Proactive measures needed to mitigate risks under Zambia’s new cyber laws

In April, Zambia enacted new cyber laws with the aim of protecting citizens from online scams and theft, while critics raised red flags about undermining digital rights and freedoms. Bwalya Chilufya-Musonda and Twaambo Mukuni of Bowmans address the new laws and their potential impact on businesses

OPINION

Zambia has enacted two key pieces of legislation aimed at consolidating and strengthening its digital security regime: the Cyber Security Act 3 of 2025 (CSA) and the Cyber Crimes Act 4 of 2025 (CCA) (collectively, the New Cyber Laws).

The New Cyber Laws repeal and replace the Cyber Security and Cyber Crimes Act, 2021, drawing a clearer distinction between regulatory and criminal law functions.

The CSA primarily focuses on regulating cyber security service providers and critical information infrastructure. The CCA establishes a framework for cybercrime offences, provides protection against cyber-enabled crimes, and introduces specific provisions for online child protection. The enactment of the New Cyber Laws comes barely four years after Zambia passed its first cyber security law in 2021, underscoring the rapid pace of regulatory reform in this area.

Regulation of critical information and critical information infrastructure

The CSA introduces an expanded framework for the classification, regulation, and protection of critical information and critical information infrastructure.

Critical information is defined broadly to include computer data related to public safety, public health, economic stability, national security, international stability, and the sustainability or restoration of critical cyberspace. It includes personal data stored or transmitted through critical information infrastructure, information relating to research and development in critical information infrastructure, and information for risk management and business continuity.

Critical information infrastructure refers to any computer system, device, network, computer program, or computer data set that is essential to the country’s operations, such that its destruction, impairment, or interference would have a severe impact on national security, the economy, public health, public safety, or the continuity of essential services.

Under the CSA, critical sectors include defence and security, the public sector, banking and finance, health, transport, pensions and insurance, information and communications technology, energy, education, and mining. A disruption to critical information or critical information infrastructure in these sectors could significantly affect the economy and the delivery of essential public services.

Registration and compliance obligations for controllers

The CSA establishes the Zambia Cyber Security Agency (Agency), which is tasked with identifying information or information infrastructure deemed critical to specific sectors, and designating such information or information infrastructure as critical information or critical information infrastructure.

Once information or information infrastructure is designated as critical, the persons in control of it, or responsible for it, must register as controllers with the Agency within 30 days of the designation.

Controllers are required to store critical information, and to host critical information infrastructure, within Zambia unless the Agency has expressly authorised hosting elsewhere. In addition, a controller must notify the Agency of any perceived or actual cybersecurity incident relating to the critical information or information infrastructure, or to any computer or computer system under the controller's control that is interconnected with, or communicates with, that critical information or information infrastructure. The notification duty therefore reaches beyond the designated assets themselves: a controller's incident detection and reporting must also cover the ordinary systems that connect to them.

Controllers are also subject to ongoing compliance obligations, which include annual audits of critical information and infrastructure, submission of annual cybersecurity situational awareness reports to the Agency, and participation in national cybersecurity exercises as directed by the Agency.

Failure to comply with these obligations under the CSA may result in a fine of up to ZMW 1 200 000 (approximately USD 50,000), imprisonment for up to 10 years, or both.

Cybercrime offences and penalties

The CCA complements the CSA by addressing a wide range of cyber offences. These include unauthorised access to computer systems and data, unauthorised disclosure of data related to critical information or critical information infrastructure, and the illegal acquisition of data.

Penalties under the CCA range from fines of up to ZMW 600 000 (approximately USD 25,000) to imprisonment for up to 25 years, depending on the offence.

Looking ahead

The enactment of the New Cyber Laws lays a comprehensive foundation for regulating cybersecurity risks, prosecuting cyber offences, and protecting critical information and critical information infrastructure. By separating regulatory oversight (the CSA and the Agency) from criminal enforcement (the CCA), they establish a more coherent framework than the single 2021 Act they replace.

For businesses operating in designated critical sectors, these developments signal an urgent need to review existing cyber security policies, systems, and compliance protocols. Proactive measures will be essential to mitigate regulatory and operational risk under the New Cyber Laws: registering with the Agency within 30 days of a designation, hosting critical information and infrastructure in Zambia unless the Agency authorises otherwise, implementing incident detection and response capable of identifying and reporting incidents on both the designated assets and the systems interconnected with them, and preparing for the annual audits, situational awareness reports and national exercises that the Agency may require.

Bwalya Chilufya-Musonda is a corporate and finance law partner at Bowmans Zambia and Twaambo Mukuni is an associate in the corporate department of Bowmans Zambia.