A basic legal framework on intermediary liability beyond copyright infringement is absent in Burundi's law and jurisprudence.

According to Arts. 29-31 of the Law No. 100/97 of 18 April 2014, on the conditions of operating in the electronic communication sector (amending the Ministerial Law No. 520/730/540/231 of 9 April 1995), operators of electronic communications networks open to the public and electronic communication services providers are required at the time of any subscription, to identify subscribers and maintain subscriber lists and produce directories. They are also required to submit the information on the identity of subscribers to the Agence de Régulation et de Contrôle des Télécommunications (ARCT, Regulatory Agency for Telecommunications).

It is reported that Order No. 1 of 8 April 2014, issued by the "Agence de Régulation et de Contrôle des Télécommunications" (ARCT), required all end users of telecommunication services to provide personal data before acquiring a SIM card. It required the provision of personal information such as names, addresses, places, and dates of birth, a copy of national identity cards, and passport photographs, as part of the mandatory SIM card registration. Similarly, it is reported that Art. 3 of Burundi’s Ministerial Law No. 540/356 of March 17, 2016, obliges mobile operators to take all the necessary measures to verify if the SIM card users are the real subscribers and to block the SIM card if they detect an anomaly.

It is reported that Art. 5 of Order No. 540/356 on fighting fraud in the ICT domain gives the Agence de Régulation et de Contrôle des Télécommunications (ARCT, Regulatory Agency for Telecommunications) the right to direct any operator to provide the detailed identity of any subscriber. Further, Art. 6 empowers the ARCT to provide a voice server where the operator must divert all phone communications of a user where crime is suspected. The operators must provide a secured web application to the regulator. Art. 9 allows ARCT to request the full identity of an internet subscriber and their IP address, and install IP probes on the technical installations of an ISP. Moreover, Art. 10 obliges operators to comply with any request by the ARCT and its technical partner in order to fight fraud in electronic communications. Failure to cooperate attracts a daily fine of five million Burundian Francs (USD 2,000). The legal text is not available online.

Arts. 29 and 30 of Law No. 100/97 on the conditions for operating electronic communication services provide that, for public security reasons and judiciary inquiries, telecom operators must provide the full identity and geo-location of their subscribers in real time whenever asked by the Agence de Régulation et de Contrôle des Télécommunications (ARCT, Regulatory Agency for Telecommunications). Failure to identify subscribers attracts a fine of Burundian Francs 5,000,000 (USD 2,000).

A basic legal framework on intermediary liability for copyright infringement is absent in Burundi's law and jurisprudence. The legal and regulatory framework around intermediary liability is not clear, which is reported to lead to insufficient legal certainty to conduct a wide range of activities, free from the threat of potential liability and the chilling effect of potential litigation. The Burundi Electronic Transaction Law, which has some provisions on intermediary liability, has not yet been promulgated. In addition, there are specific provisions that provide liability for intermediaries. Art. 30 of Law 100/97 of April 2014 on electronic telecommunications, provides that operators of electronic communications are fully responsible for fighting fraud on their domains.

In May 2018, the government adopted the New Code of Penal Procedures of Burundi that allows for the interception of electronic communications of citizens and computer seizures if someone is suspected of committing a crime.
Specifically, Art. 61 of the law provides for infiltration as one of the investigative methods, which allows the use of electronic spying on a suspect. The law allows security forces to carry out multiple searches targeting entire districts and to seize computer systems to investigate data. Additionally, the public prosecutor has the right to request the installation of any interception tool by any entity either the service provider or any skilled agent as provided in Arts. 69, 70 and 71. When presenting the law before the Burundian Parliament, the Minister of Justice, Aime-Laurentine Kanyana, is reported to have stated that the intent of that law was to adapt to new forms of criminality that had emerged in recent times, including cases where criminals were using electronic means.

Burundi has not joined any free trade agreement committing to open transfers of cross-border data flows.

Nationally Burundi has no comprehensive data protection law. However, Decree-No. 100/182 of 30 September 1997 laying down organic provisions on telecommunications contains data protection provisions and imposes confidentiality obligations on personal information (Art. 23-26).

It is reported that Burundi does not mandate functional or accounting separation for operators with significant market power (SMP) in the telecom market.

There is a requirement to acquire a license from the Agence de Régulation et de Contrôle des Télécommunications (ARCT, Regulatory Agency for Telecommunications) for operation in ICT sectors and to gain access to the frequency spectrum. Decree No. 100/97 of 18th April 2014 raised the cost of acquiring a telecommunication licence, by more than 500% from USD 200,000 to USD 10,000,000, as per Art. 33. It is reported that the increase has made it extremely hard for operators to reduce the cost of their services, and this impacts on affordability, and thus limits access to the internet in Burundi.
The ARCT regulates and licenses foreign companies providing communication services, including Voice over Internet Protocol (VoIP), issues license to Internet service providers (ISPs) and regulates satellite usage, GPS, and VSAT. According to Art. 8 of Decree – Law No. 1/011, the ARCT grants authorizations to operate links, independent private networks, and value-added services provided by public and private operators. However, authorizations to operate commercial services are granted by the Government after technical advice from the ARCT.

Burundi has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Burundi has a telecommunications authority: Agence de Régulation et de Contrôle des Télécommunications (ARCT). However, it is reported that this entity is not fully independent.

It is reported that there is an obligation for passive infrastructure sharing in Burundi to deliver telecom services to end users. It is practiced in the mobile sector and in the fixed sector based on commercial agreements.

ONATEL is a State-Owned Enterprises (SOEs) in Burundi with 100 percent government ownership. However, it is reported that SOEs have no market-based advantages and compete with other investors under the same terms and conditions.