According to Art. 147 of Law No. 18.002, the importation of cryptology equipment without prior authorisation is subject to a penalty of between one and five million CFA francs (approx. USD 1,760 - 8,810), imprisonment of between one and three months, or both.

The Central African Republic has a national regulatory framework for standardisation and quality management since the enactment of Law No. 19.004. However, the countries is still in the process of establishing its National Standardisation Agency. Once established, the Agency will be the only institution authorised to adopt international standards and formulate national standards.
In the absence of national rules, imports must, in principle, be accompanied by a certificate of conformity (CdC) with international technical regulations.
It is reported that all products exported to the CAR are subject to the Pre-shipment Inspection Programme. Third-party results may be accepted under certain conditions. The following are accepted:
- laboratories accredited according to ISO/IEC 17025 or equivalent;
- Supplier's laboratories, provided that the installation is under the company's certified quality management system and whose key elements of the ISO/CEI 17025 standard are respected. The text of the law is not available online.
Regarding telecom equipment, Art. 92 of Law No. 18.002 stipulates that terminal equipment intended for connection to a publicly accessible network must undergo approval and certification by the Regulatory Authority. Moreover, approval and certification are mandated for all radio equipment and installations, irrespective of whether they are intended for connection to a public network. Art. 93 specifies that approval and certification confirm the equipment or installation's compliance with the technical standards and specifications established by the International Telecommunication Union (ITU). Additionally, Art. 97 provides that terminal equipment requiring approval must not be manufactured for the domestic market, imported for consumption, held for sale, distributed (whether free of charge or for remuneration), connected to a publicly accessible network, installed, or advertised unless it has been approved and remains in continuous compliance with the applicable requirements.

Art. 100 of Law No. 18.002 provides that, in order to preserve the interests of internal or external State security and national defence, the supply, operation or use of cryptology means or services must be subject to:
- Prior declaration regime when the only purpose of this means or service is to authenticate a communication or to ensure the integrity of the message.
- Authorisation regime, with a written opinion from the Minister in charge of national security and internal security in other cases.
The Electronic Communications and Postal Regulatory Authority (ARCEP) must lay down the conditions under which the declaration or authorisation must be made or granted. It may provide for a simplified declaration or authorisation regime for certain types of equipment or services or for certain categories of users (Art. 101).

According to the Instruction No. 8/GR/2019 issued by the Governor of the Bank of Central African States to facilitate the interpretation and implementation of the Economic and Monetary Community of Central Africa (CEMAC) Regulation 02/18/CEMAC/UMAC/CM, there is a limit of 1 million XAF (approx. USD 1,700) per month and per person for the remote settlement of transactions, including online payments. According to Arts. 7-8, justification needs to be provided above this limit. The Instruction provides guidance on the provision of Art. 34 of the Regulation, which implements certain limits for using electronic payment instruments outside the CEMAC and applies to the six CEMAC member states, including the CAR.

It is reported that the de minimis threshold, that is the minimum value of goods below which customs do not charge duties, is XAF 30,000 (approx. USD 50), below the 200 USD threshold recommended by the International Chamber of Commerce (ICC).

Arts. 35 and 42 of Law No. 18.002 and Decree No. 9.042 set an obligation for passive infrastructure sharing in the Central African Republic to deliver telecom services to end users.

It is reported that the government owns 60% of Société Centrafricaine de Télécommunications (SOCATEL) stock. SOCATEL is the leading telecommunications and Internet service provider in the Central African Republic.

According to Law No. 18.002, the regulatory authorities may impose accounting separation concerning certain activities in the field of interconnection and/or access for the dominant operator (Art. 50). It is also reported that the Central African Republic imposes functional and accounting separation for operators with significant market power (SMP) in the telecommunications sector.

The CAR has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

According to Art. 2 of Law No. 17-020, the Electronic Communications and Postal Regulatory Authority (ARCEP), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

CAR has not signed any agreement with binding commitments on data transfer across-border.

The Central African Republic does not have a comprehensive data protection law. However, there is a sectoral law that applies to the telecommunications sector. Law No. 18.002 of January 2018 governing electronic telecommunications mentions the protection of the privacy of users of electronic communication networks and services (Arts. 112-115) and the protection of personal data (Arts. 116-126).

It is reported that a basic legal framework for intermediary liability for copyright infringement is absent in The Central African Republic's law and jurisprudence.

It is reported that a basic legal framework for intermediary liability beyond copyright infringement is absent in The Central African Republic's law and jurisprudence.

According to Art. 61 of Law No. 18.002, telecom operators must identify all their subscribers. It is reported that there has been an identity requirement for SIM cards since 2014.