You can download here unofficial translated copies of the Law N°4-2005 and its related decrees:
Law n° 2004-5, February 3, 2004, relative to computer security.
Chapter I: On the National Agency for Computer Security
Chapter II: On the Compulsory Risk Assessment
Chapter III: On the Auditors
Chapter IV: On Miscellaneous Provisions
Decree n° 1248 - 2004, May 25, 2004, setting the administrative, financial and operating procedures of the ANSI.
Decree n° 1249 - 2004, May 25, 2004, on requirements and procedures for the certification of expert auditors in the field of computer security.
Decree n° 1250 - 2004, May 25, 2004, on the institutional computer systems and networks subjected to the compulsory periodic Risk Assessment of computer security, and on the criteria relating to the nature and periodicity of the Risk Assessment and to procedures for monitoring the implementation of the recommendations made in the Risk Assessment report.
Chapter I: On the National Agency for Computer Security
Article 1- The purpose of the present law is to organize the field of computer security and to lay down general rules for protecting computer systems and networks.
Article 2- A public enterprise of a non-administrative nature, possessing judicial personality and financial autonomy, called "National Agency for Computer Security", is hereby established. In its relations with third parties, it shall be subjected to commercial legislation and its headquarters shall be established in Tunis.
The agency shall be placed under the supervision of the Ministry in charge of Communication Technologies.
The Agency's administrative and financial organization and functioning methods shall be set out by decree.
Article 3-The National Agency for Computer Security shall carry out a general inspection of the computer systems and networks coming under various public and private institutions, and shall be assigned, in particular, the following missions:
Seeing to the implementation of the national policy guidelines and general strategy in the field of computer systems and networks security;
Monitoring the implementation of computer security plans and programs in the public sector with the exception of applications that are proper to national defense and national security; and ensuring coordination among stakeholders in this field;
Ensuring technological watch in the area of computer security;
Setting norms and best practices in the field of computer security and putting together and publishing technical guides on the subject;
Fostering the development of national solutions in the field of computer security and promoting such solutions in accordance with the priorities and programs to be set by the Agency;
Participating in action to consolidate training and re-training in the field of computer security;
Seeing to the implementation of regulations on the obligation to conduct a periodic Risk Assessment on the security of computer systems and networks;
The supervision authority may entrust the Agency with any other activity that relates to its field of intervention.
Article 4-In the event of dissolution of the Agency, its property shall return to the State which shall discharge its obligations and commitments in accordance with the legislation in force.
Chapter II: On the Compulsory Risk Assessment
Article 5- The computer systems and networks coming under various public institutions are subject to a compulsory and periodic Risk Assessment of their computer security, with the exception of computer systems and networks that belong to the Ministries of National Defense and the Interior and Local Development.
The other institutions whose computer systems and networks are also subject to the compulsory periodic Risk Assessment of computer security shall be determined by decree.
The criteria on the nature and periodicity of the Risk Assessment, and the procedures for monitoring the implementation of the recommendations contained in the Risk Assessment report, shall be established by decree.
Article 6-If the institutions indicated in Article 5 of the present law fail to conduct the compulsory periodic Risk Assessment, the National Agency for Computer Security shall give a warning to the institution concerned which must carry out the Risk Assessment within a period not to exceed one month from the date of the warning.
If the deadline expires without result, the Agency shall be required to designate, at the expense of the delinquent institution, an expert to carry out the aforementioned Risk Assessment.
Article 7-Subject to the exceptions made in articles 3 and 5 of the present law, public and private institutions must allow the National Agency for Computer Security and the experts in charge of the Risk Assessment operation, to consult all the documents and files relating to computer security in order to perform their missions.
Chapter III: On the Auditors
Article 8- The Risk Assessment operation shall be carried out by experts, whether natural or legal persons, previously certified by the National Agency for Computer Security.
The conditions and procedures governing the certification of such experts shall be laid down by decree.
Article 9-The employees of the National Agency for Computer Security and security auditors are required to preserve the confidentiality of any information they come to know in the exercise of their functions.
Anyone who discloses, participates in, or incites the disclosure of such information shall be liable to the sanctions stipulated in Article 254 of the Penal Code.
Chapter IV: On Miscellaneous Provisions
Article 10-Anyone who operates a computer system or a network, whether a public or a private institution, must immediately inform the National Agency for Computer Security of any attacks, intrusions and other disruptions liable to hinder the functioning of another computer system or network, so that the Agency can take the necessary measures to tackle them.
The operator shall comply with the measures decided upon by the National Agency for Computer Security in order to put an end to such disruptions.
Article 11-In the cases mentioned in the foregoing article, and in order to protect computer systems and networks, the National Agency for Computer Security may propose the isolation of the concerned computer system or network pending cessation of the disruptions. The isolation shall be pronounced by the Minister in charge of Communication Technologies.
Regarding the exceptions made in Article 3 of the present law, appropriate procedures will be decided upon in coordination with the Ministers of National Defense and the Interior and Local Development.
The present law will be published in the Official Gazette of the Republic of Tunisia and enforced as a law of the State.