Part I - Preliminary Provisions

1. Short title and commencement

This Act may be cited as the Cyber Security Act, 2025, and shall come into operation on the date appointed by the President by statutory instrument.

2. Interpretation

In this Act, unless the context otherwise requires—

“access” has the meaning assigned to the word in the Electronic Communications and Transactions Act, 2021;

“Agency” means the Zambia Cyber Security Agency established under section 3;

“article” means a computer, computer data, computer program, computer data storage medium or computer system which—

  1. on reasonable grounds, is believed to be concerned with, or connected with the commission of a crime or suspected commission of a crime;
  2. may afford evidence of the commission, or suspected commission of a crime; or
  3. is intended to be used or is, on reasonable grounds, believed to be intended to be used in the commission of a crime;

“Authority” means the Zambia Information and Communications Technology Authority established under the Information and Communication Technologies Act, 2009;

“bank” has the meaning assigned to the word in the Banking and Financial Services Act, 2017;

“call-related information” means data or details that are associated with a telephone call or communication session and includes—

  1. switching, dialling or signalling information that identifies the origin, destination, termination, duration and equipment of each communication generated or received by a customer or user of any equipment;
  2. a facility or service provided by a service provider; or
  3. where applicable, the location of the user within the telecommunications system;

“Centre” means the Central Monitoring and Co-ordination Centre continued under section 21;

“certificate of registration” means a certificate of registration issued under section 24;

“communication” has the meaning assigned to the word in the Electronic Communications and Transactions Act, 2021;

“communications data” means information relating to the usage of an electronic communications service;

“computer” has the meaning assigned to the word in the Electronic Communications and Transactions Act, 2021;

“computer data” means a representation of facts, concepts or information in a form suitable for processing in a computer or computer system, including a program suitable to cause a computer or computer system to perform a function;

“computer data storage medium” means a device or medium used for storing and retrieving digital data or information from a computer;

“computer system” means a set of integrated devices that input, output, process and store data and information including the internet;

“controller” means a person who controls or is responsible for critical information or critical information infrastructure that is registered under this Act;

“critical information” means computer data that relates to public safety, public health, economic stability, national security, international stability and the sustainability and restoration of critical cyberspace including—

  1. personal data that is managed, stored or transmitted through critical information infrastructure or processed by a controller;
  2. information relating to any research and development in relation to critical information infrastructure;
  3. information needed to operate critical information infrastructure; or
  4. information relating to risk management and business continuity in relation to critical information infrastructure;

“critical information infrastructure” means a computer system, device, network, computer program or computer data that—

  1. is vital to a country such that the incapacity or destruction of, or interference with, the computer system, device, network, computer program or computer data would have a debilitating impact on national security, economy, public health or safety; or
  2. supports the processing of critical information or an essential service;

“cyber attack” means malicious activities targeting the confidentiality, integrity or availability of computer systems, computer data or services rendered by computer systems;

“cyber audit” means a third party audit of an organisation’s cyber security practices, involving the assessment of that organisation’s information security management system, penetration testing and vulnerability assessments for purposes of identifying and mitigating cyber security risks;

“cyber resilience” means the ability to prepare for, respond to and recover from cyber attacks, ensuring that essential functions continue despite adverse conditions;

“cyber security” means tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurances and technologies used to protect the cyber environment, organisation and user assets;

“cyber security incident” means an unauthorised activity or event which may result in jeopardising or adversely impacting the confidentiality, availability or integrity of information, a computer, a computer system or a network;

“Cyber Security Risk Register” means the Cyber Security Risk Register kept and maintained under section 20;

“cyber security service” means a service listed under section 41;

“cyber security threat” means a potential danger or risk to a computer, computer system, network, or data that may imminently jeopardise or affect adversely, without lawful authority, the cyber security of that computer, computer system or network or another computer, computer system or network;

“cyber security risk assessment” means the process of identifying, analysing, and evaluating potential threats and vulnerabilities in an information system, network or asset;

“cyber security service provider” means a person licensed under section 45 to provide a cyber security service;

“device” means a unit of physical or virtual hardware or equipment that provides one or more computing functions and includes a computer program, application, a component of a computer system, a computer storage component, an input or output device, or an apparatus which can be used to intercept a wire or electronic communication;

“digital forensics” means the practice of collecting, analysing and preserving electronic data in a manner that maintains the integrity and reliability of that electronic data and renders it admissible as evidence in a court of law;

“Director-General” means the person appointed as Director-General under section 5;

“electronic communication” has the meaning assigned to the words in the Electronic Communications and Transactions Act, 2021;

“electronic communications service” has the meaning assigned to the words in the Information and Communication Technologies Act, 2009;

“electronic communications system” has the meaning assigned to the words in the Electronic Communications and Transactions Act, 2021;

“electronic communications service provider” means a person licensed to provide an electronic communications service under the Information and Communication Technologies Act, 2009;

“essential service” means a service that is fundamental to the operation of society, ensuring public safety, health, economic stability, national security, international order and the maintenance and recovery of critical cyber space infrastructure;

“financial institution” has the meaning assigned to the words in the Banking and Financial Services Act, 2017;

“fit and proper person” means a person who is of good character, honest, possesses financial integrity, probity, personal integrity, is of good repute, competent, capable and dependable;

“geolocation” means the process or technique of identifying the geographical location of a person or device by means of digital information processed through the internet;

“hosting” has the meaning assigned to the word in the Electronic Communications and Transactions Act, 2021;

“information security audit” means a comprehensive evaluation of information security practices including physical, administrative and technical controls that ensures overall data privacy protection, cyber security, cyber resilience and regulatory compliance;

“inspector” means a person appointed as a cyber security inspector under section 55;

“interception” means an act by a person who is not party to an electronic communication of listening to, monitoring, viewing, reading or recording a private communication in transit, without the knowledge of the person making and receiving the communication, whether such communication is done in real time or otherwise between—

  1. persons;
  2. a person and a device; or
  3. devices;

“internet connection record” means a record which contains information about internet connections made by a particular device and includes—

  1. connections which are made automatically by a person, browser or device;
  2. a customer account reference such as an account number or identifier of the customer’s device or internet connection;
  3. a time stamp of a session log;
  4. source and destination internet protocol addresses and the associated identity information;
  5. the volume of data transferred in either or both directions;
  6. the name of the internet service or the server that the service is connected to;
  7. elements of a universal resource locator which constitutes communications data; or
  8. any other related meta data;

“information infrastructure” means communication networks and their associated software that support interaction among people and organisations;

“information system” has the meaning assigned to the words in the Electronic Communications and Transactions Act, 2021;

“information technology auditor” means a person who possesses the expertise to examine and evaluate an information security management system as it relates to information technology infrastructure;

“judge” means a judge of the High Court;

“law enforcement officer” means—

  1. a police officer;
  2. an officer of the Anti Corruption Commission;
  3. an officer of the Drug Enforcement Commission;
  4. an officer of the Zambia Security Intelligence Service;
  5. an officer of the National Anti-Terrorism Centre; and
  6. any other person that the President may, by statutory instrument, designate for purposes of this Act;

“legally disqualified” means the absence of legal capacity as provided under section 4 of the Mental Health Act, 2019;

“licence” means a licence issued under section 45;

“licensee” means a person licensed under this Act;

“monitor” means to observe and analyse digital activities, including network traffic, system logs or user behaviour, with the goal of detecting and preventing cyber security threats or cyber security incidents;

“orally” means communication or transmission of information through spoken words whether delivered in person, via real time conversation through recorded media or text based formats that capture the essence of communication;

“penetration testing” means assessing, testing or evaluating the cyber security of a computer or computer system and the integrity of any information stored in or processed by the computer or computer system, by searching for vulnerabilities in, and compromising, the cyber security defences of the computer or computer system with express permission of the system owner;

“personal data” has the meaning assigned to the words in the Data Protection Act, 2021;

“private communication” means an electronic communication in respect of which it is reasonable for the sender or the intended recipient to expect that the communication shall not be intercepted;

“repealed Act” means the Cyber Security and Cyber Crimes Act, 2021 repealed under section 74;

“service provider” means an entity authorised to—

  1. provide or offer an electronic communications system;
  2. process or store computer data on behalf of an electronic communications service provider or user of such service; or
  3. own an electronic communications system to provide or offer an electronic communications service;

“Staff Board” means the Staff Board constituted in the Schedule;

“Zambia Cyber Incident Response Team” means the Zambia Cyber Incident Response Team constituted under section 6; and

“Zambia Security Intelligence Service” means the Zambia Security Intelligence Service continued under the Zambia Security Intelligence Service Act, 1998.