The President has signed the Cybercrimes Act into law. Get an overview of the Act and know the practical implications. We have studied the Cybercrimes Act over the years so that you don’t have to. We provide you with an overview below. Why is it necessary? Who is affected? What action do you need to take? What does it deal with? We answer these questions in this article.

Why do we need the Cybercrimes Act?

Many people will be asking – Do we need the Cybercrimes Act? Cybercrime is on the increase and the Cybercrimes Act aims to keep people safe from criminals, terrorists, and other states. It also consolidates cybercrime laws into one place. Essentially, it aims to stop cybercrime and improve the security of the country.

Who is affected by it?

The practical impact of the Cybercrimes Act on all organisations and all individuals is significant and unfortunately mostly negative. We thought it had been fixed but it hasn’t. Law enforcement wants to curtail our freedom by making everyday things a crime. It impacts all of us who process data or use a computer. Individuals, parents, journalists, organisations, banks and many others will probably commit many offences daily. People involved with IT (or data protection) regulatory compliance.

The timeline

The Cybercrimes Act was first published as the Cybercrimes and Cybersecurity Bill on 28 August 2015, updated on 19 January 2017 and introduced in Parliament on 22 February 2017. The Bill sat with Parliament for a while as there was a strong push by the old regime in government to enact the Bill in its then-current form. There were extensive comments on the Bill during the public participation period in 2017, particularly on its onerous aspects. Those comments were considered and incorporated into the new Cybercrimes Bill that was published in October 2018. The Cybersecurity Bill was removed and became a separate process. The Bill was revived by the National Council of Provinces (NCOP), which opened another period of public participation for various stakeholders from October 2019. Yet again, the NCOP received extensive comments and proposed changes. In June 2020, the NCOP adopted the Cybercrimes Bill with its proposed changes. The Bill was sent back to the National Assembly for concurrence in July 2020. The Bill was passed by both houses of Parliament in December 2020 and was sent to the President for assent.

On 26 May 2021, the President signed the Bill into law. The President of South Africa has proclaimed the commencement date of certain sections of the Cybercrimes Act to be 1 December 2021. The President may fix different dates for different provisions of the Act.

The President has proclaimed 1 December 2021 as the commencement date for many sections

Overview of the latest version of the Cybercrimes Act

The Cybercrimes Act creates many new offences. Some are related to data, messages, computers, and networks. For example:

The penalties consist of a fine, imprisonment, or both. How much could you be fined? The Act does not specify this, but if you are convicted of a cybercrime, you could spend between one and fifteen years in prison, depending on the cybercrime. The Cybercrimes Act gives the courts jurisdiction to try these offences in some cases where there is uncertainty.

The National Director of Public Prosecutions (NDPP) must keep statistics on the number and results of prosecutions for cybercrimes. These statistics must be included in the NDPP’s report on the NPA.

The Cybercrimes Act gives the Police Service (and their members and investigators) extensive powers to investigate, search, access and seize just about anything (like a computer, database or network) wherever it might be located, provided they have a search warrant. Foreign states will co-operate to investigate cybercrimes.

To deal with cybercrime, the Minister of Police must establish and maintain:

The Cybercrimes Act helps people to admit evidence of cybercrimes.

ECSPs and financial institutions must:

  • report offences to the police no later than 72 hours,
  • preserve any information that relates to it.

If an ECSP or a financial institution doesn’t, it is liable on conviction to a fine of R50 000.

This does not mean that ECSPs and financial institutions have to monitor the data they transmit or store on their systems. They also don’t have to actively look for situations that indicate unlawful activity.

The Cybercrimes Act enables the Minister of Justice to make regulations on information sharing. This includes sharing information on cybersecurity incidents, detecting, preventing and investigating cybercrimes.

The National Executive may enter into agreements with other states considering this is a global issue.

Various laws are repealed or amended, most notably Chapter 9 and sections 85, 86, 87, 88 and 90 of the ECT Act.