Cybersecurity regulation in Zambia (2026)
Zambia enacted two dedicated cybersecurity statutes in April 2025, repealing and replacing the Cyber Security and Cyber Crimes Act of 2021. The Cyber Security Act 2025 establishes the Zambia Cyber Security Agency (ZCSA) under the Office of the President, creates the Zambia Cyber Incident Response Team (ZCIRT), and imposes licensing, data-localisation, and incident-notification obligations on critical information infrastructure (CII) controllers. The companion Cyber Crimes Act 2025 codifies criminal offences and penalties, including enhanced sanctions for attacks on CII.
Key points
Act No. 3 (Cyber Security Act) governs regulatory obligations — licensing of cybersecurity service providers, CII designation, and incident response — while Act No. 4 (Cyber Crimes Act) handles criminal offences. Both repeal and replace the unified 2021 Act.
The ZCSA is established within the Office of the President and is the primary authority for coordinating cybersecurity, designating critical information and CII by sector, and supervising compliance. ZICTA retains licensing and standards functions for cybersecurity service providers.
Controllers of designated CII must register with the ZCSA, store critical information within Zambia (data-localisation) unless the Agency grants an exception, submit to compliance audits and regular inspections, and notify the Agency of any perceived or actual cybersecurity incident affecting CII or interconnected systems.
CII controllers must notify the ZCSA immediately upon awareness of a cybersecurity incident. Under broader data-protection rules, a data controller must notify the Data Protection Commissioner within 24 hours of a personal-data security breach, and organisations must submit monthly cyber-incident and threat reports once CII Regulations are in force.
Any entity offering cybersecurity services in Zambia must obtain a licence from ZICTA. Operating without a licence carries penalties of up to ZMW 100,000 or up to one year's imprisonment, or both.
Under the Cyber Crimes Act 2025, unauthorised access, disclosure, or possession of data relating to critical information or CII carries enhanced penalties of up to 1,000,000 penalty units or 25 years' imprisonment, reflecting the elevated threat to national security infrastructure.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.