Cybersecurity · South Africa
South Africa has no single NIS2-style comprehensive cybersecurity statute; instead obligations are spread across sector- and theme-specific instruments. The Cybercrimes Act criminalises cyber offences and was partly brought into force from 1 December 2021, while POPIA imposes economy-wide breach-notification duties enforced by the Information Regulator. Sector-specific cyber-resilience rules (notably the 2024 financial-sector Joint Standard) and the Critical Infrastructure Protection Act add layered obligations, coordinated at policy level by the 2015 National Cybersecurity Policy Framework.
The Cybercrimes Act was signed into law on 26 May 2021; most operative provisions (offences such as unlawful access, interception and cyber-fraud, plus investigation powers) commenced on 1 December 2021 by Proclamation R42 of 2021. Several chapters (e.g. Part VI on certain malicious-communications/structures and capacity provisions) are not yet in force.
Section 22 of the Protection of Personal Information Act requires responsible parties to notify the Information Regulator and affected data subjects of any 'security compromise' as soon as reasonably possible after discovery; there is no risk threshold, so all compromises must be reported.
From 1 April 2025 the Information Regulator requires all public and private bodies to submit security-compromise notifications via its online eServices Portal; email submissions are no longer accepted. Non-compliance can attract enforcement, including administrative fines up to R10 million.
The FSCA and Prudential Authority published Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience on 16 May 2024, effective 1 June 2025, setting minimum cybersecurity governance, risk-management, control and resilience requirements for banks, insurers, retirement funds, CIS managers, market infrastructures and certain third-party IT providers.
Enacted in November 2019 (replacing the National Key Points Act), the Critical Infrastructure Protection Act (CIPA) covers infrastructure including ICT/'critical information infrastructure' and mandates risk assessments, security plans, inspections and a Critical Infrastructure Council. The Cybercrimes Act separately creates aggravated offences (up to 10–20 years' imprisonment) for unlawful interference with critical-infrastructure systems.
The NCPF, adopted by Cabinet in 2012 and gazetted in December 2015, is the overarching coordination policy (led historically by the State Security Agency). South Africa's national CSIRT, the Cybersecurity Hub, was established in October 2015 to coordinate incident response across sectors.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.