Authored By: Ntando Madonsela
North West University
Abstract:
This article critically analyses Section 54 of the Cybercrimes Act 19 of 2020, placing it within the wider context of cybersecurity regulations in South Africa, which encompass the Protection of Personal Information Act (POPIA) and the Regulation of Interception of Communications Act (RICA). It assesses whether the obligations imposed are sufficiently clear, constitutionally valid, and capable of being enforced. Particular attention is paid to the ambiguous standard of “awareness” that initiates reporting, the conflict between the obligations and data protection duties, and the absence of comprehensive implementing regulations.
Through doctrinal analysis, comparative insights, and references to judicial precedent, this article argues that Section 54 suffers from definitional ambiguity, institutional fragmentation, and regulatory unpredictability. Although the provision moves South Africa closer to international best practices, its ambiguity compromises constitutional rights and hinders effective enforcement.
The article concludes with recommendations for improving statutory definitions, aligning Section 54 with POPIA and RICA, and creating robust oversight systems. In the absence of these reforms, Section 54 could create legal uncertainty and risk without meaningfully enhancing South Africa’s ability to enforce cybercrime.
Introduction
Cybercrime represents a critical legal and policy challenge in the 21st century. South Africa, recognised for its advanced digital economy within Africa, has become a hub for online financial transactions and a primary target for cybercrime. The Cybercrimes Act 19 of 2020 was enacted to address this issue by unifying cybercrime offences and equipping law enforcement with necessary prosecutorial and investigative resources.1 Within this framework, Section 54 establishes legal obligations for electronic communications service providers (ECSPs) and financial institutions to report cybercrime incidents and preserve relevant data. These institutions play an important role: they serve as intermediaries between cybercriminals and their victims and often have in their possession the evidence required for effective prosecution.
However, the responsibilities outlined in Section 54 pose complex issues. What does it mean for a service provider to “become aware” of a cybercrime? Should awareness rely on suspicion, or must it be supported by conclusive evidence? How can institutions reconcile their obligations to preserve and disclose information with the strict privacy and security standards set by the Protection of Personal Information Act (POPIA)? And, importantly, does Section 54 align with constitutional values and protections, especially the right to privacy in terms of Section 14 of the Constitution of the Republic of South Africa2 and the right to a fair trial in terms of Section 35?
This article analyses Section 54 not as an isolated statutory provision but as an integral component of the evolving cybersecurity framework in South Africa. The analysis will progress through multiple facets: the doctrinal framework and legislative context of the section, the constitutional and practical challenges stemming from its obligations, the regulatory ambiguity resulting from delayed proclamation and insufficient guidance, and the judicial precedent related to cybercrime issues.
The central argument is that Section 54 may prove ineffective and constitutionally vulnerable unless statutory definitions are clarified, related legislation is harmonised, and oversight mechanisms are strengthened. By critically evaluating the potential impact of Section 54, the article identifies deficiencies in its formulation and implementation, and provides recommendations for reform, thereby contributing to broader academic and policy discussions.
Legal Framework:
Overview of Section 54 of the Cybercrimes Act 19 of 2020
Section 54 establishes an obligation for electronic communications service providers (ECSPs) and financial institutions to report specified cybercrimes and preserve evidence relevant to investigations. The provision requires that, upon becoming “aware” that their systems or services are being used in criminal activities listed under chapter 2 of the Act, the service providers must report such activities to the South African Police Service without undue delay.3 Service providers are also required to preserve any information pertinent to the offence.4
Non-compliance with Section 54 constitutes an offence punishable by a fine not exceeding R50,000.5 However, the provision also clarifies that ECSPs and financial institutions are not obliged to proactively search for evidence of unlawful activities.6 This exemption seeks to balance investigatory assistance with respect for constitutional protections such as privacy in terms of Section 14.
Section 54(2) empowers the Minister of Police, in consultation with the Minister of Justice, to prescribe by regulation the categories of criminal offences subject to mandatory reporting and the procedures that should be followed in such reporting.7 As of 2024, these requirements had not been fully promulgated, creating a degree of uncertainty regarding the precise scope of reporting obligations.
Interaction with Related Legislation
The Protection of Personal Information Act (POPIA)
POPIA imposes strict data protection and breach notification requirements on all entities processing personal information.8 As mandated by Section 22, organisations must notify both the Information Regulator and affected data subjects promptly after identifying a security compromise.9 This requirement closely mirrors the 72-hour notification window in Section 54, creating potential overlaps and conflicting obligations.10 For instance, a financial institution experiencing a data breach due to hacking may be required to report to both the South African Police Service under the Cybercrimes Act and the Information Regulator under the Protection of Personal Information Act.
The coexistence of these regulatory frameworks may result in compliance challenges. The Protection of Personal Information Act11 focuses on the safeguarding of personal data and the maintenance of consumer trust, whereas Section 54 of the Cybercrimes Act focuses on criminal enforcement. In the absence of clear coordination mechanisms, regulated entities risk duplicating mandatory reports or unintentionally violating confidentiality requirements.
The Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA)
RICA governs the interception and monitoring of communications, mandating judicial authorisation for surveillance activities.12 The Act aims to ensure that investigatory powers do not infringe the constitutional right to privacy in section 14 of the Constitution of the Republic of South Africa.13 Consequently, the obligations under Section 54 must be interpreted consistently with RICA’s protections. A service provider preserving information pursuant to Section 54 may, in certain contexts, be at risk of inadvertently engaging in unauthorised interception if the preservation process captures ongoing communication instead of solely stored data.
The National Cybersecurity Policy Framework, established in 2015,14 delineates responsibilities for institutions including the State Security Agency (SSA), the South African Police Service, and the Council for Scientific and Industrial Research (CSIR).15 Section 54 operationalises this policy objective by promoting information exchange between private and public sectors. Nevertheless, the absence of a central coordinating authority has resulted in fragmented implementation.
Constitutional Rights Implicated by Section 54:
Section 14 of the Constitution – The Right to Privacy
The right to privacy extends beyond the home to include digital communications and data protection.16 Section 54’s reporting and preservation obligations require the handling of personal and sensitive information. While the non-monitoring clause protects against routine surveillance, the absence of judicial oversight in preservation processes may present constitutional risks.
Courts have consistently held that state access to private information must occur within a clear and predictable framework.17
Section 35(3) of the Constitution – Right to a Fair Trial
The preservation and disclosure of digital evidence can affect the fairness of criminal proceedings. In S v Ndiki (2022), the Eastern Cape High Court emphasised that evidence obtained without judicial authorisation, even in cybercrime cases, may be deemed inadmissible.18 This highlights the need for Section 54 reporting to occur within appropriate procedural safeguards to maintain the integrity of evidence and protect the rights of accused persons.
The Rule of Law and Legal Certainty
The principle of legality, central to the rule of law, requires that legislation be clear and predictable.19 The use of undefined terms such as “becomes aware,” “without undue delay,” and “where feasible” in Section 54 raises concerns regarding vagueness and the risk of arbitrary enforcement.20 The Constitutional Court in Affordable Medicines Trust v Minister of Health21 determined that vague laws violate the rule of law by failing to provide sufficient guidance to those subject to them. Consequently, the lack of precision in Section 54 could render it constitutionally questionable if its enforcement leads to disproportionate or arbitrary liability.
Synthesis of the Legal Framework
Section 54 operates at the intersection of three legal imperatives: effective law enforcement, data protection, and constitutional rights. While the provisions aim to foster cooperation between private entities and the state, ambiguities and the absence of implementing regulations have limited its operational readiness. Consequently, the statutory obligation is progressive in principle yet uncertain in practice. Its effectiveness depends on harmonisation with POPIA and RICA, the development of clear reporting procedures, and consistent judicial interpretation that safeguards fundamental rights while ensuring accountability for cybercrime.
Recent Development and Judicial Interpretation
Legislative and Policy Development
South Africa’s cybercrime enforcement landscape has undergone a significant transformation since the Cybercrimes Act 19 of 2020 came into operation.22 The Act repealed overlapping provisions in the Electronic Communications and Transactions Act (ECTA) of 2002,23 consolidating offences and aligning domestic law with the Budapest Convention on Cybercrime,24 to which South Africa acceded in 2022. This alignment represented a substantial policy advancement, demonstrating South Africa’s commitment to international cooperation in the investigation and prosecution of cybercrimes.
The implementation of Section 54 has encountered significant regulatory and institutional challenges. Although the provision has been enacted, the Ministerial regulations required under Section 54(2), which are intended to specify reporting procedures, offence categories, and timeframes, remain largely unpromulgated as of 2025. This regulatory omission has resulted in inconsistent compliance across sectors. Financial institutions typically interpret Section 54 conservatively, frequently reporting incidents through internal risk channels or to the South African Reserve Bank’s Prudential Authority rather than directly to the South African Police Service (SAPS). In contrast, telecommunications entities primarily depend on internal cyber incident response teams and the guidance of the National Cybersecurity Hub, which offers only limited coordination with public law enforcement.
These regulatory omissions have prompted ongoing discussions within the Department of Justice and Constitutional Development concerning the necessity for harmonised incident-reporting regulations. Industry bodies have expressed concerns regarding operational uncertainty and have cautioned that excessive compliance could expose entities to liability under the Protection of Personal Information Act due to unnecessary data disclosure.
Judicial Development and Interpretative Trends
Although Section 54 has not yet been directly interpreted by the judiciary, several South African court decisions provide insight into how its operative terms and constitutional implications may be construed.
Awareness and Reporting Obligations
The phrase “becomes aware” in Section 54(1) is pivotal. Although the Act does not define this term, courts are likely to interpret it according to the principle of constructive awareness, meaning that a reasonable provider in similar circumstances should have known that a cybercrime was occurring. The decision in Global Technology Systems v State (2023, GP High Court)25, while not directly addressing the Cybercrimes Act, is instructive. The court determined that corporate liability for electronic fraud may arise from negligence in maintaining secure systems, even without direct intent. This reasoning may inform the assessment of awareness under Section 54, indicating that entities cannot rely on ignorance when system alerts or anomalies suggest potential offences.
Preservation and Admissibility of Digital Evidence
Several cases, including S v Ndiki (2022, ECHC)26, have addressed the handling and admissibility of digital evidence. In this case, the court excluded evidence obtained through unauthorised interception, stressing the need for law enforcement to comply with RICA and constitutional safeguards. In S v Ndlovu (2021, KZP)27, the court highlighted the importance of maintaining a proper chain of custody and verifying the integrity of electronic data. These precedents are relevant to Section 54, as they show that information must be preserved and handled lawfully to remain admissible.
Judicial standards for admissibility reflect a commitment to constitutional requirements in complex technological cases. Section 54 is effective only if statutory requirements are met and robust procedures for preserving digital evidence are in place.
Privacy and Surveillance Concerns
The Constitutional Court’s decision in AmaBhungane Centre for Investigative Journalism NPC v Minister of Justice (2021)28 further clarifies the context of Section 54. The Court found RICA’s surveillance framework unconstitutional because it lacked post-surveillance notification and independent oversight. While Section 54 does not directly authorize surveillance, its data preservation requirements could impact privacy rights if institutions are required to retain user data longer than necessary. The AmaBhungane ruling highlights the need for oversight and accountability in any legislation that allows indirect data retention.
Comparative Developments
Internationally, Section 54’s model aligns with data breach and cyber incident reporting frameworks in the European Union (EU) and the United States. The EU’s NIS2 Directive (2023)29 requires essential entities to report cybersecurity incidents within 72 hours to competent authorities. Similarly, the U.S. Cyber Incident Reporting for Critical Infrastructure Act (2022)30 mandates a 72-hour reporting period. However, these frameworks are supported by detailed guidance and explicit institutional mandates, which are currently absent from South Africa’s regulatory environment.
Compared to other frameworks, South Africa’s Section 54 has a solid foundation but is not fully developed in practice. Without a single cyber incident response authority, like an independent Computer Security Incident Response Team (CSIRT) with legal powers, enforcement remains fragmented. The National Cybersecurity Hub moves in the right direction, but it does not have the authority or resources needed to be fully effective.
Recommendations:
The analysis above shows that Section 54 of the Cybercrimes Act 19 of 2020 is a major step toward bringing South Africa’s domestic law in line with international cybercrime standards. However, it suffers from conceptual vagueness, regulatory incompleteness, and institutional fragmentation.
The following reforms are suggested to strengthen its constitutional soundness and practical impact:
Promulgate clear implementing regulations:
The Minister of Police, in consultation with the Minister of Justice, should urgently promulgate detailed regulations under Section 54(2). These should outline specific categories of cybercrimes that must be reported, the reporting procedure, and the exact form and time frame for compliance. The term “become aware” should be defined to mean “reasonably believes based on identifiable indicators of compromise.”
Introduce Judicial or Independent Oversight:
A dedicated judicial or quasi-judicial mechanism should supervise the preservation and use of data obtained under Section 54. This would align the provision with AmaBhungane’s constitutional standard for privacy protection and reduce the risk of arbitrary or disproportionate data retention.
Establish a Centralised Cyber Incident Response Authority:
A statutory body similar to a Computer Security Incident Response Team (CSIRT) should be created under the National Cybersecurity Policy Framework31 to serve as the primary recipient and processor of cyber incident reports. This body should liaise with SAPS, the State Security Agency, and the Information Regulator to ensure coordinated responses.
Harmonise Section 54 with POPIA and RICA:
Legal coherence requires that Section 54’s reporting and preservation obligations be cross-referenced with data protection and interception laws. Institutions should not face conflicting obligations under different statutes.
Conclusion:
Section 54 of the Cybercrimes Act 19 of 2020 remains an important but not fully developed component of South Africa’s evolving cybersecurity framework. It aims to operationalise public–private cooperation in the prevention, detection, and prosecution of cyber offences. However, as this article has shown, its current formulation is doctrinally ambiguous, constitutionally precarious, and practically uncertain.
In terms of doctrine, its key terms lack the precision demanded by the principle of legality, which results in entities being unsure of when and how to report. Constitutionally, it treads a fine line between legitimate law enforcement and unjustified privacy intrusion. Institutionally, it operates within a fragmented cyber-governance architecture, limiting its effectiveness.
If enacted with clear regulations, backed by oversight systems, and aligned with current data protection laws, Section 54 could serve as a foundation for cyber resilience. Its potential resides in creating a cooperative structure where private entities and public agencies collaborate to safeguard the digital space while preserving constitutional rights.
In its current state, Section 54 embodies the larger difficulty of South Africa’s digital legal framework: advanced in theory, cautious in practice. The future of cybersecurity law in South Africa depends on transforming this latent legislative intent into real institutional measures.
Bibliography
Cases
Affordable Medicines Trust and Others v Minister of Health and Another [2005] ZACC 3; 2006 (3) SA 247 (CC); 2005 (6) BCLR 529 (CC) (Constitutional Court)
Minister of Health and Another v New Clicks South Africa (Pty) Ltd and Others 2006 (2) SA 311 (CC)
S v Ndiki and Others (case involving digital evidence, Eastern Cape Division, 2022)
AmaBhungane Centre for Investigative Journalism NPC v Minister of Justice 2021 (CC)
Global Technology Systems v State 2023
Legislation
Cybercrimes Act 19 of 2020
Protection of Personal Information Act 4 of 2013
Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002
Constitution of the Republic of South Africa, 1996
Electronic Communications and Transactions Act 25 of 2002
Cyber Incident Reporting for Critical Infrastructure Act of 2022 (US)
Policy Instruments and Regulations
Republic of South Africa, National Cybersecurity Policy Framework (2015) Government Gazette No 39475 (4 December 2015)
Information Regulator (South Africa), Guidelines on Completing a Security Compromise Notification in Terms of Section 22 of the Protection of Personal Information Act
Websites and blogs
VDT Attorneys, “Data breaches in terms of POPIA: what you need to know” (VDT, 16 April 2021)
“An overview of cybercrime law in South Africa” (PMC Journal, 2023)
Constitutional Law of South Africa (2nd edn, Juta 2018) ch 11 (Rule of Law and the Principle of Legality).
International Instruments:
Budapest Convention on Cybercrime, opened for signature 23 November 2001, ETS No 185 (entered into force 1 July 2004)
Directive (EU) 2023/2555 of the European Parliament and of the Council of 13 December 2023 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 [2023] OJ L 333/1.
1 Cybercrimes Act 19 of 2020.
2 Section 14 of the Constitution of the Republic of South Africa, 1996
3 Ibid, section 54(1).
4 Ibid, section 54(1)(b).
5 Ibid, section 54(3).
6 Ibid, section 54(4).
7 Ibid, section 54(2).
8 Protection of Personal Information Act 4 of 2013, ss 1-4.
9 Ibid. ss 21(1)-(2); see also Guidelines on completing a Security Compromise Notification under section 22, para 7.
10 VDT Attorneys, “Data breaches in terms of POPIA” 2021.
11 Protection of Personal Information Act.
12 RICA 70 of 2002.
13 Section 14 of the Constitution of the Republic of South Africa.
14 National Cybersecurity Policy Framework for South Africa No. 39475(67).
15 PubMed Central “An overview of cybercrime law in South Africa” section on chapter 8 and institutional roles.
16 POPI Act 4 of 2013.
17 Minister of Health v New Clicks South Africa [2005] ZACC 14; 2006 (8) BCLR 872 (CC); 2006 (2) SA 311 (CC).
18 S v Ndiki and others [2007] 2 All SA 185 (Ck)
19 Affordable Medicines Trust v Minister of Health [2005] ZACC 3; 2006 (3) SA 247 (CC); 2005 (6) BCLR 529 (CC).
20 Ibid.
21 Ibid.
22 Cybercrimes Act 19 of 2020.
23 Electronic Communications and Transactions Act 25 of 2002.
24 Budapest Convention on Cybercrime and European Union.
25 Global Technology Systems v State (2023).
26 S v Ndiki (2022, ECHC).
27 S v Ndlovu (2021, KZP).
28 AmaBhungane Centre for Investigative Journalism NPC v Minister of Justice (2021).
29 Directive (EU) 2023/2555 of the European Parliament and of the Council of 13 December 2023.
30 Cyber Incident Reporting for Critical Infrastructure Act of 2022.
31 National Cybersecurity Policy Framework for South Africa No. 39475(67).





