You may be wondering whether you have anything that can be declared a National Critical Information Infrastructure (NCII). It’s an interesting question. You might well have an NCII. What does that mean for you? What are the practical consequences?

What falls within the definition of a National Critical Information Infrastructure?

The Cybercrimes and Cybersecurity Bill (CaC Bill) defines a National Critical Information Infrastructure very broadly. It is any data, database, network or communications infrastructure (or part thereof), or anything associated with them, that has been declared an NCII in terms of the CaC Bill.

National Critical Information Infrastructures also include any of the things listed above that are in the possession or under the control of the State (national, provincial or local), and of anyone exercising a public power or performing a public function.

Examples of possible NCIIs are the infrastructure (or part) of:

  • a bank
  • Home Affairs
  • JSE
  • a medical scheme

Basically, anything that the Minister thinks could, if lost, cause harm to people, the economy or the country.

What does it mean if I have an NCII?

Before you have been declared to have an NCII, you may make written representations to the Minister. If you have a National Critical Information Infrastructure, the Minister can make regulations on how to access NCIIs, how to store and archive information on NCIIs, and even the minimum security measures necessary. You have to comply with these regulations.

What if I don’t?

There are some consequences for the owner of an NCII if they fail to take the steps specified by the Minister:

  • the Minister can order them to take the specified steps
  • they can be guilty of an offence
  • the Minister can recover costs from them if he carries out the steps on their behalf

To find out more, attend one of our Cyber Crime and Security Law Workshops.