Cybersecurity - Botswana

Act 21 of 2025 is Botswana's primary, standalone cybersecurity statute. It regulates cybersecurity activities, provides for the designation of Critical Information Infrastructure, mandates mandatory incident reporting, and penalises offences such as cyber-extortion and creation of harmful fake profiles.

The Cybercrime and Computer Related Crimes Act 2018 (No. 18 of 2018) previously criminalised unauthorised access, data interference, cyber fraud, harassment, and stalking. It has been repealed and is now superseded by the 2025 Act.

BOCRA is the principal cybersecurity regulator, responsible for administering the Cybersecurity Act 2025, overseeing BwCIRT operations, and implementing the National Cybersecurity Strategy across public and private sectors.

The Botswana Computer Incident Response Team (BwCIRT), established in 2019 under BOCRA, is the national point of contact for cyber incident coordination covering government departments, ISPs, and the broader internet community; it handles incidents confidentially with a dedicated hotline.

The Cybersecurity Act 2025 mandates identification and declaration of CNII across sectors including finance, energy, water, health, communications, emergency services, and e-government, with mandatory cybersecurity protocols and incident-reporting duties for designated operators.

The Data Protection Act 2024, effective 14 January 2025, complements the cybersecurity regime by imposing obligations on personal data processors and controllers, reinforcing breach-notification duties alongside the Cybersecurity Act.