Regulatory Environment

Cybersecurity Regulations, Laws and Standards in South Africa

Cybersecurity regulations and compliance illustration showing protected business systems and digital risk controls.

Regulatory Environment: South Africa

Cybersecurity-related laws, regulations, and codes are becoming more relevant—and in many cases, compliance is now a formal expectation.

This page gives you a clear, practical overview of the Acts, Standards, and Codes that may apply to your organisation.

For each one, we show:

  • What the law or standard is about
  • Who it applies to
  • What your main obligations are
  • What happens if you don’t comply
  • And where ARMD.digital’s products can help support compliance

Please note:

The summaries provided on this page reflect our own interpretations and are for informational purposes only. They do not constitute legal advice.

Understanding Different Types of Regulation

Not all regulatory instruments work the same way. Some tell you what outcomes to achieve. Others tell you exactly how to do it. Some are industry-specific frameworks that guide governance and ethical leadership.

Here’s how they differ:

Principle-Based Laws

These set broad goals or outcomes (e.g. “protect personal data”) and give organisations the flexibility to decide how to meet them.

Rules-Based Laws

These are prescriptive. They set out specific steps, controls, and procedures you must follow.

Codes

Codes are best-practice frameworks for governance, leadership, and risk management.
The King IV™ Code, for example, is mandatory for companies listed on the Johannesburg Stock Exchange (JSE), and recommended best practice for others.

Regulatory Environment: South Africa

The Protection of Personal Information Act (POPIA)

The main purpose of POPIA is to protect people from harm by protecting their personal information.

The Financial Advisory and Intermediary Services Act (FAIS)

The FAIS Act regulates and guides how Financial Service Providers (FSPs) should conduct their business activities and everyday relations with their customers.

Joint Standard 2 of 2024 | Cybersecurity and Cyber Resilience Requirements For Financial Institutions

The Joint Standard 2 sets out the minimum standards for financial institutions to implement best practices.

Joint Standard 1 of 2023 | IT Governance and Risk Management for Financial Institutions

The Joint Standard 1 sets out the principles for information technology (IT) risk management that financial institutions must comply with to achieve sound practices and processes in managing IT risks.

King V Code on Corporate Governance for South Africa 2025

King V is the latest evolution of South Africa’s governance framework – guiding organisations to achieve ethical, effective leadership and responsible value creation through principle-based governance.

The Cybercrimes Act

The Act is a criminal law which aims to reduce and prevent cybercrime in South Africa.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS mandates enhanced security measures, including risk management, flexible control implementation, assessment, and reporting, to protect cardholder data and address evolving threats in the payment industry.

National Credit Act (NCA)

The NCA Act’s primary goal is to establish a fair and transparent credit market by regulating consumer credit and protecting consumers from unfair practices. 

Electronic Communications and Transactions Act (ECTA)

The Act is a cornerstone of South Africa’s digital legislation, establishing the legal framework for electronic communications and transactions.

Consumer Protection Act (CPA)

The CPA Act aims to promote fair and sustainable consumer markets, protect consumers from unfair practices, and provide redress for those who have been harmed by such practices.

Companies Act

The Act regulates the formation, operation, and management of companies, including incorporation, registration, governance, and winding up.