Cybersecurity regulation in Uganda (2026)
Uganda's cybersecurity regime is built around a general cybercrime statute (Computer Misuse Act 2011, last revised 2023) and a data protection law with breach-notification duties (DPPA 2019), supplemented by binding sector rules for finance (Bank of Uganda, effective December 2024) and telecommunications (UCC, June 2025). No single cross-sector comprehensive cybersecurity law analogous to the EU's NIS2 is in force; instead, NITA-U coordinates national cybersecurity through the National Cybersecurity Strategy 2022–2026 and operates the national CERT (CERT.UG). Mandatory incident-reporting obligations exist under the DPPA and the BoU directives, but remain sector-limited rather than economy-wide.
Key points
The Computer Misuse Act 2011, the foundational cybercrime statute, criminalises unauthorised access, computer fraud, and misuse of protected computers (those linked to defence, critical infrastructure, banking, or emergency services). The 2022 amendment added offences for sharing false or malicious information online; the Law Revision (Miscellaneous Amendments) Act 2023 updated the consolidated text.
The DPPA 2019 requires data controllers, collectors, and processors to notify the Personal Data Protection Authority immediately upon discovering an unauthorised data access or acquisition; the Authority then determines whether the affected data subjects must also be notified, via registered mail, email, website notice, or mass media.
NITA-U published the National Cybersecurity Strategy 2022–2026, structured around seven pillars including threat preparedness, critical-infrastructure protection, and international cooperation. It established CERT.UG for national incident coordination and response, and operationalised the National Information Security Advisory Group (NISAG) for governance.
The Bank of Uganda issued Technology and Cyber Risk Management requirements for all supervised financial institutions, effective 1 December 2024. These mandate comprehensive cybersecurity frameworks, designated cybersecurity officers, risk-based supervision, threat-led penetration testing, and enforceable breach-reporting obligations — marking a shift from guidance to binding obligation in the financial sector.
The Uganda Communications Commission issued Minimum Cybersecurity Guidelines (June 2025) binding on all licensed telecom operators. Requirements include cybersecurity governance structures, access controls, encryption, network monitoring, incident detection, secure system configuration, and incident reporting — creating a parallel mandatory regime for the communications sector.
NITA-U enforces the National Information Security Framework (NISF) across all government IT systems, setting policies, standards, and guidelines for information assurance. NITA-U also provides cybersecurity consulting and awareness services to public bodies, but this framework does not extend binding obligations to the private sector beyond regulated industries.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.