When Digital Economy Minister Augustin Kibassa Maliba signed a ministerial order on March 11, 2026, he did not introduce a new law. The Democratic Republic of Congo’s Digital Code — Ordonnance-Loi No. 23/010 — had already been enacted in March 2023. What the March 11 order did was start the clock.

The order set out the procedures by which affected operators must apply for, and receive, prior authorisation to continue operating in the DRC. A transitional window runs through June 30, 2026. From July 1, enforcement begins in earnest — and operating without a valid authorisation exposes companies to fines, suspension, and withdrawal of approval, plus additional penalties under existing Congolese law.

For most of the past three years, the Digital Code sat on the statute books with limited operational effect: the authorisation process had not been formally defined. That gap has now closed. The order creates a structured application pathway, designates the Postal and Telecommunications Regulatory Authority of Congo (ARPTC) as the technical gatekeeper, and positions the minister as the final approving authority. For operators in DRC’s nascent but growing digital economy — a market of 100 million people with a government that has just committed €8.7 billion to digital transformation — the regulatory architecture has arrived.

Who Must Apply — and for What

The authorisation requirement is not universal. The Digital Code creates three tiers of regulatory obligation — authorisation (highest oversight, prior approval required), declaration (notification regime for lower-risk services), and homologation (accreditation for government digital services). The March 11 order concerns only the first tier: the activities the Congolese state has designated as strategic or sensitive.

That category is broader than it might initially appear. It covers:

• Data centre builders and operators — any entity constructing or running a data centre facility in the DRC must seek prior authorisation.
• Qualified trust service providers — companies offering electronic signatures, seals, timestamping, certification, archiving, website authentication, electronic registered mail, and cryptology services.
• Application hosting providers — including cloud infrastructure and managed hosting services.
• Large digital platforms — the order specifies cloud services, online marketplaces, app stores, social networks, content-sharing platforms, online banking platforms, fintech companies, matchmaking platforms, and search engines.
• Essential digital services — a residual category that regulators can interpret broadly.

The practical scope extends to most of the significant names operating in Congo’s digital economy. Vodacom DRC and Airtel DRC operate mobile money platforms — M-Pesa and Airtel Money respectively — that would appear to fall within “online banking platforms” and “fintech companies.” Orange DRC’s mobile money service, Orange Money, falls under the same logic. International platforms with Congolese user bases — social networks, app stores, search engines — are explicitly captured, though the enforcement mechanics against foreign entities headquartered outside DRC will depend on whether the ARPTC develops extraterritorial reach.

The Compliance Process: What Operators Must Do

The order assigns the ARPTC a dual role: it verifies the completeness of application files and assesses each applicant’s “legal, technical, organisational, and financial capacity.” Based on that assessment, the ARPTC issues a recommendation to the minister, who retains sole authority to grant or refuse authorisation.

Applicants must submit a package covering legal documentation (incorporation, ownership, governance), tax compliance records, technical specifications of the service or infrastructure in question, administrative records, a description of activities, and a business plan. The requirement for a business plan alongside technical records signals that the government is conducting something closer to a full operational review than a simple registration exercise.

Authorisations, once granted, are valid for five years and are renewable. Holders remain subject to all other applicable Congolese regulations, and the ARPTC can revisit compliance at any point during the authorisation period. Sanctions for non-compliance include fines, reduction of the authorisation validity period, suspension, and withdrawal. Operators who begin or continue activities without any authorisation face additional penalties under existing Congolese legislation — the specific quantum of those penalties is set in the parent Digital Code, whose full text remains available only in French.

For operators with legal and compliance functions in Kinshasa, the 112-day window is workable but tight. For multinationals without established DRC legal counsel, or for smaller regional operators, the documentation burden is significant. The ARPTC has not, as of publication, indicated whether it will publish guidance materials or hold industry consultations during the transitional period.

The Data Centre Sector: Early Movers With Compliance Exposure

The DRC’s data centre market is small by African standards but growing rapidly — driven by the same data sovereignty concerns that now underpin the Digital Code’s authorisation requirements.

The most prominent operator is Raxio Group, which inaugurated its $30 million facility in Kinshasa’s Limete district in 2024. Raxio DRC1 is the country’s largest data centre — a Tier III-accredited, carrier-neutral facility spanning 1,542 square metres with capacity for 400 racks and 1.5MW of IT power. A second significant facility is the OADC-TEXAF joint venture: a 2MW-capable, 1,500 square metre open-access data centre that became the DRC’s first live Tier III-certified, carrier-neutral facility.

Both operators are exactly the kind of infrastructure-layer actors the Digital Code’s authorisation requirement was designed for. As Tier III, carrier-neutral facilities serving multiple enterprise and government clients, they hold significant strategic value — which is precisely why they appear on the government’s prior-approval list. Neither operator has commented publicly on the March 11 order, but both would be expected to begin authorisation applications well before the June 30 deadline.

Beyond the two established facilities, the DRC government has separately been in active talks with foreign firms to develop additional data centre infrastructure as part of its National Digital Plan 2026–2030. The government’s stated goal is to migrate state data from foreign servers to local hosting — digital sovereignty as infrastructure policy. The authorisation regime and the infrastructure investment drive are two sides of the same policy coin: build it locally, then control who runs it.

Regional Context: Where DRC Stands in Africa’s Regulatory Architecture

The DRC is not the first African country to impose licensing or authorisation requirements on digital service categories — but it is doing so in Central Africa, a region that has been largely absent from the continent’s regulatory modernisation story.

Kenya, Nigeria, and Rwanda — Africa’s three most active digital regulation jurisdictions — all enacted comprehensive data protection laws in the 2019–2023 period. Kenya’s Data Protection Act came into force in 2019, establishing the Office of the Data Protection Commissioner. Nigeria’s Nigeria Data Protection Act (NDPA) followed in 2023, creating the Nigeria Data Protection Commission, which has been one of the continent’s most active enforcement bodies since its formation. Rwanda enacted its personal data protection law in 2021, designating the National Cyber Security Authority (NCSA) as the supervisory regulator.

All three are primarily data protection frameworks — concerned with personal data processing, consent, rights, and cross-border transfers. The DRC’s Digital Code is different in architecture: it is a broader digital economy law, rooted in market licensing rather than personal data rights. Its closest regional analogues are Ghana’s Electronic Transactions Act, Tanzania’s Electronic and Postal Communications Act, and aspects of Egypt’s 2018 Cybercrime Law — frameworks that assert state authority over digital infrastructure and services rather than focusing on individual rights.

This distinction matters for how operators and investors read the regulatory environment. A data protection law creates compliance obligations around how data is handled. A digital licensing law creates compliance obligations around whether a company is allowed to operate at all. The DRC’s framework does both — the Digital Code contains data protection provisions alongside its licensing architecture — but the authorisation regime being activated now is about market access, not data handling. Operating in DRC without a licence after July 1 is not a privacy violation: it is, in the government’s framing, an unlicensed commercial activity.

For Central Africa, the DRC’s framework may set a template. The Republic of Congo (Brazzaville), Central African Republic, Cameroon, and Gabon all lack comparable digital service licensing regimes. If DRC’s implementation is reasonably smooth — which will depend significantly on the ARPTC’s operational capacity — neighbouring governments may take note. If it proves cumbersome or opaque, it risks reinforcing perceptions of regulatory uncertainty that have historically constrained investment across the sub-region.

Investment Implications: Barrier or Foundation?

The question of whether the Digital Code’s authorisation requirement helps or hurts foreign investment in DRC’s digital sector does not have a single answer. The honest framing is that it does both, for different actors.

For established operators already in the market — Raxio, OADC-TEXAF, the mobile operators — the authorisation process is a compliance burden but not an existential threat. Obtaining a five-year, renewable licence from a government that actively wants more data centre investment creates a degree of regulatory certainty. A licensed operator knows that it has cleared the government’s review of its legal, technical, and financial standing. That can actually lower perceived risk for subsequent investment decisions, debt financing, and enterprise customer commitments.

The picture is more complicated for new market entrants and for global digital platforms. A company evaluating its first DRC data centre investment must now factor in a government approval process with undefined timelines — the March 11 order does not specify how long the ARPTC has to process applications or how quickly the minister must decide. For a business case with a planned go-live date, that uncertainty is a real cost. International platforms — social networks, cloud providers, app stores — face a different problem: they may be legally required to seek authorisation for DRC operations conducted from outside the country, which raises questions about jurisdictional reach that the Congolese legal system has not yet tested.

The DRC government has structured the Digital Code’s market access requirements alongside a $1.5 billion committed investment envelope under the National Digital Plan 2026–2030, with an additional €7.2 billion still to be raised. The government needs private sector capital to hit its infrastructure targets — 30,000 towers, national broadband access, a national payments platform. That fundamental dependency creates an incentive for the government to implement the authorisation regime in a manner that is workable and reasonably predictable, rather than as a barrier that deters the foreign investment it needs.

Whether that incentive translates into a well-functioning administrative process is the open question. The ARPTC has historically been focused on telecoms licensing rather than broader digital services regulation. Scaling its capacity and competence to assess data centre operators, cloud providers, fintech platforms, and trust service providers simultaneously — within a 112-day window — is an institutional challenge that will test the authority in ways it has not been tested before.

What Happens on July 1

The DRC Digital Code does not create a situation where unregistered operators are automatically shut down on July 1. What it creates is a situation where operating without authorisation becomes a sanctionable offence — subject to the same enforcement powers the ARPTC applies to telecoms licensing violations.

In practice, enforcement in the immediate post-July period will likely be selective and graduated: the ARPTC will have more leverage over established, visible operators with physical infrastructure in the country than over international platforms with no in-country presence. The first enforcement actions, when they come, are likely to be directed at operators who have failed to engage with the process at all, rather than those whose applications are in progress.

The real test of the regime’s credibility will come in 2027 and 2028, when first-round authorisations come up for review and the ARPTC has to demonstrate that it can assess, renew, and where necessary revoke licences on the basis of transparent criteria. Africa’s data protection enforcers — Kenya’s ODPC, Nigeria’s NDPC — took two to three years after their founding legislation to develop meaningful enforcement track records. The ARPTC is starting from a narrower mandate and will need to expand quickly.

For now, the clock is running. Digital operators active in the DRC have 102 days from the date of this article to submit their authorisation applications — or to take a considered legal position on why they believe they fall outside the scope of the order. Neither option should be deferred until June.

Key Facts

• Legal basis: DRC Digital Code — Ordonnance-Loi No. 23/010, enacted March 13, 2023
• Activation order: Signed by Minister Kibassa Maliba on March 11, 2026
• Compliance deadline: June 30, 2026
• Enforcement start: July 1, 2026
• Authorisation validity: 5 years, renewable
• Reviewing authority: ARPTC (Postal and Telecommunications Regulatory Authority of Congo)
• Final approval: Minister of Digital Economy
• Sanctions: Fines, shortened authorisation periods, suspension, withdrawal
• Affected sectors: Data centres, trust services, app hosting, cloud, social networks, marketplaces, fintech, app stores, search engines
• Named DRC data centre operators: Raxio DRC1 ($30M, 1.5MW, 400 racks); OADC-TEXAF (2MW, 550 racks) — both Tier III certified
• DRC population: ~100 million (Africa’s fourth largest)
• DRC National Digital Plan 2026–2030: €8.7B total; $1.5B secured
• Days remaining to compliance deadline (from March 20, 2026): 102