Cybersecurity regulation in Lesotho (2026)

Bills introduced in 2021, 2022, and 2023 each stalled or were sent back due to constitutional concerns, particularly around surveillance provisions and criminal defamation clauses. The 2022 bill passed the National Assembly but did not complete the Senate and royal-assent stages to become law.

The Computer Crime and Cyber Security Bill, 2024 — tabled in the National Assembly on 23 May 2024 — would criminalise unauthorised access, data interference, cyber terrorism, and cyberbullying, and would establish a National Cyber Security Advisory Council and a Computer Incident Response Team with formal legal mandates.

Because no cybersecurity statute has been enacted, there is currently no statutory incident-reporting or breach-notification obligation in Lesotho. The 2024 Bill would introduce such duties for operators of critical information infrastructure, but they remain prospective.

The Data Protection Act, 2013 is the principal in-force instrument that touches on data security, establishing obligations around personal data handling. It does not constitute a cybersecurity framework but provides some protection against unlawful data processing.

The LCA, established under the Lesotho Telecommunications Authority Act, 2000, exercises sector-level oversight of electronic communications and has undertaken cybersecurity awareness initiatives and a partnership with digital-risk firm CTM360, but has no published binding cybersecurity regulations beyond subscriber-registration rules.

The 2022–2023 Cybersecurity Capacity Maturity Model (CMM) review conducted by C3SA/GCSCC found Lesotho at an early/formative stage across all five cybersecurity dimensions, citing the absence of enacted legislation and limited technical and institutional capacity as the primary gaps.