The Cybercrimes and Cybersecurity Bill is in the process of being enacted. Some people will call it the Cyber Bill, Cybercrimes Bill, Cybercrime Act or Cybercrime Law. Others might refer to it as CaCA, the CaC Bill or just CaC. What will you call it? There is still time to influence the law. Why is it necessary? Who is affected? What action do you need to take? Should you be commenting on it? What does it deal with? We answer these questions in this article.

Why do we need the Cyber Bill?

Many people will be asking – Do we need the Cybercrimes Bill? But cybercrime is on the increase and the Cybercrimes and Cybersecurity Bill aims to keep people safe from criminals, terrorists and other states. It also consolidates South Africa’s cybercrime laws into one place. Essentially, it aims to stop cybercrime and improve the security of the country.

Who is affected by the Cybercrimes and Cybersecurity Bill?

  • People involved with IT (or POPI) regulatory compliance.
  • All Electronic Communications Service Providers (ECSPs).
  • Representatives from various government Departments.
  • Cyber criminals and terrorists.
  • Providers of software or hardware tools that could be used to commit offences.
  • Financial services providers because there are some prohibited financial transactions.
  • Owners of copyrights and pirates.
  • Information Security experts.
  • Anyone who owns an Information Infrastructure that Government could declare as critical.
  • Everyone who uses a computer or the Internet.
  • The South African Police Service.

Possible Actions for you to take

  1. Attend a public Cyber Crime and Security Law Workshop.
  2. Arrange for your own private in-house Cyber Crime and Security Law Workshop.
  3. Brief your board on cyber security risks and the legal implications for your organisation.
  4. Read the 2017 version of the Bill (or the 2015 version) and its related CyberCrimes Discussion Document 2017 (or the 2015 version).
  5. Send this article to someone else you think might be interested.
  6. Influence the content of the law.
  7. Subscribe to the Michalsons newsletter to receive future updates.

The timeline on the Cybercrimes Bill

The Cybercrimes Bill was first published on 28 August 2015, updated on 19 January 2017 and will probably be introduced in Parliament in late January 2017. The deadline to comment on the first version was in December 2015, but there is still an opportunity to influence the content of the law, especially when it is introduced into Parliament.

What does the Cyber Bill deal with?

The Cybercrimes Bill creates many new offences (about 50). Some are related to data, messages, computers, and networks. For example:

  • using personal information or financial information to commit an offence,
  • hacking,
  • unlawful interception of data,
  • computer related forgery and uttering,
  • extortion or terrorist activity.

The penalties range from one year to ten years imprisonment or R1million to R10million. So, R1million for each year in jail. Lots of penalties are either R5million or five year, or R10million or ten years. Could you commit one of these offences?

The Cybercrimes Bill gives the South African courts jurisdiction to try these offences is some cases where there is uncertainty.

The Cybercrimes and Cybersecurity Bill gives the South African Police Service and the State Security Agency (and their members and investigators) extensive powers to investigate, search, access and seize just about anything (like a computer, database or network) wherever it might be located, provided they have a search warrant. Foreign states and South Africa will co-operate to investigate cybercrimes.

To deal with cybercrime, the Minister of Police must establish and operate a:

  •  24/7 Point of Contact center for cyber crimes and appoint a Director of it, and
  • National Cybercrime Centre and appoint a Director of it.

To improve Cyber Security, the Cybercrimes and Cybersecurity Bill creates a Cyber Response Committee made up of about 13 people. The chairperson will be the Director-General: State Security. The Minister of State Security must establish and operate:

  • a Cyber Security Centre and appoint someone from the State Security Agency as its Director, and
  • one or more Government Security Incident Response Teams and appoint someone from the State Security Agency as the head of each one.

The Minister of Defence must establish and operate a Cyber Command and appoint someone as the General Officer Commanding.

The Minister of Telecommunications and Postal Services must:

  • establish and operate a Cyber Security Hub and appoint a Director of it, and
  • make different sectors which provide an electronic communications service establish and operate (at their cost) Private Sector Security Incident Response Teams.

The CaC Bill aims to identify, declare and protect National Critical Information Infrastructures, like the Department of Home Affairs database. The Cybercrimes Bill creates a National Critical Information Infrastructure Fund to be used to manage disasters. There are various obligations on the owner of (or person in control of) a National Critical Information Infrastructure.

The Cybercrimes and Cybersecurity Bill helps people to admit evidence of cybercrimes.

An ECSP must:

  • inform its client of cybercrime trends,
  • enable clients to report cybercrimes to it,
  • tell clients how to protect themselves.

An ECSP must:

  • immediately report offences to the National Cybercrime Centre,
  • preserve any information that relates to it.

If an ECSP doesn’t it is liable on conviction to a fine of R10 000 for each day on which such failure to comply continues.

The President may enter into agreements with other states considering this is a global issue.

Various laws are repealed or amended, most notably Chapter 9 and sections 85, 86, 87, 88 and 90 of the ECT Act.


If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.