The Cybercrimes Act 19 of 2020 creates new offences and significant compliance obligations for South African businesses. This guide explains the framework, the reporting obligations, and the interaction with POPIA breach notification.
A New Cybercrime Framework
The Cybercrimes Act 19 of 2020 was the South African legislature's response to the inadequacy of the predecessor Electronic Communications and Transactions Act 25 of 2002 framework for the modern cybercrime landscape. The Act consolidates and modernises the substantive law of cybercrime, expands law enforcement powers, and creates new compliance obligations for businesses, particularly electronic communications service providers and financial institutions.
The Act commenced in phases following its assent. The bulk of the substantive offences and procedural provisions came into operation on 1 December 2021 by Proclamation in the Government Gazette. Subsequent commencements have addressed the remaining provisions in stages.
Categories of Cybercrime Offences
The Cybercrimes Act creates a structured catalogue of cybercrime offences. The principal categories include unlawful access offences (unauthorised access to a computer system, computer data storage medium, or data), unlawful interception offences (intercepting data in transmission, including communications metadata), unlawful interference offences (interfering with data, computer programs, or computer systems), forgery and fraud offences in the cyber context (computer-related forgery, computer-related fraud, computer-related extortion), and unlawful possession or supply offences (possessing or making available passwords, access codes, or similar data without lawful authority).
The Act also addresses malicious communications offences, including the unlawful disclosure of intimate images and the dissemination of data messages inciting violence or harm.
The Reporting Obligation Framework
The Cybercrimes Act creates reporting obligations for specified categories of business, principally electronic communications service providers and financial institutions, in respect of cybercrime offences they detect on their systems or affecting their customers. The reporting obligation is mandatory and time-bound, with criminal sanctions for non-compliance.
The reporting framework is structured to give law enforcement timely visibility into significant cybercrime activity and to support the preservation of digital evidence that may otherwise be lost through routine system operations. Operators of regulated entities should ensure that their incident response procedures specifically address the Cybercrimes Act reporting pathway in addition to internal incident response.
Search, Seizure and Investigation Powers
The Cybercrimes Act expands law enforcement powers in respect of cybercrime investigation, including powers to obtain expedited preservation of data, expedited disclosure of traffic data, and search and seizure orders specifically tailored to digital evidence. The framework operates alongside the Criminal Procedure Act 51 of 1977 and reflects the international consensus on the procedural needs of cybercrime investigation.
For businesses, the practical implication is that law enforcement requests for data preservation, disclosure, or production may arrive in unfamiliar form and on short timelines. Procedures for handling law enforcement requests should be embedded in the business's broader information governance framework.
Extra-Territorial Jurisdiction
The Cybercrimes Act extends South African jurisdiction over cybercrime offences in defined circumstances where conduct outside South Africa affects systems or persons inside South Africa. The framework is consistent with the Budapest Convention on Cybercrime approach, although South Africa has not at the time of writing acceded to the Convention itself.
For multinational businesses with South African operations or customer bases, this means that cybercrime conduct affecting South African assets may attract South African jurisdiction even where the conduct itself occurred elsewhere.
Interaction with POPIA
The Cybercrimes Act and the Protection of Personal Information Act 4 of 2013 (POPIA) operate in parallel where a cybercrime event also involves the compromise of personal information. The frameworks address different aspects of the same incident: the Cybercrimes Act addresses the offence and the law enforcement response, while POPIA section 22 addresses notification of affected data subjects and the Information Regulator.
An incident involving the compromise of personal information through cyber-attack typically engages both regimes. The respective notification triggers, timelines, and content requirements are not identical, and businesses should ensure their incident response procedures address both pathways without conflict. POPIA section 22 notification is typically the more time-pressured of the two, with the obligation triggered by reasonable grounds to believe that personal information has been compromised.
Director Liability and Corporate Governance
The Cybercrimes Act framework, taken together with POPIA and the Companies Act 71 of 2008 fiduciary duties, creates a meaningful corporate governance dimension to cybersecurity. Directors who fail to take reasonable steps to protect the company's information assets, fail to ensure compliance with the Act's reporting obligations, or fail to respond appropriately to identified cyber risk may face exposure under the Companies Act fiduciary duty framework.
The King IV Report on Corporate Governance addresses cyber risk explicitly, and the JSE Listings Requirements impose continuous disclosure obligations that can be triggered by material cyber incidents.
Practical Compliance Architecture
Effective Cybercrimes Act compliance integrates with the business's broader information governance and risk management. Material elements include a documented incident response framework with specific Cybercrimes Act and POPIA pathways, defined roles and responsibilities for incident detection, classification, escalation, and external reporting, regular incident response testing through tabletop exercises and red-team scenarios, contractual flow-down of incident response obligations to material vendors and operators, board-level reporting on cyber risk exposure and incident trends, and engagement with industry information-sharing arrangements (sector CSIRTs, banking sector forums) where applicable.
Common Compliance Gaps
Recurring gaps observed in the sector include incident response procedures that do not specifically address the Cybercrimes Act reporting pathway, conflict between Cybercrimes Act and POPIA notification timelines and content, vendor agreements that do not require timely incident notification to the principal, board reporting on cyber risk that does not distinguish between technical risk indicators and legal compliance posture, and law enforcement engagement procedures that have not been tested.
How Mashiane Attorneys Can Assist
Our Digital Economy practice advises businesses on Cybercrimes Act compliance, incident response framework design integrating POPIA and Cybercrimes Act pathways, law enforcement engagement, breach response, and corporate governance for cyber risk. Contact our team for a cyber compliance review.