Zambia: regulatory developments on cyber security

In April 2021, a new law with wide-ranging implications for all businesses was passed in Zambia, the Cyber Security and Cyber Crimes Act, 2021. With just a year post enactment of the act, which represents an explosion in the landscape of the rules around data protection, the Zambia Information and Communications Technology Authority (ZICTA), together with the Minister, has proposed new regulations – the Cyber Security and Cyber Crimes (Critical Information Infrastructure) Regulations, 2022 (CII Regulations).

The CII Regulations are intended to uplift the security and resilience of critical infrastructure on which critical information lies and which government deems necessary for the protection of essential services relied on by the public.

Critical information and infrastructure

Under the CII Regulations, the following information has been declared critical information:

·        information processed by a public body;

·        information processed by operators of electronic communications networks and the providers of electronic communications services;

·        information relating to the following sectors: banking and financial services; health; transport and communication; defence and national security; energy; insurance; education; taxation or mining;

·        location based or mapping data;

·        sensitive personal data;

·        information processed by sector computer incident response teams; and

·        configuration settings of critical information.

The CII Regulations propose to declare the infrastructure on which critical information is contained as critical information infrastructure (CII).

In addition, infrastructure that is vital to the provision of essential services has also been declared as CII. Essential services have been described as including, among others, generation, supply or distribution of electricity; medical or hospital; water supply and sewerage; agriculture; digital financial services; automatic teller machines; payment gateway; data centres; payment switch services; and mineral mining and operation.

The above declaration of what constitutes critical information and CII has the effect of broadening the application of cyber security legislation to businesses that would not have previously been subject to this regulation. 

Localisation and externalization

Perhaps the greatest change from the Act, and echoed by the CII Regulations, is the requirement that all CII must be located in Zambia. Affected businesses who intend to externalise critical information may apply to the Minister for approval. This decision to approve the externalization of critical information will be settled by the Minister in consultation with ZICTA, the National Cyber Security Advisory Coordinating Council [ST1] and relevant security agencies.

While the CII Regulations provide an option for the externalization of critical information, the current proposed model includes an externalization fee of 0.5 per cent of the applicant’s previous year’s annual turnover. The fee is proposed to be an annual fee. According to ZICTA, the proposed externalisation fee model is intended to encourage affected businesses to host their infrastructure in Zambia as there is already existing capacity for hosting.

Further, the CII Regulations will require all affected businesses to localise critical information that was externalized within 12 months following the issuance of the CII Regulations. 

For affected businesses that will opt to retain their critical information on infrastructure outside Zambia, externalization will largely depend on the adequacy of the security measures being applied to the information and infrastructure on which the information is contained; whether it is necessary for the information to be stored outside Zambia; national security; consent by the data subject; and any other factors that the Minister considers necessary.

Mandatory breach notification

The CII Regulations are proposing a mandatory data breach notification requirement in respect of CII. Where an affected business suffers a security breach leading to destruction, loss, alteration, unauthorised disclosure, or access to personal data, it must report that breach to the supervisory authority, ZICTA. This mandatory breach notification is in addition to the monthly cyber security incident and threat report, which affected businesses will be required to submit within one month following the issuance of the CII Regulations.

Particularly difficult for affected businesses will be the additional rule that security breaches need to be notified to ZICTA within two hours of an organisation becoming aware of the breach.

This means affected businesses will need to have robust and reliable systems for identifying and reporting security breaches, especially where such breaches are caused by human error. Further, the CII Regulations provide for a two-month window for affected businesses to implement the incident detection and reporting mechanisms.