Cybersecurity requirements for public sector organisations 333
Requirements
CriteriaPublic sector organisations are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal or administrative act, mandatory cybersecurity framework or standard
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/44/download
The Information Systems Security Policy of the State of the Republic of Benin requires public sector organizations to assess and manage cyber risks and/or implement cybersecurity measures within its scope of application (Page 11) and in the requirements named BASIC PRINCIPLES (P3) on page 12.
Evidence presented in a foreign language
https://asin.bj/doc/43/download
Public sector organizations that operate critical information infrastructure must comply with the State Information Systems Security Policy and the Critical Information Infrastructure Protection Policy.
-
5.4. Competent supervisory authority 333
Requirements
CriteriaA competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://sgg.gouv.bj/doc/decret-2023-060/
The Information Systems and Digital Agency ensures the technical coordination of the implementation of the Critical Information Infrastructure Protection Policy.
Evidence presented in a foreign language
https://sgg.gouv.bj/doc/decret-2021-550/
The Information Systems and Digital Agency oversees the implementation of the State's Information Systems Security Policy and reports to the Minister responsible for Digital Affairs.
-
-
6. CYBERSECURITY OF DIGITAL ENABLERS 12/12 100%1212 100%
-
6.1. Secure electronic identification 222
Requirements
CriteriaA national electronic identification solution exists that allows for officially recognised and secure electronic identification of natural and/or legal persons.
Accepted referencesLegal act, nationally recognised identification scheme, or official website
Evidence
Evidence presented in a foreign language
La plateforme permet une identification électronique et sécurisée des personnes physiques ou morales.
-
6.2. Electronic signature 222
Requirements
CriteriaA nationally recognised and publicly available solution exists to issue secure and legally binding electronic signatures.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://identite-numerique.bj/
This web platform is the nationally recognized and publicly accessible solution for issuing secure and legally binding electronic signatures.
Evidence presented in a foreign language
https://asin.bj/doc/11/download
Law No. 2017-20 of April 20, 2018 on the digital code in the Republic of Benin, Articles 284 - 292.
-
6.3. Trust services 222
Requirements
CriteriaTrust services (e.g. digital certificates, timestamps, private key management service) are regulated, at least for use in the public sector.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/11/download
Law No. 2017-20 of April 20, 2018 on the digital code in the Republic of Benin regulates trust services in its Book III (Page 113)
-
6.4. Supervisory authority for trust services 222
Requirements
CriteriaAn independent authority has been designated and given the power to supervise trust services and trust service providers.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://sgg.gouv.bj/doc/decret-2020-485/
Decree No. 2020-485 of October 7, 2020 relating to the responsibilities, organizations and operation of the Digital Trust Service Provider Control Body in the Republic of Benin.
Evidence presented in a foreign language
https://sgg.gouv.bj/doc/decret-2020-488/
Decree No. 2020-488 of October 7, 2020 appointing members of the qualification committee for trust service providers of the Digital Trust Service Provider Control Body in the Republic of Benin.
-
6.5. Cybersecurity requirements for cloud services 222
Requirements
CriteriaRequirements are established for the secure use of cloud services in government and/or public sector organisations.
Accepted referencesLegal or administrative act, cybersecurity framework or standard
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/44/download
The State Information Systems Security Policy defines the requirements for the secure use of cloud services in government and/or public sector organizations (Page 40).
-
6.6. Supply chain cybersecurity 222
Requirements
CriteriaRequirements are established to identify and manage cybersecurity risks through the ICT supply chain.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/44/download
The State Information Systems Security Policy defines the requirements for identifying and managing cybersecurity risks throughout the supply chain (Page 39).
-
-
7. CYBER THREAT ANALYSIS AND AWARENESS RAISING 3/12 25%312 25%
-
7.1. Cyber threat analysis 003
Requirements
CriteriaA government entity has been assigned the responsibility for national-level cybersecurity and/or cyber threat assessments.
Accepted referencesLegal act, statute, or official website
Evidence
-
7.2. Public cyber threat reports 003
Requirements
CriteriaPublic cyber threat reports and notifications are issued at least once a year.
Accepted referencesOfficial website, official social media channel, or public report
Evidence
-
7.3. Public cybersecurity awareness resources 333
Requirements
CriteriaPublic authorities provide publicly available cybersecurity advisories, tools, and resources for users, organisations, and ICT and cybersecurity professionals.
Accepted referencesOfficial website, public advisories
Evidence
Evidence presented in a foreign language
https://csirt.gouv.bj/category/alertes-et-avis/
The bjCSIRT regularly publishes reports and public notices on cyber threats.
Evidence presented in a foreign language
The PARE campaign offers young people and parents awareness content on the proper use of Internet tools and potential threats such as exposure to shocking content, the dangers of unsuspecting use of social media, online gambling by minors, malware, phishing, fake news, and scams of all kinds.
-
7.4. Cybersecurity awareness raising coordination 003
Requirements
CriteriaThere is an entity with the clearly assigned responsibility to lead and/or coordinate national cybersecurity awareness activities.
Accepted referencesLegal act, official document, or official website
Evidence
-
-
8. PROTECTION OF PERSONAL DATA 4/4 100%44 100%
-
8.1. Personal data protection legislation 222
Requirements
CriteriaThere is a legal act for personal data protection that is applicable to the protection of data online or in digital form.
Accepted referencesLegal act
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/11/download
Law No. 2017-20 of April 20, 2018 on the digital code in the Republic of Benin, in its fifth book (Articles 379 - 490), is the legal act for the protection of personal data and data online or in digital form.
-
8.2. Personal data protection authority 222
Requirements
CriteriaAn independent public supervisory authority has been designated and allocated powers to supervise personal data protection.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
The Personal Data Protection Authority (Autorité de Protection des Données Personnelles - APDP) is the independent public supervisory authority designated and given powers to monitor the protection of personal data.
Evidence presented in a foreign language
https://asin.bj/doc/11/download
The Personal Data Protection Authority (APDP) was created by Law No. 2017-20 of April 20, 2018 on the digital code in the Republic of Benin as amended by Law No. 2020-35 of January 6, 2021.
Evidence presented in a foreign language
https://asin.bj/doc/12/download
Law No. 2020-35 of January 6, 2021 amending Law No. 2017-20 of April 20, 2018 relating to the digital code in the Republic of Benin.
-
RESPONSIVE CYBERSECURITY INDICATORS
-
9. CYBER INCIDENT RESPONSE 9/14 64%914 64%
-
9.1. National incident response capacity 333
Requirements
CriteriaThere is a CERT designated with nationwide responsibilities for cyber incident detection and response.
Accepted referencesLegal act or official website
Evidence
-
9.2. Incident reporting obligations 333
Requirements
CriteriaOperators of critical information infrastructure and/or government institutions are obliged to notify the designated competent authorities about cyber incidents.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/43/download
Critical information infrastructure operators are required to report any incident that may have a serious impact on their information infrastructure as prescribed by the Critical Information Infrastructure Protection Policy (Page 22: OIIC Obligations paragraph 2).
Evidence presented in a foreign language
https://asin.bj/doc/44/download
As prescribed by the State Information Systems Security Policy (Page 41: Security Incident Management), government institutions and official institutions must report any incident to the Information Systems and Digital Agency through the bjCSIRT (National Computer Security Incident Response Team).
-
9.3. Cyber incident reporting tool 002
Requirements
CriteriaA publicly available official resource is provided for notifying competent authorities about cyber incidents.
Accepted referencesOfficial website
Evidence
-
9.4. Single point of contact for international cooperation 003
Requirements
CriteriaThe government has designated a single point of contact for international cybersecurity cooperation.
Accepted referencesLegal act or official website
Evidence
-
9.5. Participation in international incident response cooperation 333
Requirements
CriteriaThe national cyber incident response team (CSIRT/CERT/CIRT) participates in international or regional cyber incident response formats.
Accepted referencesOfficial website or official document
Evidence
-
-
10. CYBER CRISIS MANAGEMENT 0/9 0%09 0%
-
10.1. Cyber crisis management plan 002
Requirements
CriteriaThe government has established a crisis management plan for large-scale cyber incidents.
Accepted referencesLegal act or official website
Evidence
-
10.2. National cyber crisis management exercises 003
Requirements
CriteriaRegular interagency cyber crisis management exercises or crisis management exercises with a cyber component are arranged at the national level at least every other year.
Accepted referencesExercise document, official website, or press release
Evidence
-
10.3. Participation in international cyber crisis exercises 002
Requirements
CriteriaThe country participates in an international cyber crisis management exercise at least every other year.
Accepted referencesExercise document/website or press release
Evidence
-
10.4. Operational crisis reserve 002
Requirements
CriteriaA mechanism for engaging reserve support has been established to reinforce government bodies in managing cyber crises.
Accepted referencesLegal act or official website
Evidence
-
-
11. FIGHT AGAINST CYBERCRIME 11/16 69%1116 69%
-
11.1. Cybercrime offences in national law 333
Requirements
CriteriaCybercrime offences are defined in national legislation.
Accepted referencesLegal act
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/11/download
Law No. 2017-20 of April 20, 2018 on the digital code in the Republic of Benin, in its Sixth Book (Page 193) and other articles.
-
11.2. Procedural law provisions 333
Requirements
CriteriaLegislation defines the powers and procedures for cybercrime investigations and proceedings and for the collection of electronic evidence.
Accepted referencesLegal act
Evidence
Evidence presented in a foreign language
https://asin.bj/doc/11/download
Law No. 2017-20 of April 20, 2018 on the digital code in the Republic of Benin, in its Sixth Book (Page 193) and other articles, defined the powers and procedures for investigations into cybercrime in the Republic of Benin.
-
11.3. Ratification of or accession to the Convention on Cybercrime 222
Requirements
CriteriaThe country has ratified or acceded to the Council of Europe (CoE) Convention on Cybercrime.
Accepted referencesLegal act on Convention ratification or accession, website of the CoE Treaty Office
Evidence
Evidence presented in a foreign language
https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=185
The Republic of Benin ratified the Council of Europe Convention on Cybercrime on 20/06/2024 and it entered into force on 01/10/2024.
-
11.4. Cybercrime investigation capacity 333
Requirements
CriteriaLaw enforcement has a specialised function and capacity to prevent and investigate cybercrime offences.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
The National Digital Investigation Center (Centre National d'Investigation Numérique - CNIN).
Evidence presented in a foreign language
https://sgg.gouv.bj/doc/decret-2023-599/
Decree N° 2023-599 du 29 nov. 2023 relating to the creation, organization and operation of the National Digital Investigation Center - CNIN.
-
11.5. Digital forensics capacity 002
Requirements
CriteriaLaw enforcement has a specialised function and capacity for digital forensics.
Accepted referencesLegal act, statute, official document, or official website
Evidence
-
11.6. 24/7 contact point for international cybercrime 003
Requirements
CriteriaThe government has designated an international 24/7 point of contact for assistance on cybercrime and electronic evidence.
Accepted referencesOfficial website, legal act or statute
Evidence
-
-
12. MILITARY CYBER DEFENCE 0/6 0%06 0%
-
12.1. Military cyber defence capacity 002
Requirements
CriteriaArmed forces have designated units responsible for the cybersecurity of military operations and/or for cyber operations.
Accepted referencesLegal act, statute, other official document or official website
Evidence
-
12.2. Military cyber doctrine 002
Requirements
CriteriaThe tasks, principles, and oversight of armed forces for military cyber operations are established by official doctrine or legislation.
Accepted referencesLegal act, official doctrine, or official website
Evidence
-
12.3. Military cyber defence exercises 002
Requirements
CriteriaArmed forces have conducted or participated in a cyber defence exercise or an exercise with a cyber defence component in the past three years.
Accepted referencesOfficial website or official document
Evidence
-
Information Disclaimer
The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.
What can I do to improve my country's data in NCSI?
Become a data contributor Update a specific indicator with evidence data
CONTRIBUTORS
Bureau of Analysis and Investigation
