The IDB recently released the results of a cybersecurity maturity assessment that was conducted in 2025. In our first Snapshot for 2026, we present the key findings for the Caribbean countries included in the exercise and, thereafter, compare these results with the 2020 findings.

 

In late 2025, the Inter-American Development Bank published the 2025 Cybersecurity Report: Vulnerability and Maturity Challenges to Bridging the Gaps in Latin America and the Caribbean, which was prepared in conjunction with the Organization of American States and the Global Cybersecurity Capacity Centre, University of Oxford. This long-awaited report provides an update on the cybersecurity capacity maturity of countries in the Latin America and the Caribbean region. In the 2025 report, 30 countries were assessed, including 15 from the Caribbean/Caribbean Community (CARICOM)region.

In this article, we present the findings of the 2025 report for the Caribbean/CARICOM countries that were assessed. We also briefly compare the cybersecurity maturity of those countries with the findings presented based on the 2020 exercise.

 

Methodology

According to the IDB report, the Cybersecurity Capacity Maturity Model “seeks to provide an assessment of the maturity level of a country’s cybersecurity capabilities, assigning a specific stage which corresponds to their degree of cybersecurity attainment.”  The methodology employed has substantially remained the same since the 2021 assessment exercise, although some of the metrics were adjusted to reflect the evolving cybersecurity landscape. Nevertheless, the 2020 findings are considered a baseline.

The 2025 capacity maturity assessment was conducted across the following five dimensions as outlined in Exhibit 1.

Exhibit 1: Dimensions under the Cybersecurity Capacity Maturity Model as at 2025 (Source: IDB)

The stage of maturity of each indicator or aspect under each dimension is determined and can range from “Start-up”, which is the lowest stage of maturity, to “Dynamic”, the highest stage of maturity. The five stages of maturity are outlined in Exhibit 2.

Exhibit 2: The five stages of cybersecurity capacity maturity (Source: IDB)

 

How did Caribbean countries perform?

As previously stated, individual country reports have been prepared that discuss the assessment results. However, as reflected in Exhibit 3, and in about half of the Caribbean/CARICOM countries examined, at least one dimension is still at the lowest stage (Start-up). Although generally, the countries performed well for D1 (Policy and Strategy), D3 (Education and Skills), and D4 (Legal and Regulatory), D2 (Culture and Society), and D5 (Standards and Tech) were at lower stages of maturity. Further, no country has achieved “Dynamic” maturity in any dimension.

Exhibit 3: Summary of cybersecurity maturity levels by dimension in select Caribbean countries as of 2025 (Source: IDB)

The Dominican Republic, Jamaica, and Trinidad and Tobago led the region and demonstrated greater cybersecurity capacity maturity. On the other hand, the cybersecurity capacity in Haiti was reported to be still underdeveloped or embryonic, which may be attributed to the longstanding political and socio-economic instability the country has been experiencing, which has hindered institutional growth.

 

How does the region’s performance compare with the 2020 findings?

Generally, the region’s cybersecurity maturity has improved since 2020, as more countries would have been considered to be at Level 1 or the Start-up stage of maturity, as shown in Exhibit 4. Once again, the Dominican Republic, Jamaica and Trinidad and Tobago were comparatively more mature, as they were well on their way to achieving Level 3 (Established) maturity.

Exhibit 4: Summary of cybersecurity maturity levels by dimension in select Caribbean countries as of 2020 (Source: IDB)

Dimension 4 (Legal and Regulatory Frameworks) was generally the highest-scoring category across the Caribbean. Most countries had already implemented basic legislation against cybercrime, even if they lacked technical capacity. However, Dimensions 3 (Education) and 5 (Standards and Technology) were the weakest, as many of the countries lacked formal cybersecurity degree programs and had not yet implemented international security standards (such as the International Standards Organisation 27001) within their public sectors.

In addition to the Dominican Republic, Jamaica and Trinidad and Tobago, the improvements in maturity of the following countries should also be noted:

  • The Bahamas, thanks to the establishment of the Bahamas Computer Incident Response Team, which has been instrumental in implementing the National Cybersecurity Strategy, and updated electronic communications laws.
  • Barbados, which was able to successfully implement cyber training and awareness programmes, as well as certification programmes, nationally, and was in the process of promulgating a Cybercrime Bill 2024.
  • Belize, which successfully implemented its National Cybersecurity Strategy (2020–2023), established inter-institutional cybersecurity task forces and has increased the emphasis on public education.
  • Guyana, which has developed a National Cybersecurity Policy Framework, has invested heavily in digital government infrastructure and resilience, and has established data privacy laws.
  • Suriname, which has improved cybersecurity and data protection among the pillars of its National Digital Strategy 2023- 2030, the availability of introductory training programmes that provide official certifications, and the ongoing work to prepare legislation to address cybercrime and data privacy.

On the other hand, several countries have been experiencing persistent challenges that have hindered the development of their cybersecurity maturity. A primary obstacle for these countries includes the following:

  • The absence of a dedicated, fully resourced national CSIRT (Cybersecurity Incident Response Team)
  • Limited enforcement of the existing frameworks
  • Limited specialised cybersecurity education and training

 

Summary

The report concludes that while the Latin American and Caribbean region is on a “positive trajectory,” cybersecurity must be treated as a collective responsibility. It thus calls for accelerated investment, improved cross-sector collaboration, and a focus on operational capabilities to stay ahead of increasingly complex digital threats.

Regarding the Caribbean/CARICOM region, much of the improvements in maturity since the 2020 assessment were in ‘framework elements’, specifically D1, D3 and D4, which generally comprise laws, strategies and policies. However, the current challenge, as reflected in the 2025 assessment, is successfully implementing those enabling structures, which to a considerable degree require access to the technical hardware, software standards and suitably qualified personnel with the attendant change in organisational culture consistent with a more cybersecurity mature posture.

 

 

Image credit:  Freepik