Cybersecurity ยท Rwanda
Cybersecurity law & regulation in Rwanda (2026)
Rwanda shaded by its cybersecurity status
Cybersecurity in Rwanda: comprehensive law, anchored by Law No. 26/2017 (NCSA Establishment), Law No. 60/2018 (Prevention and Punishment of Cyber Crimes), Law No. 058/2021 (Personal Data and Privacy Protection), RURA Cybersecurity Regulation No. 010, and National Cybersecurity Strategy 2024-2029, administered by the National Cyber Security Authority (NCSA).
Rwanda operates a multi-layer cybersecurity legal regime anchored by a dedicated authority (NCSA), a standalone cybercrime law, and a data-protection law that doubles as a breach-notification framework. Sector-specific obligations overlay the baseline for telecommunications, finance, public institutions, and essential-service providers. A National Cybersecurity Strategy 2024-2029 sets seven objectives including critical infrastructure protection, risk management, and international cooperation.
Key points
Law No. 26/2017 established the National Cyber Security Authority with administrative and financial autonomy to advise the President, protect critical information infrastructure (CII), and operate Rwanda's CSIRT (Rw-CSIRT). Critical information infrastructure operators are designated by Presidential Order.
Law No. 60/2018 criminalises unauthorised system access, data interception, and related offences. Electronic communications service providers must immediately report cyber incidents to NCSA; failure to report is itself a criminal offence carrying imprisonment and fines. A new cybercrime law was adopted by Rwanda's Chamber of Deputies in January 2025, updating these provisions.
Under Law No. 058/2021 on Personal Data Protection and Privacy, data controllers must notify the Data Protection and Privacy Office within 48 hours of becoming aware of a personal data breach; data processors must notify the controller within 48 hours. Where the breach poses high risk to data subjects, written or electronic notification to affected individuals is also required. Non-compliance attracts fines of RWF 2-5 million or 1% of global turnover.
The Rwanda Utilities Regulatory Authority issued Cybersecurity Regulation No. 010/R/CR-CSI imposing cybersecurity obligations on regulated ICT and telecommunications operators. RURA has historically enforced compliance, including a RWF 7.03 billion fine against MTN Rwanda in 2017 for hosting IT services outside the country.
NCSA released sector-specific minimum cybersecurity standards in 2023 for public institutions, the financial sector, and essential service providers, operationalising security-by-design and risk management requirements across critical sectors.
Launched in August 2024, Rwanda's five-year strategy sets seven pillars: governance, CII protection, risk management, capacity building, international cooperation, cybercrime combat, and cybersecurity culture. Rwanda has also acceded to the Budapest Convention on Cybercrime.
Rwanda - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ