The Cybercrimes Act

The Cybercrimes Act came into operation in December 2021. The Act is a criminal law which aims to reduce and prevent cybercrime in South Africa. It also helps law enforcement to enforce the law and protect the people of South Africa from criminals. The Act creates many new offences too. Some offences are related to data, messages, computers, and networks.

Base of law

Rule-based

ARMD.digital product match

No current product matches

Objectives of the Act

The objectives of the Cybercrimes Act are to:

  • create offences which have a bearing on cybercrime;
  • criminalise the disclosure of data messages which are harmful and to provide for interim protection orders;
  • further regulate jurisdiction in respect of cybercrimes;
  • regulate the powers to investigate cybercrimes;
  • further regulate aspects relating to mutual assistance in respect of the investigation of cybercrimes;
  • provide for the establishment of a designated Point of Contact; to further provide for the proof of certain facts by affidavit;
  • impose obligations to report cybercrimes;
  • provide for capacity building; and
  • provide that the Executive may enter into agreements with foreign States to promote measures aimed at the detection, prevention, collaboration, and investigation of cybercrimes.
Who does it affect?

The Cybercrimes Act is a criminal law that has a high impact on all organisations and all individuals. The Act impacts anyone who processes data or uses a computer. Some examples are individuals, parents, journalists, organisations, banks, and many others will probably commit many offences daily. People involved with IT (or data protection) regulatory compliance.

The Act especially impacts financial institutions and electronic communications service providers (ECSPs) by creating certain reporting obligations on them. For example, financial institutions and ECSPs must report cybercrimes to the police, and store evidence about cybercrimes that someone may have committed.

Relevant sections

Chapter 2 | Cybercrimes

These are some of the cybercrimes that someone can commit:

What happens if you don’t comply with the Act?

The Cybercrimes Act is a criminal law so there are criminal sanctions against anyone who commits a cybercrime.

There are compliance obligations on financial institutions and ECSPs if they have a cyber-attack. For example, financial institutions and ECSPs must:

  • report cybercrimes to the police within 72 hours, and
  • preserve any information that relates to the cybercrime.

If they do not comply with the above two conditions, they may be liable on conviction to a fine of R50 000. (See Section 54)

How does our product help you comply with this Act?

While our current product doesn’t directly help you comply with the Act, we’ve included it since it sits within the cyber landscape and may be a helpful insight and summary.

Useful resources

Explore More Regulations

The Protection of Personal Information Act (POPIA)

The main purpose of POPIA is to protect people from harm by protecting their personal information.

The Financial Advisory And Intermediary Services Act (FAIS)

The FAIS Act regulates and guides how Financial Service Providers (FSPs) should conduct their business activities and everyday relations with their customers.

Joint Standard 2 of 2024 | Cybersecurity and Cyber Resilience Requirements For Financial Institutions

The Joint Standard sets out the minimum standards for financial institutions to implement best practices.

Joint Standard 1 of 2023 | IT Governance and Risk Management for Financial Institutions

The Joint Standard sets out the principles for information technology (IT) risk management that financial institutions must comply with to achieve sound practices and processes in managing IT risks.

The King IV Report and King Code

The King IV Report and King Code (King IV) is an important instrument that governs the leadership of an organisation through principles of ethics and good governance.