Looking for the Cybersecurity Bill or Cybersecurity Act in South Africa? Will there be one? What is the status of it? Here’s what we know so far. Some call it the Cyber Security Bill or Act, but it should be the Cybersecurity Bill.

The Department of Justice and Constitutional Development first published a Bill on 28 August 2015, updated it on 19 January 2017, and introduced it in Parliament on 22 February 2017. During the public participation period in 2017, extensive comments were made on the bill, particularly on its demanding aspects. Those comments were considered and incorporated into a new Bill published in October 2018. On 26 May 2021, the President signed the Cybercrimes Act into law.

What happened to cybersecurity?

The key change was that the cybersecurity aspects of the Bill were removed. This begs questions.

  • What happened to the cybersecurity aspects?
  • Will those important issues be dealt with in another Act?
  • Will there be a new Cybersecurity Bill or Cybersecurity Act in South Africa?
  • What is the Cybersecurity Bill?

Why do we need the Cybersecurity Bill?

Well, it is important to secure information in cyberspace. According to Interpol’s 2023 African cyber threat assessment report, South Africa has the highest cybersecurity incidents in Africa. This law would play a role in regulating how that is done in South Africa.

Who is affected by the Cybersecurity Bill?

The private sector

Everyone, probably, because everyone has to secure the data they have in cyberspace. The impact will probably be significant, especially for organisations that have extensive electronic data. Our increased reliance on cloud services means a stronger need to secure information in cyberspace, both in the public and private sectors.

It will have a big impact on providers of cybersecurity products and services. And also cybersecurity professionals.

The Cybersecurity Bill will also have a big impact on financial and other institutions that have infrastructure that the minister might declare as national critical information infrastructure, as well as electronic communication service providers (or ECSPs).

The public sector

There is an impact on all organs of state and state-owned companies (SOCs), espcailly the police and defence force.

In the public sector context, the Department of Public Service and Administration has gazetted various directives to guide government departments on information security without a national Cybersecurity Act. The key directives are the directive on public service information security and the directive on cloud computing in the public service. The directive on cloud computing guides departments on considering cybersecurity when adopting and using cloud services and mentions that there will be a national Cybersecurity Act.

The timeline for the Cybersecurity Act

We don’t know. It has been about six years since the cybersecurity aspects were removed from the old Bill. In December 2023, the State Security Agency started engaging various stakeholders in the public and private sectors on the status of the Cybersecurity Bill. They are planning on having workshops in the first half of 2024. This is promising.

The legislative process is slow and will take at least two years (probably much longer) to enact a new Act. Still, you should monitor the process and contribute to the development of this law.

How we can help you

We will monitor developments regarding the Cybersecurity Bill and notify you if there are any developments.

Overview of the Cybersecurity Bill

More and more cybersecurity is a vital and significant part of national security.

Cybersecurity regulation typically provides measures for the government to recover from cybersecurity threats and incidents. Every country cares about national security because it enables its people to live in peace and harmony and to be free from fear. National security includes cybersecurity. More and more, cybersecurity is a vital and significant part of national security. Cybersecurity measures are designed to defend and protect national security and must be pursued with due recognition of the rights to:

Cybersecurity measures must comply with the law, including international law.

Cybersecurity legislation often deals with topics such as data sovereignty and data localisation.

We will give you a full overview and our insights on this page if a South African government department or agency (possibly the Department of Justice and Constitutional Development or the State Security Agency) publishes a draft of it.

What is the cybersecurity regulation in South Africa?

Does South Africa have cybersecurity legislation? Currently, it doesn’t have a specific bill or act dealing with cybersecurity, but there is a process underway that has been unfolding for many years and will probably result in a Cybersecurity Bill.