It is reported that foreign investors must comply with local content rules, which vary by sector. A certain percentage of local content must be included in goods and technologies produced by companies with foreign investors. In addition, local content rules require that foreign workers not exceed 10% of the total workforce. It is also reported that local content rules are applied inconsistently, creating disincentives for foreign investment.

Arts. 27 and 28 of Law No. 1/2016 provide that organisations may not transfer any personal information to countries that fail to provide a legally equivalent level of protection unless the transfer has been previously authorised by the Governing Body for the Protection of Personal Data or under some exceptions, such as consent or contractual necessity. It is reported that the Governing Body for the Protection of Personal Data has not yet been established, and there is no list of legally equivalent countries.

It is reported that there is a requirement for prior authorisation or licences issued by the Ministry of Trade for all exports. Businesses in Equatorial Guinea have identified this requirement as the most cumbersome part of the trade process. All traders are also required to register with the Ministry of Trade. The country's export regulations and procedures also lack transparency, and official trade data and information are not readily available. These challenges are reported to be problematic for shipping companies, small traders and traders of non-traditional products.

Equatorial Guinea has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. 1/2016 on the Protection of Personal Data provides a comprehensive regime of data protection in Equatorial Guinea. The Data Protection Authority (the Governing Body for the Protection of Personal Data) established by Law No. 1/2016, however, is not yet operational and, as such, many provisions within the Data Protection Law are of limited effect.
Apart from Law No. 1/2016, the Electronic Communications Law (Law No. 2/2016 of 22 July 2016) regulates the domestic handling of data in the framework of electronic communications and networks, as well as several other laws and sectoral directives containing relevant provisions.

According to Art. 1 of the Law on Data Retention in Electronic Communications and Public Communication Networks, providers and operators of electronic communications services and public communication networks must retain the data generated, produced or processed in their activities of electronic communications services or public communication networks. According to Art. 5, these providers must retain the following data: (i) data necessary to trace and identify the origin of communication for fixed network telephony and mobile telephony, Internet access, e-mail and Internet telephony; (ii) data necessary to identify the destination of communication for fixed network telephony and mobile telephony, e-mail and Internet telephony; (iii) data necessary to determine the date, time and duration of a communication; (iv) data necessary to identify the type of communication; (v) data necessary to identify the communication equipment of the users; and (vi) data necessary to identify the location of the communication equipment. According to Art. 9, the obligation of electronic storage of data ceases after one year, computed from the date on which the communication took place, except in cases of particular interest for the criminal investigation, in which case the duration may be extended up to a maximum period of two years through the corresponding court order.

Art. 19 of Law No. 1/2017 provides that information society service providers, registries and domain name registration agents and the owners of domain names are obliged to provide the public authorities with the data requested or required in the exercise of their powers of inspection, control and sanction, as well as when necessary for the investigation of cybersecurity incidents. The need for a court order is not specified in the law. Information society services are defined as any business, activity or product thereof provided electronically for consideration at the request of the recipient or on an unremunerated basis, provided that it constitutes an economic activity for the service provider.

Art. 42 of Law No. 1/2017 states that service providers and recipients shall have an obligation to provide the government with all the information and collaboration necessary for the exercise of their legal powers, allowing their agents and inspecting or controlling personnel access to their facilities, the consultation of any documentation and the manipulation of their electronic equipment, systems and applications. The need for a court order is not specified in the law. Service providers are defined as the natural or legal persons who provide communication or information services via the Internet or the information society.

Art. 41 of the Ministerial Order No. 3/2020 states that the judicial authority and other bodies authorised by Equatoguinean legislation can authorise interception by telecom licence holders, subject to public service obligations. Obligated subjects must configure their equipment in such a way as to facilitate access by authorised agents to all communications transmitted, generated for transmission or received by the subject of a lawful interception, as well as to the traffic data associated with these communications. Also, Art. 42.6 provides that where obliged entities apply compression, encryption, digitisation or any other type of encoding to communications subject to lawful interception, they shall hand over those communications without the effects of such processes, provided that they are reversible. In addition, Art. 42.7 stipulates that interception must take place in real-time. Art. 42.3 also stipulates that the obligated parties must communicate to the authorised agent, among other data, the identity or identities of the subject of the interception measure and the other parties involved in the electronic communication.
According to 6 and Art. 34 of the Ministerial Order, the companies subject to public service obligations include fixed telephony, broadband, 2G, 3G, 4G and 5G mobile telephony and data services. In addition, carrier services for the provision of voice, data and broadband, as well as broadcasting services and their respective networks, are also considered essential.

Chapter I of Title IV of Law No. 1/2017 establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 35, all providers of Internet communication services and network operators are subject to the regime of responsibility established by this law. The following articles explain the responsibilities of the different service providers:
- Art. 36: Responsibility of network access providers and telecommunications network operators.
- Art. 37: Responsibility of the service provider for temporary copies of data requested by users.
- Art. 38: Responsibility of the provider of data hosting or storage services.
- Art. 39: Responsibility of providers of linking services or search tools.

Chapter I of Title IV of Law No. 1/2017 establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 35, all providers of Internet communication services and network operators are subject to the regime of responsibility established by this law. The following articles explain the responsibilities of the different service providers:
- Art. 36: Responsibility of network access providers and telecommunications network operators.
- Art. 37: Responsibility of the service provider for temporary copies of data requested by users.
- Art. 38: Responsibility of the provider of data hosting or storage services.
- Art. 39: Responsibility of providers of linking services or search tools.

It is reported that Equatorial Guinea's approach to SIM registration requires mobile network operators to collect and store a user's personal information and proof of identity. The relevant legislation could not be found.

Online versions of some Spanish newspapers are reported to be regularly blocked. In 2022, it was reported that the independent media outlet AhoraEG was only accessible via a virtual private network.

It has been reported that the government blocked internet access during periods of political tension in both 2022 and 2023. In addition, the indicator "6.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 3 in Equatorial Guinea for the year 2023. This corresponds to "Rarely but there have been a few occasions throughout the year when the government shut down domestic access to Internet."

As per Art. 11 of Decree-Law No. 3/1980, which approves the Advertising Statute, advertising agencies are defined as companies that are duly authorised to professionally engage on behalf of third parties in creating, planning, executing, or distributing advertising campaigns through any means of dissemination. Art. 16 specifies that individuals or entities intending to participate in advertising activities must meet the requirements set by the Secretariat of State for Information and Tourism. They are also required to adhere to regulatory standards and register in the General Advertising Registry under the Technical Secretariat of the Department of Information and Tourism.
Art. 17 outlines the conditions necessary to obtain the licence, including (i) possession of the necessary capacity to engage in the trade; (ii) adoption of any of the constitutive forms of society for juridical persons; (iii) demonstration of necessary morality and proof of economic solvency.