Africa's Cybersecurity Laws Are Catching Up. But The Gap With Global Standards Is Still Real

The numbers are not reassuring. Two-thirds of INTERPOL’s African member countries now report that cyber-related crimes account for a medium-to-high share of all criminal activity on their territory. In West and East Africa, that figure rises to 30 percent. Ransomware detections surged in 2024, with South Africa recording nearly 18,000 incidents and Nigeria logging over 3,000. Suspected scam notifications, driven largely by phishing, climbed by as much as 3,000 percent in some African countries, according to data cited in INTERPOL’s 2025 Africa Cyberthreat Assessment Report.

Against that backdrop, the question of whether African cybersecurity laws are fit for purpose is no longer theoretical. It has become operational.

A Continent Legislating at Speed

The pace of legal reform across Africa over the past three years has been notable. As of the end of 2025, 44 African countries have enacted data protection laws, covering 80 percent of African Union member states. Thirty-eight of those countries now have functioning data protection authorities, up from 34 just a year earlier.

Several countries have gone further. Burkina Faso passed legislation in July 2024 codifying responses to ransomware and online fraud. Kenya amended its Computer Misuse and Cybercrimes Act in 2024 to introduce Critical Information Infrastructure regulations. South Africa’s Cybercrimes Act of 2020 already mandates incident reporting and criminalises a range of offences. And in Nigeria, the Nigeria Data Protection Act of 2023 introduced data localisation requirements while the Cybercrimes Act of 2015, now over a decade old remains the country’s primary statutory instrument against cybercrime.

This represents genuine legislative momentum. But the architecture of that legislation, and how it compares to the frameworks that govern cybersecurity in Europe, the United States, and parts of Asia-Pacific, reveals a more complicated story.

ALSO READ Building Cyber Readiness Early: Why Youth Education Is a Security Imperative in Africa

What Global Standards Actually Require

The benchmark most frequently cited in comparative discussions is the European Union’s regulatory model. The EU’s NIS2 Directive, Digital Operational Resilience Act (DORA), and Cyber Resilience Act collectively create horizontal obligations across critical sectors, with mandatory risk management, incident reporting timelines, supply-chain due diligence, and penalties reaching up to €15 million or 2.5 percent of global annual turnover. They are backed by supervisory institutions with the independence and resources to enforce them.

The Budapest Convention on Cybercrime, the only binding international treaty in this space, establishes procedural standards for investigation, digital evidence handling, and cross-border cooperation. Most African cybercrime laws reference its provisions. But ratification remains thin. Rwanda’s accession marked a positive step, and 21 African countries signed the UN Convention against Transnational Organised Crime in 2025. The Malabo Convention, the African Union’s own framework on cybersecurity and personal data protection entered into force in May 2023 but has been ratified by only 15 of 55 AU member states, a figure that limits its practical reach considerably.

Where African Frameworks Hold Up and Where They Don’t

The ITU’s Global Cybersecurity Index 2024 places seven African nations in Tier 1, meaning they demonstrate comprehensive commitments across legal, technical, organisational, capacity-building, and cooperative dimensions. Nigeria sits in Tier 3, with a score of 82.40, ranked 13th on the continent. The assessment credits Nigeria’s legal and technical frameworks while flagging weaknesses in capacity building and international cooperation.

That characterisation applies broadly across the continent. The laws, in many cases, are sound on paper. The gaps appear at implementation.

ALSO READ The Sentinel of Security: Facial Recognition’s Role in Securing Data Centers

Enforcement capacity is uneven. Several African data protection authorities operate on donor funding, which creates institutional fragility. A regulator whose budget is controlled by a ministry it is meant to oversee cannot easily pursue politically sensitive enforcement actions. A 2025 analysis by Code for Africa noted plainly that “even countries with the most active enforcement records have publicly flagged concerns about insufficient and unpredictable funding.”

The contrast with, say, Ireland’s Data Protection Commission, which levied billion-euro fines against Meta and has a full-time professional staff is stark. That comparison is not entirely fair given the resource disparities involved, but it matters when multinational technology companies are calibrating their compliance posture across jurisdictions.

Nigeria’s Particular Challenges

Nigeria’s position in the cybersecurity landscape is worth examining separately, given the scale of its digital economy and its ambitions as a technology hub. The NDPA 2023 brought meaningful data protection obligations, and the country’s participation in the Global CBPR Forum signals an intention to align with international data transfer standards. But the Cybercrimes Act of 2015 has not been comprehensively revised in over a decade, even as the threat landscape has shifted fundamentally.

More structurally, Nigeria has yet to establish a dedicated national cybersecurity agency with the operational mandate and resourcing comparable to the UK’s National Cyber Security Centre or Singapore’s Cyber Security Agency. The National Information Technology Development Agency and the Central Bank’s cybersecurity directives cover portions of the challenge. What remains missing is a unified command structure with clear legal authority over critical infrastructure protection.

The Enforcement Turn

The most consequential development of 2025 was not legislative. It was the shift toward active enforcement. Uganda secured its first criminal conviction under its data protection law. South Africa imprisoned a former bank employee for enabling a ransomware attack. Uganda’s regulator ordered Google to comply with local registration requirements within 30 days.

ALSO READ New cybersecurity format threatens hybrid workplace

These cases matter not because of their scale, but because of what they signal. They demonstrate that African regulators are willing to apply their laws against both local actors and global technology companies. That shift in posture, if sustained, could do more to close the gap with global standards than the passage of additional legislation.

The Road Ahead

The launch of the African Network of Cybersecurity Authorities (ANCA) in February 2025 is a meaningful institutional development. A continent-wide body coordinating threat intelligence and policy alignment is a structural response to a threat that does not respect national borders. Whether it develops into a substantive operational entity or remains a coordination forum will depend on political will and sustained funding.

The African Union’s Continental AI Strategy and Ghana’s proposed amendments expanding cybersecurity oversight to emerging technologies suggest that at least some governments are thinking beyond the current cycle of threats. But for most countries, the work is more immediate: filling in enforcement gaps, resourcing regulators adequately, and building the forensic and investigative capacity that makes legal frameworks credible.

Africa’s cybersecurity laws are no longer absent. In many countries, they are substantively comparable to frameworks elsewhere. The challenge is now institutional, building the machinery that makes those laws function in practice, not just on the statute books.