Digital operators in the Democratic Republic of Congo have 100 days — until June 30, 2026 — to obtain prior authorisation from the government or face fines, suspension, and loss of operating rights. The countdown began on March 11, when Digital Economy Minister Augustin Kibassa Maliba signed a ministerial order activating the licensing machinery of the DRC’s Digital Code (Ordonnance-Loi No. 23/010, enacted March 2023). From July 1, operating without a valid authorisation is a sanctionable offence.

The order creates a structured application pathway — designating the Postal and Telecommunications Regulatory Authority of Congo (ARPTC) as the technical gatekeeper, with the minister as the final approving authority — for a category of operators the Congolese state has designated as strategic. For the DRC’s 100-million-person digital economy, the regulatory architecture has arrived.

Who Must Apply — and for What

The prior-authorisation requirement covers five categories of operator:

• Data centre builders and operators — any entity constructing or running a data centre facility in the DRC must seek prior authorisation.
• Qualified trust service providers — companies offering electronic signatures, seals, timestamping, certification, archiving, website authentication, electronic registered mail, and cryptology services.
• Application hosting providers — including cloud infrastructure and managed hosting services.
• Large digital platforms — the order specifies cloud services, online marketplaces, app stores, social networks, content-sharing platforms, online banking platforms, fintech companies, matchmaking platforms, and search engines.
• Essential digital services — a residual category that regulators can interpret broadly.

In practice, that scope covers most significant operators in the Congolese digital economy: Vodacom DRC, Airtel DRC, and Orange DRC all operate mobile money platforms that fall within “online banking platforms” and “fintech companies.” International platforms with Congolese user bases — social networks, app stores, search engines — are explicitly captured.

The Compliance Process: What Operators Must Do

The ARPTC assesses each applicant’s “legal, technical, organisational, and financial capacity” and issues a recommendation to the minister, who has final authority to grant or refuse. Applicants must file legal documentation, tax compliance records, technical specifications, and a business plan — a full operational review, not a simple registration. Authorisations are valid for five years, renewable, and subject to ongoing ARPTC oversight. Operating without authorisation from July 1 exposes companies to fines, shortened licence periods, suspension, or revocation.

For operators with legal functions in Kinshasa, the 100-day window is tight but workable. For multinationals without established DRC counsel, the documentation burden is significant. The ARPTC has not, as of publication, indicated whether it will hold industry consultations or publish guidance during the transition period — an omission that would meaningfully help smaller operators navigate the process.

Regional Context: A Different Model

The DRC is not the first African country to impose licensing requirements on digital services — but it is doing so in Central Africa, a region largely absent from the continent’s regulatory modernisation story.

Africa’s most active regulatory jurisdictions — Kenya, Nigeria, Rwanda, South Africa — built data protection frameworks in the 2019–2023 period (Kenya DPA 2019, Nigeria NDPA 2023, Rwanda PDPL 2021, South Africa POPIA 2021). These laws govern how data is handled. The DRC’s framework is architecturally different: it governs whether a company is allowed to operate at all. South Africa’s ICASA licences telecoms infrastructure and its FSCA oversees fintech — but neither imposes a data centre or platform prior-authorisation requirement comparable to the DRC’s. The DRC model is closer to Ghana’s Electronic Transactions Act or Egypt’s Cybercrime Law: frameworks that assert direct state authority over digital market access.

For Central Africa, DRC may set a template. The Republic of Congo, CAR, Cameroon, and Gabon all lack comparable regimes. Whether DRC’s implementation proves workable will shape whether neighbours follow.

The Multinational Problem

None of the major hyperscalers operate data centres inside the DRC. AWS, Google Cloud, and Microsoft Azure are anchored in South Africa — with Google and Microsoft also in Kenya, and Microsoft in Nigeria. But all three run cloud services actively consumed by DRC enterprise and government clients. Meta’s platforms — Facebook, Instagram, WhatsApp — are among the most-used services in the country. Under the Digital Code’s explicit scope, their DRC-facing operations fall within the “large digital platforms” category. None have commented publicly on the March 11 order.

International platforms operating from outside DRC may be legally required to seek authorisation — a jurisdictional question the Congolese courts have not yet tested. For established in-country operators (Raxio DRC1, OADC-TEXAF, the mobile money platforms), the picture is clearer: a five-year renewable licence from a government actively seeking data centre investment represents regulatory certainty as much as compliance cost. The ARPTC, whose mandate has historically centred on telecoms, must now assess cloud providers, fintechs, trust services, and data centres simultaneously — an institutional stretch that will determine whether the regime lands credibly.

What Happens on July 1

July 1 does not trigger automatic shutdowns. It makes operating without authorisation a sanctionable offence under the same enforcement powers the ARPTC applies to telecoms licensing violations. In practice, early enforcement will be selective: the ARPTC has more leverage over operators with physical infrastructure in-country than over foreign platforms with no presence. The first actions are likely directed at those who have not engaged at all, not at those whose applications are in progress.

The real credibility test comes in 2027–2028, when first-round authorisations come up for renewal. Kenya’s ODPC and Nigeria’s NDPC both took two to three years post-legislation to develop meaningful enforcement track records. The ARPTC starts from a narrower mandate and will need to scale faster.

Digital operators active in the DRC have 100 days from the date of this article to submit applications — or to take a considered legal position on why they fall outside the order’s scope. Neither option should wait until June.