Cybersecurity regulation in Rwanda (2026)

Law No. 26/2017 established the National Cyber Security Authority with administrative and financial autonomy to advise the President, protect critical information infrastructure (CII), and operate Rwanda's CSIRT (Rw-CSIRT). Critical information infrastructure operators are designated by Presidential Order.

Law No. 60/2018 criminalises unauthorised system access, data interception, and related offences. Electronic communications service providers must immediately report cyber incidents to NCSA; failure to report is itself a criminal offence carrying imprisonment and fines. A new cybercrime law was adopted by Rwanda's Chamber of Deputies in January 2025, updating these provisions.

Under Law No. 058/2021 on Personal Data Protection and Privacy, data controllers must notify the Data Protection and Privacy Office within 48 hours of becoming aware of a personal data breach; data processors must notify the controller within 48 hours. Where the breach poses high risk to data subjects, written or electronic notification to affected individuals is also required. Non-compliance attracts fines of RWF 2–5 million or 1% of global turnover.

The Rwanda Utilities Regulatory Authority issued Cybersecurity Regulation No. 010/R/CR-CSI imposing cybersecurity obligations on regulated ICT and telecommunications operators. RURA has historically enforced compliance, including a RWF 7.03 billion fine against MTN Rwanda in 2017 for hosting IT services outside the country.

NCSA released sector-specific minimum cybersecurity standards in 2023 for public institutions, the financial sector, and essential service providers, operationalising security-by-design and risk management requirements across critical sectors.

Launched in August 2024, Rwanda's five-year strategy sets seven pillars: governance, CII protection, risk management, capacity building, international cooperation, cybercrime combat, and cybersecurity culture. Rwanda has also acceded to the Budapest Convention on Cybercrime.