The New Digital Sovereignty in the DRC: From Simple License to Contract of Trust
In the landscape of the Democratic Republic of Congo (DRC), the digital sector is no longer a legal vacuum. With the evolving regulatory framework, it is transforming into a space of sovereignty. The era of unregulated digital expansion is giving way to a structured legal order where authorization is not merely a license but a contract of trust between the operator and the State.
As the digital transformation accelerates, the DRC is imposing a decisive framework centered on security, control of critical infrastructure, and the oversight of dominant market actors. For fintechs, particularly mobile money operators like Wave, this new regime introduces stringent compliance obligations with a critical deadline: June 30, 2026.
This article dissects the legal underpinnings of this shift, the specific authorization regime for financial technology companies, and the procedural roadmap for obtaining the requisite licenses.
I. The New Legal Architecture: Sovereignty and Strategic Regulation
The DRC’s digital law is pivoting from a laissez-faire approach to a proactive model of sovereignty. The three pillars of this new regime are:
1. Targeted Regulation: The law focuses on strategic activities that form the backbone of the digital economy, including Data Centers, trust services (electronic signatures, timestamping), and dominant platforms (including large-scale fintech and social media).
2. Reinforced Sovereignty: By controlling critical infrastructure and data flows, the State aims to ensure that digital services operating within its territory adhere to national security and public order standards.
3. Compliance as a Legal Urgency: The transition period ends on June 30, 2026. After this date, operating without proper authorization will constitute a serious legal violation.
For fintechs like Wave—which operate as a dominant electronic payment platform and a trust intermediary between users—this framework is non-negotiable.
II. The Necessary Authorization for Fintech
In the DRC, a fintech company providing mobile money transfers, payment initiation, and electronic wallet services must obtain a hybrid authorization. While the Agence de Régulation des Télécommunications (ARPTC) historically oversaw telecommunications, the new digital regime likely coordinates with financial oversight bodies. However, based on the principle of “Authorization as a Contract of Trust,” a fintech must secure two primary licenses:
1. The “Digital Services Operator” Authorization
This is the core license derived from the new digital sovereignty regime. It covers:
· Operation of a Dominant Platform: Given Wave’s market penetration, it qualifies as a dominant platform requiring specific scrutiny.
· Trust Services: If the fintech uses or provides digital authentication for transactions, it falls under the “trust services” category.
· Infrastructure Management: If the company operates data centers or servers within the DRC (as data localization rules are anticipated), this license applies.
2. The Electronic Money Issuer (EMI) License
Under the Banque Centrale du Congo (BCC) regulations (Regulation No. 110 on Electronic Money), a fintech must obtain authorization as an Electronic Money Issuer. This is separate from the general digital license and governs financial operations, consumer protection, and anti-money laundering (AML) protocols.
III. Requirements for Obtaining the License
To obtain the “Contract of Trust” with the State, a fintech must meet cumulative legal, technical, and financial requirements.
A. Legal and Corporate Structure
· Local Incorporation: The company must be a commercial company (SPRL or SA) incorporated under DRC law.
· Capital Requirements: Minimum capital requirements set by the BCC for EMI licenses (typically exceeding USD 1 million, subject to confirmation depending on the scale of operations).
· Fit and Proper: Shareholders, directors, and key managers must demonstrate impeccable moral character, professional integrity, and relevant experience. Criminal background checks are mandatory.
B. Technical and Infrastructure Requirements
· Data Localization: Critical user data and transaction records must be hosted on servers located within the DRC or in a jurisdiction with reciprocal data protection standards.
· System Security: Implementation of robust cybersecurity measures, including ISO/IEC 27001 certification or equivalent, to prevent fraud and data breaches.
· Interoperability: The platform must ensure interoperability with other authorized financial services in the DRC to avoid market monopolization.
C. Financial and Compliance Requirements
· AML/CFT Program: A comprehensive anti-money laundering and counter-terrorism financing program, including a designated compliance officer and transaction monitoring systems.
· Safeguarding of Funds: User funds must be safeguarded in a segregated account in a licensed commercial bank in the DRC.
· Audit: Submission of audited financial statements and a technical audit report certifying the platform’s stability.
IV. Procedure to Obtain the License
The process is a dual-track procedure involving the Ministry of Digital Affairs (for the digital authorization) and the Central Bank of Congo (BCC) (for the financial license). To streamline, applicants typically file a master file.
Step 1: Pre-Filing Consultation
Engage with the regulatory directorates to confirm the scope of activities and obtain the checklist of required documents.
Step 2: Submission of Application File
The file must include:
· Articles of incorporation and proof of registration with the Guichet Unique de Création d’Entreprise.
· Detailed business plan and financial projections.
· Technical specifications of the platform (architecture, security protocols, data center details).
· AML/CFT policy manual.
· CVs and police records of administrators and managers.
Step 3: Dual Instruction
· The ARPTC or the competent digital authority reviews the technical and digital sovereignty aspects (6 to 8 weeks).
· The BCC reviews the financial stability and consumer protection aspects (3 to 6 months).
Step 4: Site Inspection and Technical Audit
Regulators conduct an on-site inspection of the headquarters and data centers to verify the accuracy of declarations.
Step 5: Issuance of the Authorization
If approved, the operator receives a formal authorization decree (for the digital part) and a license (for the financial part). The operator is then registered in a public registry of authorized digital service providers.
V. Duration and Costs
Duration
· Validity: Licenses are typically issued for an initial period of 5 to 10 years, renewable.
· Transition Deadline: Existing operators (like Wave, if already operating) must regularize their situation by June 30, 2026. After this date, any operation without authorization is illegal.
Costs
The costs are divided into:
1. Application Fees: Non-refundable fees for processing the file (approximately USD 5,000 – USD 10,000 depending on the authority).
2. License Fees: An annual fee based on turnover or a fixed sum (e.g., USD 50,000 – USD 200,000 per year for dominant platforms).
3. Safeguard Costs: The requirement to keep user funds in segregated accounts imposes indirect capital costs.
VI. Conclusion: Are We Ready?
The DRC is sending a clear message: digital activity is no longer a peripheral sector but a central pillar of national sovereignty. For fintechs like Wave, the transition from a “simple license” to a “contract of trust” signifies a new era of accountability.
The deadline of June 30, 2026 serves as a watershed moment. Operators who view this compliance burden solely as a legal hurdle will fall behind. Those who embrace it as a framework for stability, security, and cooperation with the State will solidify their position in the Congolese digital economy.
The question remains: Is the ecosystem ready to integrate this new logic of responsibility? For serious operators, the answer must be yes—and the time to act is now.