The African continent has been slow to introduce cybersecurity legislation. The latest Global Cybersecurity Index released in June 2021 showed that only 29 countries, out of the 54 assessed, had introduced cybersecurity legislation. It also found that only 10 African countries possess national cybersecurity strategies to ensure the protection of their Critical Information Structure (CII) sectors. The report provides definitive evidence that Africa’s level of commitment to cybersecurity is lacking compared to the rest of the globe.
There are, of course, exceptions. Tanzania and Mauritius score very highly on the Global Cybersecurity Index rankings, with scores of 90.58 and 96.89, respectively, compared to the regional average of 36.09. Yet, these cases are highly unusual and for the majority of African economies, cybersecurity has for some time been considered ‘a luxury, not a necessity’.
The escalation of cybersecurity laws
This is beginning to change - African governments have begun to acknowledge rising cybercrime figures and subsequently started to move on the issue of cybersecurity legislation. To give a few examples; Ghana passed the Cybersecurity Act 1038 in 2020, designed to protect the country’s CII’s; Zambia passed the Cybersecurity and Cyber Crimes Act No.2 in 2021, creating a National Cyber Security Council; and Zimbabwe passed the Data Protection Act No.5 in 2021, which created a Cyber Security Centre to oversee the implementation of cybersecurity laws. Further cybersecurity legislation has also been passed by Botswana in 2018, South Africa in 2020, Mauritius in 2021, with Mozambique currently in the process of developing a national cybersecurity strategy, as well.
Much of the cybersecurity legislation that has been passed is incredibly complex. Broadly speaking, cybersecurity legislation can be split into two sections; laws that target cybercriminals, and laws that regulate and enforce the cybersecurity practices of businesses. The latter is what is most concerning to businesses operating on the continent as many of these acts include heavy fines and prison sentences if a business does not follow the laws set out.
Take for example Ghana’s Cybersecurity Act 1038 passed in 2020. The Act is designed to identify and protect Ghana’s CII’s from cybersecurity threats. It includes the clause that if a CII does not report a cybersecurity incident to the government within 24 hours of its occurrence, then the CII is liable to a fine between 3,000 and 120,000 GHS.
Another example is the Mauritius Cybersecurity and Cybercrime Act, passed in 2021. The Act establishes that all CII businesses must be subject to an independent IT security audit every year. Failure to comply with the National Cybersecurity Committee on yearly audits will make the CII liable to a fine of up to 100,000 rupees and the imprisonment of the relevant individual of up to 5 years.
The examples of Ghana and Mauritius are not isolated – all recent cybersecurity legislation across Africa include rules that businesses are required to follow. The importance of highlighting the minutia of these Acts is to show that cybersecurity legislation in Africa is creating a very difficult path for businesses to navigate. If businesses do not maintain an awareness of cybersecurity laws and of what applies to them, they are increasingly likely to receive hefty penalties.
What can be expected in the future?
It is expected that there will be an increase in the actual enforcement of cybersecurity legislation. Secondly, more cybersecurity legislation will be passed, a proportion of which is expected to be related to cross-border regional agreements. Both points relate to current issues that are limiting the success of cybersecurity legislation in Africa.
Though increasing numbers of cybersecurity laws are being passed, many African governments lack the proper infrastructure needed to enforce them. Gradually, governments are introducing enforcement frameworks to ensure that cybersecurity legislation is functional, rather than tokenistic. Establishing initiatives, such as CERTs (Computer Emergency Response Teams), cybersecurity agencies and police groups, is a key part of this. Some of the cybersecurity legislation that has been passed in recent years has been as much about updating old legislation in order to build enforcement frameworks, as much as it has been about introducing new laws to fight cybercrime. Currently, only 19 CERTs exist across Africa , but this should be fully expected to grow as African governments begin to put law into practice. It should be noted that the leaders of cybersecurity in Africa, Tanzania and Mauritius, both use CERTs and enforcement initiatives to combat cybercrime. So too do they use cross-border collaboration initiatives.
One of the challenges to combatting cybercrime is that the digital world is borderless. It is easy for cybercriminals to move from one jurisdiction where the laws are beginning to tighten, to another jurisdiction where there are no laws, or where they are poorly enforced. As cybercrime has surged under the Covid-19 pandemic, this issue has come to the fore. Both the Global Cybersecurity Index Report published in 2021 and INTERPOL’s 2021 African Cyberthreat Assessment Report recommend that regional initiatives, agreements and legislation must be made in order to effectively reduce cybercrime. Cross-border agreements do exist, but they are minimal. For example, the African Union released the Convention on Cybersecurity and Personal Data in 2014, but as of 2021 it has only been signed by 8 out of 55 members. South Africa and Nigeria are key countries that have not signed this convention. However, this lack of cross-border cooperation should be expected to change in the future. In fact, it is already doing so. Regionally, ECOWAS is leading the African continent in this regard. In early 2021, ECOWAS members agreed upon a regional strategy for fighting cybercrime . This has been followed by an ECOWAS symposium in September 2021 of the Organised Crime: West African Response on Cybersecurity group (OCWAR-C), funded by the EU. At this event, the OCWAR-C project coordinator, Ms Rabiyatou Bah, emphasised the importance of member states sharing information and coordinating their actions in order to reduce cybercrime .
As more cross-border initiatives launch, African businesses must remain alert to what regional responsibilities will be introduced, as well as those introduced by governments of their own country.
Get the full overview
