A close-up of Rwanda’s regulatory approach to data governance, content moderation, competition, artificial intelligence, and more.
The “DPA Digital Digest” series provides concise summaries of each economy’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.
Rwanda is emerging as a digital leader in Africa. The Information and Communication sector contributed RWF 67 billion to the GDP in Q3 2024, a 19% year-on-year growth, according to the National Institute of Statistics. The government aims to increase this share to 35% by 2030. To support digital transformation, the government introduced initiatives such as the Economy Digitalization Program, the National Strategy for Transformation, and the Rwanda Innovation Fund. Internationally, Rwanda is engaging in digital trade under the African Union and other international initiatives. Recently, Rwanda established partnerships with Starlink, Google, and Alibaba.
But what do Rwanda’s domestic digital policies stand for? Our DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Rwanda-specific points of emphasis.
Data governance: Rwanda implemented the Personal Data Protection Law, established cybersecurity rules, and participated in international frameworks on data governance.
Content moderation: Rwanda established frameworks to protect children online and combat illegal content.
Competition policy: Rwanda applied its competition law to the digital economy and announced sectoral competition rules for telecommunications and e-commerce.
Artificial Intelligence: Rwanda released the National AI Policy and participated in various international AI governance initiatives.
Rwanda’s points of emphasis include the taxation of the digital economy and licensing requirements.
Jump directly to the section that interests you most:
Discover the details of Rwanda's regulatory approach on our dedicated country page.
Remain up-to-date on new and upcoming developments with our free notification service.
Written by Maria Buza and Sherif Taha. Edited by Tommaso Giardini.
In October 2021, Rwanda implemented the Law Relating to the Protection of Personal Data and Privacy (DPP Law). The Law applies to data controllers and processors and introduces obligations to uphold accuracy, accountability, and data minimisation. For the processing of sensitive personal data, explicit consent or legitimate justification are required. Individuals are granted rights to access, correct, and object to data processing. Controllers and processors must implement security measures and notify data breaches within 48 hours. Additionally, the Law requires data controllers and processors to register with the National Cyber Security Authority (NCSA), as well as designate a local representative if based outside of Rwanda. The NCSA, established in July 2017, oversees data governance and established its Data Protection Office in 2022.
In August 2024, Rwanda launched its National Cybersecurity Strategy. It outlines seven objectives to strengthen cybersecurity, including improving risk management, protecting critical infrastructure, and fostering international collaboration. The main cybersecurity framework is the 2018 Law on the Prevention and Punishment of Cyber Crimes. It criminalises offences, including unauthorised system access and data interception, and establishes obligations to report cybercrimes and inform customers about cyber threats. Additional obligations apply to critical infrastructure providers, including data integrity measures and disaster recovery plans. Further infrastructure cybersecurity obligations were established by the NCSA in July 2023 and the Rwanda Utilities Regulatory Authority in May 2020. Finally, the National Bank of Rwanda issued cybersecurity rules for financial institutions in June 2022.
On the international level, Rwanda participates in initiatives related to data governance.
In October 2024, Rwanda endorsed the International Counter Ransomware Initiative Joint Statement reinforcing commitments to combat ransomware.
In August 2024, Rwanda joined negotiations for the United Nations Cybercrime Convention.
In February 2024, Rwanda joined the Pall Mall Process on regulating spyware.
In January 2024, Rwanda acceded to the Budapest Convention on Cybercrime.
In February 2022, Rwanda adopted the African Union Data Policy Framework, which includes provisions on data protection, cybersecurity, and cross-border data transfers.
In November 2019, Rwanda ratified the African Union Convention on Cyber Security and Personal Data Protection, which covers data subject rights and cybersecurity, among others.
Rwanda maintains several data localisation requirements. The DPP Law generally requires personal data to be stored within Rwanda, unless the data controller or processor obtains a certificate from the supervisory authority. The 2017 National Data Revolution Policy requires critical government data to be hosted in a national data centre, allowing foreign storage of personal data only with prior approval. Regulations governing telecommunications network security from 2016 prohibit the transfer, storage, or processing of subscriber information outside of Rwanda.
The DPP Law outlines three mechanisms for cross-border data transfers: authorisation from the supervisory authority (with proof of safeguards), consent from the data subject, or specific exceptions for necessary transfers, such as contract performance or public interest. Generally, the transferor and recipient must sign a contract, for which the Data Protection Office issued standard contractual clauses in February 2024.
The NCSA Data Protection Office (DPO) oversees data governance and regularly issues guidelines.
In July 2024, the DPO issued guidance on designating representatives for data controllers and processors based outside Rwanda, to address data subject requests, collaborate with the NCSA, and maintain records.
In April 2024, the DPO issued guidance on contractual provisions for data processing, outlining the scope of processing, security measures, and data subject rights.
In June 2023, the DPO issued guidance on registration for data controllers and processors, including an online application form with details about the entity, personal data processed, data processors involved, data transfer practices, and security measures.
Previously, the DPO published guidance on data protection principles, data portability, and the role of data controllers and processors.
There are currently no public, official sources on enforcement action by the NCSA or the DPO. In May 2017, the Rwanda Utilities Regulatory Authority, responsible for the telecommunications sector, fined MTN Rwanda FRW 7.03 billion (approx. USD 6.8 million) for hosting its IT services outside the country.
Rwanda's content moderation framework is built on several regulatory frameworks, ranging from measures to protect children online to obligations to address illegal content.
In January 2024, the Minister of Information, Communication, Technology and Innovation adopted the order on the protection of children online, building on the Child Online Protection Policy. The order mandates the use of content filtering tools, parental controls, and age verification to restrict minors' access to harmful content. Harmful content is defined as material that could negatively impact a child's development, such as child sexual abuse content or explicit sexual content. Digital content providers must implement measures to identify, manage, and filter inappropriate material while ensuring that age-suitability indicators are displayed. Internet service providers are required to block harmful content, particularly related to child abuse and explicit material.
The 2018 Law on Prevention and Punishment of Cyber Crimes prohibits the distribution of illegal content, which includes content related to child exploitation, terrorism, human trafficking, and drug trafficking. It also addresses harmful content, such as indecent information and rumours that may incite fear or violence. Service providers, including firms that process or store computer data on behalf of users, must provide user reporting mechanisms and remove content notified as illegal or harmful by the authorities. Additionally, the Law on Genocide Ideology and Related Crimes criminalises the denial, minimisation, or justification of genocide, including online.
The 2016 Law Governing Information and Communication Technologies prohibits the dissemination of content deemed "grossly offensive," "indecent," or intended to cause "annoyance, inconvenience, or needless anxiety" via public electronic communication networks. It grants authorities the power to suspend or restrict network or service operations to safeguard public safety or national security.
Rwanda also participates in international online safety initiatives. In May 2024, Rwanda adopted the Child Online Safety and Empowerment Policy as part of the African Union The policy establishes guidelines to ensure the protection of children's rights within the digital sphere. In February 2024, Rwanda endorsed the Association of African Election Authorities guidelines for the responsible use of digital and social media in elections. The guidelines focus on accountability, preventing disinformation, and protecting election integrity.
There are currently no public, official sources on enforcement action or guidelines related to Rwanda's content moderation framework.
Rwanda has not adopted specific rules for digital competition and instead applies the 2012 Law on Competition and Consumer Protection. The Law prohibits the abuse of a dominant position by enterprises, defining such abuse as conduct that restricts market entry, prevents competition or eliminates competitors. Additionally, the Law regulates mergers, requiring enterprises to notify acquisitions and obtain approval if they meet specific thresholds. The Rwanda Competition and Consumer Protection Authority (RCCA), established in August 2017, oversees these competition rules and protects consumer rights. As of now, the RCCA has yet to issue these thresholds.
In September 2023, the Cabinet approved the revised Competition and Consumer Protection Policy. Under the Policy, RICA is tasked with regulating mergers and acquisitions as well as addressing challenges posed by the digital economy. RICA must monitor market competition, identify regulatory and government barriers to competition, and work alongside sector-specific regulators and other government bodies to address related challenges.
The Rwanda Utilities Regulatory Authority (RURA) issued sectoral frameworks related to competition. In March 2021, RURA implemented the regulation on promotion by telecommunication operators which includes provisions to prevent anti-competitive behaviour. Operators are prohibited from engaging in predatory pricing and discrimination. RURA can restrict promotions and impose fines, with decisions binding unless overturned by a court. In February 2021, RURA announced regulations for the e-commerce sector and delivery companies.
There are currently no public, official sources on enforcement action or guidelines related to Rwanda's content moderation framework.
Rwanda has not yet adopted laws or regulations specifically governing the development and use of Artificial Intelligence (AI). In April 2023, the Ministry of Information Communication Technology and Innovation (MINICT) released the National AI Policy, which serves as the country’s primary AI framework and outlines a roadmap to maximise AI benefits while mitigating risks. The policy includes provisions for establishing a Responsible AI Office under MINICT and empowers the Rwanda Information Society Authority to oversee national AI initiatives and draft measures on AI.
In October 2022, the MINICT conducted an AI readiness assessment to evaluate Rwanda's preparedness for AI adoption as part of the “AI for Africa” blueprint. It assessed the AI development landscape and proposed strategies to enhance Rwanda’s global AI standing.
On the international level, Rwanda has engaged in multiple initiatives on AI:
In February 2025, Rwanda joined representatives from the African Union, European Union, G20, G7, and the United Nations in signing the Statement on Inclusive and Sustainable Artificial Intelligence for People and the Planet during the AI Action Summit in Paris. At previous AI Action Summits, Rwanda participated in the Seoul Declaration on Commitments to Address Severe AI Risks and the Bletchley Declaration on AI Safety.
In September 2024, Rwanda collaborated with Singapore to issue an AI Playbook for Small States, providing guidance on AI governance.
The African Union, of which Rwanda is a member, adopted the Continental AI Strategy, the AI Governance Framework, the AI for Sustainable Youth Development framework, and the cooperation on AI research and development with China.
In February 2024, the Digital Trade Protocol to the African Continental Free Trade Area was adopted. It requires parties to facilitate the adoption and regulation of emerging and advanced technologies, aligning with public policy and security interests, and developing governance frameworks ensuring ethical, trusted, safe, and responsible use.
There are currently no public, official sources on enforcement action or guidelines related to Rwanda's artificial intelligence framework.
In February 2025, the Ministry of Finance and Economic Planning announced that the Cabinet plans to introduce a 1.5% Digital Services Tax for foreign companies providing online services in Rwanda. No further detail is available at present. The Rwanda Revenue Authority previously published a report outlining challenges in implementing a DST, particularly concerning the financial impact on unprofitable businesses. In addition, in October 2022, Rwanda expanded the scope of its income tax to cover revenue from digital services, including online advertising, data supply, search engines, social media, digital content, online gaming, cloud computing, and online teaching.
Concerning indirect taxes, in September 2023, Rwanda implemented an 18% value-added tax (VAT) on e-commerce imports and digital services. Additionally, businesses with an annual turnover exceeding RWF 20 million (approx. USD 15.000) must register for and charge VAT.
Rwanda has established several licensing requirements.
In November 2021, Rwanda implemented the Law Governing the Payment System, which establishes licensing requirements for payment providers, including cryptocurrency services. The National Bank of Rwanda issued a regulation specifying licensing procedures and local operations requirements for digital payment providers in September 2023. Previously, the National Bank implemented licensing rules for electronic money issuers.
In February 2021, licensing regulations for infrastructure providers in electronic communication were implemented.
In May 2020, a licensing framework for multimedia services was established, covering streaming services and platform intermediaries.
In January 2025, the Ministry of Trade and Industry issued an order that establishes five-year validity periods for licenses across regulated sectors.