Cybersecurity · Mozambique
Cybersecurity regulation in Mozambique (2026)
Mozambique shaded by its cybersecurity status
Mozambique's parliament cleared the Cyber Security Act and Cybercrimes Act at first reading on 16–17 April 2026, establishing a dedicated legal framework and a new National Cyber Security Authority, but the laws had not yet completed full parliamentary passage and presidential promulgation as of May 2026. Prior to this, cybersecurity obligations rested on a 2021 National Cybersecurity Strategy, limited provisions in the 2019 Penal Code and 2017 Electronic Transactions Law, and a 2023-established national CSIRT. A general breach-notification obligation does not yet exist outside the banking sector.
Key points
The Assembleia da República approved the Cyber Security Act and Cybercrimes Act 'na generalidade' (first/general reading) in April 2026. The Cyber Security Act covers protection of critical information infrastructure, national alert levels, incident coordination, and empowers a new National Cyber Security Authority to issue binding standards and sanctions. Further parliamentary stages and presidential assent are still required before it enters into force.
Mozambique's first National Cybersecurity Policy and Strategy were approved by the government and officially published in 2021 (covering the 2017–2021 cycle). The strategy set objectives to protect critical information infrastructure, establish a legal framework, promote information sharing, build technical capacity, and foster a national cybersecurity culture.
Before the 2026 bills, cybersecurity obligations derived from the revised Penal Code (Law 24/2019), Law 3/2017 on Electronic Transactions, and a Council of Ministers-approved draft from 2024. The Penal Code criminalises unauthorised system access and electronic-payment fraud (1–3 year sentences). No cross-sector cyber-incident reporting duty exists in current enacted law.
The only operative breach-notification obligation is sector-specific: Central Bank Notice 1/GBM/2014 (4 July 2014) requires banks to notify clients of security incidents involving personal data and to take all measures to prevent resulting harm. No equivalent general obligation applies to other sectors under current enacted law.
Mozambique launched its Computer Security Incident Response Team (CSIRT) in April 2023 under INTIC, with a nationwide mandate for cyber-incident detection and response. The CSIRT operates the national alert function pending formal statutory powers under the forthcoming Cyber Security Act.
A standalone Personal Data Protection Bill was published for public consultation on 5 September 2025. Mozambique subsequently consulted the Council of Europe (7 October 2025) to align the bill with international standards; it remains unenacted as of May 2026.
Mozambique - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →