Cybersecurity · Ethiopia
Ethiopia's cybersecurity regime rests on the 2016 Computer Crime Proclamation (criminalising illegal access, interception, and damage to critical systems) and the 2024 Personal Data Protection Proclamation (requiring 72-hour breach notification to the Ethiopian Communications Authority). INSA, the national cybersecurity authority, currently exercises sector-specific oversight over finance and electric power, and a new Draft Critical Infrastructure Proclamation — expanding protection to 11 sectors — is before parliament and widely expected to be enacted soon.
The Computer Crime Proclamation, the foundational cybersecurity and cybercrime law in force since July 2016, criminalises unauthorised access, interception, data interference, and system damage. It imposes enhanced penalties (up to 20 years' imprisonment and an ETB 500,000 fine) for offences targeting critical infrastructure, and requires service providers to retain computer data for at least one year.
The Personal Data Protection Proclamation (PDPP 1321/2024), Ethiopia's first comprehensive data-protection law (enacted April 2024, gazetted July 2024), mandates 72-hour breach notification to the Ethiopian Communications Authority (ECA), mirrors GDPR security principles, and imposes fines of ETB 60,000–100,000 or 1–3 years' imprisonment for failure to notify breaches or implement required safeguards.
The Information Network Security Administration (INSA) serves as Ethiopia's primary cybersecurity authority, operating a 24/7 National Cybersecurity Operations Center, setting Critical Mass Cybersecurity Standards (CMCSS), and currently focusing mandatory audit and oversight obligations on financial institutions and the electric power sector.
A Draft Critical Infrastructure Cybersecurity Proclamation, drafted by INSA, is before parliament as of 2024–2025 after more than two years of review at the Ministry of Justice. It would designate 11 critical sectors (finance, telecoms, transport, health, education, water, agriculture, trade, government services, electric power, communications) and subject them to mandatory INSA cybersecurity audits.
Under PDPP 1321/2024, data controllers and processors must notify the ECA within 72 hours of becoming aware of a personal data breach. Under the 2016 Proclamation, service providers must disclose retained traffic and content data on court or prosecutor order; emergency real-time surveillance without a warrant is permitted when an imminent attack is suspected.
Ethiopia was ranked the world's most cyberattack-targeted country in 2024, with INTERPOL's 2025 Africa Cyberthreat Assessment reporting it leads globally in malware detections; INSA handled 8,854 data breach cases in 2024. Despite the PDPP entering force in 2024, as of early 2025 the ECA has not published implementing guidelines or taken public enforcement actions.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.