Cybersecurity regulation in Malawi (2026)

Act No. 33 of 2016, commenced June 2017, is the omnibus cybersecurity law. It criminalises unauthorised access/interception, cyber harassment, offensive communication, and child pornography online, and provides rules for electronic evidence and digital signatures.

The Malawi Computer Emergency Response Team (mwCERT) was established by the ETCSA 2016 and operates under MACRA. It coordinates national responses to cybersecurity incidents and protects critical information infrastructure.

The Data Protection Act 2024 (commenced May 2024) requires data controllers to notify MACRA within 72 hours of discovering a personal-data breach; affected data subjects must also be notified within 72 hours where the breach poses a high risk. Processors must notify the controller within 72 hours. MACRA is the designated Data Protection Authority.

Malawi adopted a National Cybersecurity Strategy (final draft published via ITU/PPPC) setting a vision for critical-infrastructure protection, legal and regulatory strengthening, and international cooperation. A national cyber-risk assessment identifying critical-information-infrastructure sectors was conducted in 2019–2020 with UK FCDO support.

MACRA serves as both the telecommunications/ICT regulator (licensing, monitoring compliance) and the designated Data Protection Authority under the 2024 Act, consolidating cybersecurity oversight in a single body alongside mwCERT.

Malawi's ITU Global Cybersecurity Index score improved from 36% (2020) to 80% (2024), reflecting measurable advances in legal, technical, and organisational cybersecurity capacity, though implementation gaps and enforcement capacity remain areas for development.