AS we close the chapter on 2025, one of the most consequential legal developments of the year aside Bill 7 was the enactment of revised cyber legislation aimed at strengthening digital security and protecting citizens from online crime.
On April 8, 2025, President Hakainde Hichilema assented to the Cyber Security Act No. 3 of 2025 and the Cyber Crimes Act No. 4 of 2025, which marked a significant update to the country’s legal framework governing cyberspace.
The two Acts replaced the Cyber Security and Cyber Crimes Act of 2021, which had attracted criticism for being broad and potentially open to abuse.
The revised approach taken this year, sought to address those concerns by separating the law into two focused statutes, each with a clear mandate.
The 2021 law, enacted under the previous administration, was widely viewed as lacking clarity, particularly in relation to enforcement powers and safeguards for civil liberties.
In response, the UPND led administration opted to retain the objective of digital regulation while refining the structure and scope of the legislation.
As a result, the cyber law was divided into two distinct Acts, with contentious provisions amended or removed following parliamentary debate.
Both the Cyber Security Act and the Cyber Crimes Act underwent the full legislative process, including readings, committee scrutiny and amendments, before being passed by Parliament and signed into law.
The Cyber Security Act No. 3 of 2025 focuses on the protection of Zambia’s critical information infrastructure.
It provides measures to prevent, detect and respond to cyber threats targeting key sectors such as banking, healthcare, telecommunications, mobile money services and government systems.
The Act establishes institutions responsible for managing national cyber security, including the Zambia Cyber Security Agency and a Cyber Incident Response Team, mandated to coordinate responses to cyber incidents.
It also provides for sector-specific response teams in areas such as finance, health and communications, ensuring that cyber threats are addressed by specialised personnel.
The Act sets out a coordinated national framework to ensure preparedness and resilience in the event of cyber attacks.
And the Cyber Crimes Act No. 4 of 2025 is designed to protect individuals from criminal activity conducted through digital platforms.
It criminalises offences including cyber bullying, online harassment, threats, fraud, identity theft and offences relating to child online protection.
The objective of the law is to ensure that citizens can use digital platforms safely and with confidence, while holding offenders accountable for harmful online conduct.
According to the Act, it is intended to “provide for offences relating to computers and computer systems; provide for the protection of persons against cyber crimes; provide for child online protection; and provide for matters connected with, or incidental to, the foregoing.”
One of the notable provisions under the Cyber Security Act is the criminalisation of tracking or sharing a person’s geolocation information without their consent.
Section 31 prohibits the use of electronic, mechanical or other devices to acquire, disclose or intercept another person’s location data without clear and informed permission, as defined under the Data Protection Act of 2021.
The offence attracts a penalty of up to 500,000 penalty units, imprisonment for a term not exceeding five years, or both.
The provision applies to individuals, employers, investigators or any other parties who unlawfully monitor or disclose location information.
It is also aimed at protecting children from harmful online acts.
By Catherine Pule
Kalemba, December 31, 2025
