Cybersecurity regulation in Botswana (2026)

Comprehensive law: Cybersecurity Act, 2025 (Act 21 of 2025), administered by the Botswana Communications Regulatory Authority (BOCRA) with BwCIRT as the national CSIRT

Country index 73 · B

Botswana enacted a standalone Cybersecurity Act (Act 21 of 2025) that establishes a comprehensive legal framework for cybersecurity governance, mandates identification and protection of Critical National Information Infrastructure (CNII), and imposes incident-reporting obligations on CNII operators and government institutions. It supersedes the earlier Cybercrime and Computer Related Crimes Act 2018, which has been repealed, and operates alongside the Data Protection Act 2024 (in force January 2025).

Key points

Cybersecurity Act 2025

Act 21 of 2025 is Botswana's primary, standalone cybersecurity statute. It regulates cybersecurity activities, provides for the designation of Critical Information Infrastructure, mandates incident reporting, and penalises offences such as cyber-extortion and creation of harmful fake profiles.

Prior Cybercrime Law (repealed)

The Cybercrime and Computer Related Crimes Act 2018 (No. 18 of 2018) previously criminalised unauthorised access, data interference, cyber fraud, harassment, and stalking. It has been repealed and is now superseded by the 2025 Act.

Regulatory Authority – BOCRA

BOCRA is the principal cybersecurity regulator, responsible for administering the Cybersecurity Act 2025, overseeing BwCIRT operations, and implementing the National Cybersecurity Strategy across public and private sectors.

BwCIRT – National CSIRT

The Botswana Computer Incident Response Team (BwCIRT), established in 2019 under BOCRA, is the national point of contact for cyber incident coordination covering government departments, ISPs, and the broader internet community; it handles incidents confidentially with a dedicated hotline.

Critical Infrastructure Protection

The Cybersecurity Act 2025 mandates identification and declaration of CNII across sectors including finance, energy, water, health, communications, emergency services, and e-government, with mandatory cybersecurity protocols and incident-reporting duties for designated operators.

Data Protection Act 2024

The Data Protection Act 2024, effective 14 January 2025, complements the cybersecurity regime by imposing obligations on personal data processors and controllers, reinforcing breach-notification duties alongside the Cybersecurity Act.

Timeline - major decisions & events

Jan 14, 2025 · law · official
Data Protection Act 2024 (Act 18 of 2024) Enters into Force

Botswana's revised data protection law took effect, replacing the 2018 Act with GDPR-aligned obligations including extraterritorial scope, mandatory breach notification, explicit consent requirements, and stronger Data Protection Commission enforcement powers; data controllers were given a 12-month grace period for full compliance.

Botswana Laws (Government of Botswana)

Jan 1, 2025 · law · official
Cybersecurity Act 2025 (Act 21 of 2025) Enacted

Botswana's first dedicated cybersecurity law establishes a National Cybersecurity Commission, mandates identification and protection of Critical National Information Infrastructure (CNII) across electricity, water, and healthcare sectors, and formalises the BwCIRT mandate. It introduces binding cybersecurity obligations on CNII operators and imposes penalties for cyber-extortion and creation of harmful fake social media profiles.

Botswana Laws (Government of Botswana)

Oct 15, 2021 · law · official
Data Protection Act 2018 Commences (S.I. No. 86 of 2021)

Three years after assent, the Data Protection Act 2018 formally came into force via the Data Protection Act (Commencement) Order 2021, obliging all data controllers and processors to implement security safeguards; a one-year grace period set full compliance as mandatory from 15 October 2022.

BOCRA (Botswana Communications Regulatory Authority)

Oct 1, 2020 · guidance · official
National Cybersecurity Strategy Approved

Botswana's first National Cybersecurity Strategy was approved and published, establishing objectives for a secure and resilient cyberspace, mandating a Critical National Information Infrastructure (CNII) risk assessment, directing creation of a national CIRT, and providing the policy foundation for the eventual Cybersecurity Act.

BOCRA (Botswana Communications Regulatory Authority)

Jan 1, 2019 · decision · official
Botswana Computer Incident Response Team (BwCIRT) Established

BOCRA established BwCIRT under the Ministry of Transport and Communications as Botswana's first official national CIRT, tasked with 24/7 monitoring of threats to critical information infrastructure, coordinating incident response, and acting as the national point-of-contact for international cybersecurity cooperation.

BOCRA (Botswana Communications Regulatory Authority)

Aug 10, 2018 · law · official
Data Protection Act 2018 (Act 32 of 2018) Assented

Botswana enacted its first standalone data protection law, requiring lawful processing of personal data, imposing security obligations on data controllers to prevent unauthorised access, and establishing the Data Protection Commission — filling a critical gap in the cybersecurity and privacy legal framework.

BOCRA (Botswana Communications Regulatory Authority)

Jun 29, 2018 · law · official
Cybercrime and Computer Related Crimes Act 2018 (Act 18 of 2018) Enacted

A comprehensive overhaul of the 2007 Act, enacted following a 2015 reform decision and Bill No. 33 of 2017, expanded criminal offences to cover unauthorised system access, data interception, identity theft, electronic fraud, and cyber-harassment, while strengthening Botswana's alignment with international cybercrime standards.

BOCRA (Botswana Communications Regulatory Authority)

Jan 1, 2016 · guidance · official
Electronic Records (Evidence) Regulations 2016 Issued

BOCRA issued implementing regulations under the 2014 Electronic Records Act designating itself as Certifying Authority, establishing the approved certification process for electronic record systems, and ensuring that certified electronic records produced from those systems are admissible as evidence in cybercrime prosecutions.

BOCRA (Botswana Communications Regulatory Authority)

Jan 1, 2007 · law · official
Cybercrime and Computer Related Crimes Act 2007 (Act 22 of 2007) Enacted

Botswana's foundational cybercrime law (Chapter 08:06) first criminalised unauthorised computer access, data interference, and computer-related fraud, establishing the baseline legal framework and jurisdictional rules that all subsequent cybersecurity legislation has built upon; it was repealed and replaced by the 2018 Act.

UNODC (UN Office on Drugs and Crime)

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.