Bwalya Chilufya-Musonda, Partner, Bowmans Law

Zambia: regulatory developments on cyber security

Bwalya Chilufya-Musonda looks at how new regulations will impact businesses in Zambia

In April 2021, a new law with wide-ranging implications for all businesses was passed in Zambia: the Cyber Security and Cyber Crimes Act, 2021. Just a year after enactment of the Act, which represents an explosion in the landscape of the rules around data protection, the Zambia Information and Communications Technology Authority (ZICTA), together with the Minister, has proposed new regulations – the Cyber Security and Cyber Crimes (Critical Information Infrastructure) Regulations, 2022 (CII Regulations).

The CII Regulations are intended to uplift the security and resilience of critical infrastructure on which critical information lies and which government deems necessary for the protection of essential services relied on by the public.

Critical information and infrastructure

Under the CII Regulations, the following information has been declared critical information:

- information processed by a public body;
- information processed by operators of electronic communications networks and the providers of electronic communications services;
- information relating to the following sectors: banking and financial services; health; transport and communication; defence and national security; energy; insurance; education; taxation or mining;
- location-based or mapping data;
- sensitive personal data;
- information processed by sector computer incident response teams; and
- configuration settings of critical information.

The CII Regulations propose to declare the infrastructure on which critical information is contained as critical information infrastructure (CII).

In addition, infrastructure that is vital to the provision of essential services has also been declared as CII. Essential services have been described as including, among others, generation, supply or distribution of electricity; medical or hospital; water supply and sewerage; agriculture; digital financial services; automatic teller machines; payment gateway; data centres; payment switch services; and mineral mining and operation.

The above declaration of what constitutes critical information and CII has the effect of broadening the application of cyber security legislation to businesses that would not previously have been subject to this regulation.

Localisation and externalization

Perhaps the greatest change from the Act, and echoed by the CII Regulations, is the requirement that all CII must be located in Zambia. Affected businesses that intend to externalise critical information may apply to the Minister for approval. The decision to approve the externalisation of critical information will be settled by the Minister in consultation with ZICTA, the National Cyber Security Advisory Coordinating Council and relevant security agencies.

While the CII Regulations provide an option for the externalisation of critical information, the current proposed model includes an externalisation fee of 0.5 per cent of the applicant’s previous year’s annual turnover, payable annually. According to ZICTA, the proposed externalisation fee model is intended to encourage affected businesses to host their infrastructure in Zambia, as there is already existing capacity for hosting.

Further, the CII Regulations will require all affected businesses to localise critical information that was externalised within 12 months following the issuance of the CII Regulations.

For affected businesses that opt to retain their critical information on infrastructure outside Zambia, approval of externalisation will largely depend on the adequacy of the security measures applied to the information and to the infrastructure on which it is contained; whether it is necessary for the information to be stored outside Zambia; national security; consent by the data subject; and any other factors that the Minister considers necessary.

Mandatory breach notification

The CII Regulations propose a mandatory data breach notification requirement in respect of CII. Where an affected business suffers a security breach leading to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data, it must report that breach to the supervisory authority, ZICTA. This mandatory breach notification is in addition to the monthly cyber security incident and threat report, which affected businesses will be required to submit within one month following the issuance of the CII Regulations.

Particularly difficult for affected businesses will be the additional rule that security breaches need to be notified to ZICTA within two hours of an organisation becoming aware of the breach.

This means affected businesses will need robust and reliable systems for identifying and reporting security breaches, especially where such breaches are caused by human error. The CII Regulations provide a two-month window for affected businesses to implement the incident detection and reporting mechanisms.
