Cybersecurity regulation in eSwatini (2026)

In force from 4 March 2022, the Act criminalises unauthorised access, data interference, cyberbullying, child exploitation, and cyberterrorism; grants law enforcement search, seizure, preservation, and interception powers; and establishes the NCSIRT and National Cybersecurity Advisory Council (up to 15 members drawn from ICT, law, finance, defence, and civil society).

Data controllers must notify ESCCOM (acting as data-protection authority) and affected individuals of a personal-data breach within 72 hours. Non-compliance carries fines up to E5 million (approx. USD 268,000) or 2% of annual turnover, and imprisonment in severe cases.

The National Cybersecurity Incident Response Team, housed within ESCCOM, is the operational body for cyber-incident coordination; it is a listed active member of FIRST (Forum of Incident Response and Security Teams) and maintains a public portal at ncsirt.org.sz.

The five-year strategy sets six strategic pillars; the first is enhancing the security and resilience of national critical information infrastructure. It mandates creation of sectoral CIRTs in finance, utilities, energy, communications, and transport sectors.

The Eswatini Communications Commission is the designated national cybersecurity authority, overseeing enforcement of the Computer Crime Act, Data Protection Act, and Electronic Communications and Transactions Act, with powers to impose administrative fines and sanctions on non-compliant organisations.

Enacted alongside the cybercrime and data-protection laws, this Act governs lawful electronic transactions and communications; together the three 2022 Acts form eSwatini's integrated digital-regulation package.