
Securing the Digital Frontier: A Critical Analysis of Legislative Gaps in Ethiopia’s Cyber Security Regime

Authored By: Betelhem Tikue Hailu

Abstract 

Ethiopia’s “Digital Ethiopia 2025” agenda is accelerating digital transformation, but cyber security law and institutions remain underdeveloped. While the Personal Data Protection Proclamation No. 1321/2024 marks progress, key gaps persist. The Computer Crime Proclamation No. 958/2016 is outdated, no comprehensive cyber security law exists, critical infrastructure lacks protection, and incident response mechanisms are weak. This article argues that closing these gaps through legal and institutional reform is essential to safeguard citizens, businesses, and state systems, and to secure the success of Ethiopia’s digital ambitions.

  1. Introduction 

Ethiopia’s rapid digital growth, driven by telecom liberalization, mobile money, and digital ID programs, is central to its “Digital Ethiopia 2025” strategy.1 However, this progress has also increased exposure to cyber threats like ransomware, data breaches, and infrastructure attacks. Recent incidents, including attempted cyber-attacks on the Grand Ethiopian Renaissance Dam2 and a major data breach at the Commercial Bank of Ethiopia3, highlight the critical gap between technological adoption and legal readiness.

While Ethiopia has foundational laws such as the Computer Crime Proclamation No. 958/2016, its legal framework remains fragmented and reactive. The recent Personal Data Protection Proclamation No. 1321/2024 marks significant progress but addresses only one aspect of cyber security. This article argues that Ethiopia’s current legal regime lacks the comprehensive and proactive measures needed to ensure digital security. It analyzes legislative developments, identifies key vulnerabilities, and proposes a clear path forward to safeguard Ethiopia’s digital future.

  2. Research Methodology

This article employs a doctrinal and analytical research methodology. The analysis is grounded in a systematic review of primary legal sources, including Ethiopian proclamations and official government reports. The approach integrates case studies of recent cyber incidents to bridge theory with practice.

3.1. The Existing Legal Framework: A Patchwork of Provisions 

Ethiopia’s digital law landscape has evolved from a narrow focus on criminal sanction towards a more nuanced, though still incomplete, regulatory approach.

The cornerstone of cybercrime regulation remains the Computer Crime Proclamation No. 958/2016.4 This law criminalizes essential offences such as unauthorized access5, data interference6, and system interference7. While a significant improvement over its 2001 predecessor, the proclamation functions primarily as a penal code. It lacks detailed provisions on emerging threats like ransomware-as-a-service and creates no positive obligations for organizations to implement cyber security measures.

The most significant recent development is the Personal Data Protection Proclamation No. 1321/2024. This landmark legislation establishes a legal basis for data security. It imposes a direct obligation on data controllers and processors to implement “appropriate technical and organizational measures” to ensure a level of security commensurate with the risk.8 This creates a statutory duty of care for data security, violation of which could lead to administrative sanctions from the newly established Ethiopian Data Protection Commission.

3.2. Critical Analysis: Identifying the Legislative Gaps 

3.2.1. The Absence of a Comprehensive Cyber Security Law

Ethiopia’s most significant weakness is the lack of a dedicated, overarching cyber security law. There is no legislation that establishes a national cyber security strategy, defines the roles and responsibilities of different government entities, or mandates the creation of a formal national Computer Emergency Response Team (CERT).9 This contrasts with regional peers like Kenya, which enacted a specific Cybersecurity Act in 2024.10 The current approach spreads responsibilities thinly across various laws without central coordination, leading to inefficiency and gaps in national defense.11

3.2.2. Inadequate Protection for Critical Information Infrastructure (CII)

A profound vulnerability is the lack of a legal process for identifying and securing CII. Vital systems such as national power grids, financial market infrastructures, and telecommunications networks operate without legally mandated, risk-based cyber security standards. The 2022 attempted cyber-attacks on the GERD12 exemplify this threat. The Data Protection Proclamation applies to personal data, but it does not cover the operational technology and industrial control systems that underpin CII, leaving a crucial aspect of national security unregulated.

3.2.3. Weak Mandatory Incident Reporting and Response 

While the Data Protection Proclamation introduces a data breach notification requirement to the Data Protection Commission, a broader, mandatory incident reporting system for significant cyber-attacks across all sectors is absent. The lack of a centralized CERT (Computer Emergency Response Team) means there is no single, specialized body to coordinate national responses to major cyber incidents, share threat intelligence, or provide technical assistance to vulnerable entities. This hinders national situational awareness and a cohesive response.

3.3. Bridging Theory and Practice: Case Studies in Legislative Inadequacy 

Case Study: The Commercial Bank of Ethiopia Data Incident (2024)

In 2024, the CBE publicly disclosed the names and photographs of individuals allegedly involved in unauthorized withdrawals following a system glitch.13 This action sparked widespread condemnation as a violation of customer privacy. It is crucial to note that this incident occurred before the enactment of the Personal Data Protection Proclamation No. 1321/2024. Therefore, it does not demonstrate a failure of that new law but rather serves as a powerful illustration of the legal vacuum that existed and the pressing need for a robust data protection regime. It highlights the practical consequences of unclear accountability and the absence of an active data authority.

  4. Suggestions / Way Forward

To effectively secure its digital ecosystem, Ethiopia should pursue the following reforms:

Enact a Dedicated Cyber Security Law: This law should establish a national cyber security agency, define and create a registry for CII, and mandate the creation of a national CERT as a central hub for incident response and threat intelligence sharing.14

Develop Sector-Specific Regulations: Sector regulators (e.g., National Bank of Ethiopia for finance) should be empowered to issue detailed cyber security regulations based on the risk profiles of their industries, building on the model of the Payment System Proclamation.

Operationalize the Data Protection Commission: The government must ensure the newly established Data Protection Commission receives adequate funding and technical expertise to effectively monitor compliance and enforce the data security mandates of Proclamation No. 126/2024.

Modernize Criminal Procedure: The Criminal Procedure Code and laws of evidence should be updated to explicitly address the collection, preservation, and admissibility of digital evidence, enhancing the judiciary’s capacity to handle cybercrime cases.

  5. Conclusion

Ethiopia’s digital ambition is promising but fragile. Despite progress with the Data Protection Proclamation, the legal framework remains fragmented and unfit for 21st-century cyber threats. Gaps in strategy, critical infrastructure protection, and incident response pose systemic risks to “Digital Ethiopia 2025.” The priority now is a cohesive, proactive framework to secure the digital future, protect the economy, and uphold citizens’ rights.

  6. References

‘CBE reports massive cyber-attack attempts amid internal glitch causing loss of millions of birr’ Addis Standard (March 19, 2024)

Computer Crime Proclamation No. 958/2016, Federal Negarit Gazeta of the Federal Democratic Republic of Ethiopia, 21st Year No. 56 (2016).

‘Cyber-attack Attempts on Grand Ethiopian Renaissance Dam Thwarted’ Ethiopian Monitor (3 May 2022).

Cybersecurity Act, No. 18 of 2024 (Kenya).

‘Digital Ethiopia 2025 Strategy’ (Ethiopian Ministry of Innovation and Technology, 2020).

‘INSA Foils Over 6,700 Cyber-attack Attempts’ Ethiopian Monitor (24 July 2023).

Kibreab A Dane, ‘The Current Status of Cyber Security in Ethiopia’ (ResearchGate, 12 May 2022)

Markos, Yabets, Cyber Security Challenges that Affect Ethiopia’s National Security (Addis Ababa University School of Graduate Studies, Department of Political Science and International Relations,

Personal Data Protection Proclamation No. 1321/2024, Federal Negarit Gazeta of the Federal Democratic Republic of Ethiopia, 30th Year No. 14 (2024).

The Invisible Battlefield: Analyzing Cybersecurity Threats and Their Implications on Ethiopian National Security (2013-2023)

1 ‘Digital Ethiopia 2025 Strategy’ (Ethiopian Ministry of Innovation and Technology, 2020).

2 ‘From Megawatts to Malware: Why cybersecurity holds key to securing Ethiopia’s GERD’ Addis Standard (September 2025)

3 ‘Rights groups challenge CBE’s “name and shame” policy, describe it as a “violation of privacy law”’ Addis Standard (13 June 2024).

4 Computer Crime Proclamation No. 958/2016, Federal Negarit Gazeta of the Federal Democratic Republic of Ethiopia, 21st Year No. 56 (2016).

5 Article 4 of Computer Crime Proclamation No 958/2016

6 Article 5 of Computer Crime Proclamation No 958/2016

7 Article 6 of Computer Crime Proclamation No 958/2016

8 Article 16 and 17 of the Personal Data Protection Proclamation No. 1321/2024.

9 Kibreab A Dane, ‘The Current Status of Cyber Security in Ethiopia’ (12 May 2022)

10 Cybersecurity Act, No. 18 of 2024 (Kenya).

11 Kibreab A Dane, ‘The Current Status of Cyber Security in Ethiopia’ (ResearchGate, 12 May 2022)

12 ‘Cyber-attack Attempts on Grand Ethiopian Renaissance Dam Thwarted’ Ethiopian Monitor (3 May 2022).

13 ‘CBE reports massive cyber-attack attempts amid internal glitch causing loss of millions of birr’ Addis Standard (March 19, 2024)

14 INSA’s mission is to protect Ethiopia’s national interest by building a capability that enables to safeguard the country’s information and information infrastructures. All of it, within the values of Resilience, Making Difference, Integrity, Respect for the people and Respect for the law.
