Cybersecurity regulation in Zimbabwe (2026)

The Cyber and Data Protection Act, 2021 (Chapter 12:07) serves as Zimbabwe's single overarching statute covering cybersecurity offences, data protection, and the institutional framework; it entered into force in 2022 and applies to all public and private organisations regardless of size.

POTRAZ functions as both the telecommunications regulator and the Data Protection Authority; the Act also mandates a Cyber Security Centre within POTRAZ responsible for policy advice, research, and cross-border cybersecurity cooperation.

Data controllers must notify POTRAZ within 24 hours of becoming aware of a data breach; where the breach poses a high risk to individuals' rights and freedoms, affected data subjects must also be notified within 72 hours.

Gazetted in September 2024, SI 155 requires all data controllers to obtain an annual licence from POTRAZ (deadline 12 March 2025) and to appoint a qualified Data Protection Officer (deadline 12 December 2024); non-compliance can attract fines up to Level 11 or up to seven years' imprisonment.

The Act criminalises a broad set of cybercrimes including unauthorised system access, phishing, identity theft, cloning, malware deployment, and interception of data; penalties range from fines to custodial sentences depending on severity.

As of 2025–2026 Zimbabwe has not published a formal national cybersecurity strategy and has not established a dedicated national CIRT; the National Cyber Security Index ranks Zimbabwe 129th–131st globally, reflecting significant capacity and implementation deficits relative to the legislative framework.