Zambia: regulatory developments on cyber security

Bwalya Chilufya-Musonda looks at how new regulations will impact businesses in Zambia
In April 2021, a new law with wide-ranging implications for all businesses was passed in Zambia: the Cyber Security and Cyber Crimes Act, 2021. Just a year after the Act's enactment, which represented an explosion in the landscape of the rules around data protection, the Zambia Information and Communications Technology Authority (ZICTA), together with the Minister, has proposed new regulations, the Cyber Security and Cyber Crimes (Critical Information Infrastructure) Regulations, 2022 (CII Regulations).
The CII Regulations are intended to uplift the security and resilience of the critical infrastructure on which critical information resides and which the government deems necessary for the protection of essential services relied on by the public.
Critical information and infrastructure
Under the CII Regulations, the following information has been declared critical information:
· information processed by a public body;
· information processed by operators of electronic communications networks and the providers of electronic communications services;
· information relating to the following sectors: banking and financial services; health; transport and communication; defence and national security; energy; insurance; education; taxation or mining;
· location based or mapping data;
· sensitive personal data;
· information processed by sector computer incident response teams; and
· configuration settings of critical information.
The CII Regulations propose to declare the infrastructure on which critical information is contained as critical information infrastructure (CII).
In addition, infrastructure that is vital to the provision of essential services has also been declared as CII. Essential services have been described as including, among others: generation, supply or distribution of electricity; medical or hospital services; water supply and sewerage; agriculture; digital financial services; automatic teller machines; payment gateways; data centres; payment switch services; and mineral mining and operation.
The above declaration of what constitutes critical information and CII has the effect of broadening the application of cyber security legislation to businesses that would not have previously been subject to this regulation.
Localisation and externalisation
Perhaps the greatest change introduced by the Act, and echoed by the CII Regulations, is the requirement that all CII must be located in Zambia. Affected businesses that intend to externalise critical information may apply to the Minister for approval. The decision to approve the externalisation of critical information will be made by the Minister in consultation with ZICTA, the National Cyber Security Advisory Coordinating Council and relevant security agencies.