Cybersecurity regulation in Ethiopia (2026)

Ethiopia's Information Network Security Administration reported neutralising 27,505 cyberattack attempts in the first six months of FY 2025/26 (July–December 2025), blocking 99.03% of all attacks. The surge reflects AI-driven, multi-vector adversarial techniques and underscores INSA's growing operational tempo.

Ethiopia was ranked the most targeted country for cyberattacks globally, driven by rapid digital-government expansion and e-service rollout. The designation accelerated INSA investment in defensive infrastructure and prompted parliamentary discussion on tightening critical-infrastructure obligations.

INSA began rolling out domestically developed secure applications — Ergamail (email), Serkuni (collaboration), and Debo (data sharing) — across government entities to replace foreign tools such as Gmail and Microsoft Teams, advancing digital sovereignty and reducing foreign supply-chain risk.

INSA's FY 2023/24 report recorded 8,854 cyberattack attempts thwarted (up from 6,959 the prior year) and announced conclusions to multiple public-sector data-breach investigations. INSA also identified 657 risk-level gaps across 123 critical-infrastructure providers, attributing them to financial constraints and insufficient in-house expertise.

Ethiopia's first comprehensive data-protection statute entered into force, establishing consent-based processing rules, data-subject rights (access, rectification, erasure, restriction), a 72-hour breach-notification obligation, and extraterritorial reach over processors of Ethiopian residents' data. The Ethiopian Communications Authority was designated supervisory authority, with direct cybersecurity implications for any organisation handling personal data.

Ethiopia adopted a revised National Cybersecurity Policy structured around eight pillars — legal frameworks, awareness, capacity building, research, digital-identity protection, critical-infrastructure protection, national coordination, and international cooperation — aligning with the Digital Ethiopia 2030 Strategy and INSA's expanded mandate.

INSA's annual report for FY 2022/23 documented more than 6,700 cyberattack attempts blocked against government and financial-sector systems. The report marked the first public disclosure of the scale of attack volume and reinforced calls for mandatory security standards across critical-infrastructure operators.

Ethiopia launched a mandatory biometric digital-identity system ('Fayda'), assigning a unique 12-digit number to all residents using fingerprint, iris, and facial data held in a central database, targeting 90 million enrolments. The system directly expands cybersecurity obligations for public bodies managing biometric infrastructure and intersects with the subsequent Personal Data Protection Proclamation.

Ethiopia's first e-commerce and e-transaction statute granted legal equivalence to electronic signatures and records and established security requirements for electronic contracts and digital financial services, creating a foundational legal environment for secure online transactions and obliging digital-service providers to apply minimum technical safeguards.

Ethiopia's first targeted network-security statute criminalised unauthorised access to, interception of, and interference with telecommunication systems, and outlawed SIM-card cloning and subscriber-data manipulation. Although limited in scope, it established the legislative principle of digital-network protection and foreshadowed the broader 2016 Computer Crime Proclamation.

Ethiopia created INSA as the national signals intelligence and cybersecurity agency, mandated to protect national information infrastructure and serve as the government's technical authority on information security. INSA became — and remains — the institutional cornerstone for all cybersecurity regulation, enforcement, incident response, and technical standard-setting in Ethiopia.