Cybersecurity regulation in Namibia (2026)
Namibia lacks a standalone, comprehensive cybersecurity law. The Electronic Transactions Act 4 of 2019 is in force but governs electronic commerce and evidence, not cybersecurity obligations broadly. A dedicated Cybercrime Bill (dated January 2026) is in the legislative pipeline — circulated for stakeholder validation in early 2026 — but had not been enacted as of May 2026. Operationally, NAM-CSIRT (hosted by CRAN) published non-binding National Cybersecurity Incident Management Guidelines in April 2026.
Key points
A Cybercrime Bill dated 30 January 2026 — covering unauthorised access, cyber fraud, identity theft, critical-infrastructure protection and establishment of a Cybercrime Directorate — was forwarded to Parliament but had not been passed or assented to as of May 2026. It aligns with the SADC Model Law on Cybercrime and the Budapest Convention.
The Electronic Transactions Act 4 of 2019 is the only in-force ICT statute. It provides legal recognition of electronic transactions, admissibility of electronic evidence, consumer protection in e-commerce, and service-provider liability. It does not create general cybersecurity or breach-notification obligations.
The Namibia Cyber Security Incident Response Team (NAM-CSIRT), established under CRAN, serves as the national CSIRT for critical information infrastructure. It issues advisories, publishes quarterly threat reports, and coordinates incident response — but its mandate rests on regulatory authority rather than primary legislation.
Published by NAM-CSIRT in April 2026, the National Cybersecurity Incident Management Guidelines set out incident detection, reporting, analysis and response processes for CI/CII operators and public/private entities. They align with ISO/IEC 27001 and the NIST Cybersecurity Framework but are operational guidance, not legally binding obligations.
Namibia currently has no enacted law imposing mandatory breach-notification or incident-reporting duties on organisations. The 2026 Incident Management Guidelines encourage reporting to NAM-CSIRT, and a companion Data Protection Bill (draft) remains unenacted. High-profile breaches — Telecom Namibia, Namibia Airports Company, Paratus — have prompted ad hoc CRAN/NAM-CSIRT public advisories rather than statutory enforcement.
The Cybercrime Bill is listed as a flagship deliverable under Namibia's Harambee Prosperity Plan II national development framework, signalling sustained executive commitment to enactment — though the bill has been in development since at least 2013.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.