Subscribe to regular updates:

Share

DPA Digital Digest: Rwanda [2025 Edition]

A close-up of Rwanda’s regulatory approach to data governance, content moderation, competition, artificial intelligence, and more.

Report Image

The “DPA Digital Digest” series provides concise summaries of each economy’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.

Authors

Maria Buza, Sherif Taha

Date Published

12 Mar 2025

Rwanda is emerging as a digital leader in Africa. The Information and Communication sector contributed RWF 67 billion to the GDP in Q3 2024, a 19% year-on-year growth, according to the National Institute of Statistics. The government aims to increase this share to 35% by 2030. To support digital transformation, the government introduced initiatives such as the Economy Digitali­zation Program, the National Strategy for Transformation, and the Rwanda Innovation Fund. Internationally, Rwanda is engaging in digital trade under the African Union and other international initiatives. Recently, Rwanda established partnerships with Starlink, Google, and Alibaba.

But what do Rwanda’s domestic digital policies stand for? Our DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Rwanda-specific points of emphasis.

  • Data governance: Rwanda implemented the Personal Data Protection Law, established cybersecurity rules, and participated in international frameworks on data governance.

  • Content moderation: Rwanda established frameworks to protect children online and combat illegal content.

  • Competition policy: Rwanda applied its competition law to the digital economy and announced sectoral competition rules for telecommunications and e-commerce. 

  • Artificial Intelligence: Rwanda released the National AI Policy and participated in various international AI governance initiatives.

  • Rwanda’s points of emphasis include the taxation of the digital economy and licensing requirements.

Jump directly to the section that interests you most:


Discover the details of Rwanda's regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service

Written by Maria Buza and Sherif Taha. Edited by Tommaso Giardini.


Data governance

Policy developments

In October 2021, Rwanda implemented the Law Relating to the Protection of Personal Data and Privacy (DPP Law). The Law applies to data controllers and processors and introduces obligations to uphold accuracy, accountability, and data minimisation. For the processing of sensitive personal data, explicit consent or legitimate justification are required. Individuals are granted rights to access, correct, and object to data processing. Controllers and processors must implement security measures and notify data breaches within 48 hours. Additionally, the Law requires data controllers and processors to register with the National Cyber Security Authority (NCSA), as well as designate a local representative if based outside of Rwanda. The NCSA, established in July 2017, oversees data governance and established its Data Protection Office in 2022. 

In August 2024, Rwanda launched its National Cybersecurity Strategy. It outlines seven objectives to strengthen cybersecurity, including improving risk management, protecting critical infrastructure, and fostering international collaboration. The main cybersecurity framework is the 2018 Law on the Prevention and Punishment of Cyber Crimes. It criminalises offences, including unauthorised system access and data interception, and establishes obligations to report cybercrimes and inform customers about cyber threats. Additional obligations apply to critical infrastructure providers, including data integrity measures and disaster recovery plans. Further infrastructure cybersecurity obligations were established by the NCSA in July 2023 and the Rwanda Utilities Regulatory Authority in May 2020. Finally, the National Bank of Rwanda issued cybersecurity rules for financial institutions in June 2022. 

On the international level, Rwanda participates in initiatives related to data governance.

Data localisation/transfer developments

Rwanda maintains several data localisation requirements. The DPP Law generally requires personal data to be stored within Rwanda, unless the data controller or processor obtains a certificate from the supervisory authority. The 2017 National Data Revolution Policy requires critical government data to be hosted in a national data centre, allowing foreign storage of personal data only with prior approval. Regulations governing telecommunications network security from 2016 prohibit the transfer, storage, or processing of subscriber information outside of Rwanda.

The DPP Law outlines three mechanisms for cross-border data transfers: authorisation from the supervisory authority (with proof of safeguards), consent from the data subject, or specific exceptions for necessary transfers, such as contract performance or public interest. Generally, the transferor and recipient must sign a contract, for which the Data Protection Office issued standard contractual clauses in February 2024.

Guidelines and enforcement developments

The NCSA Data Protection Office (DPO) oversees data governance and regularly issues guidelines. 

  • In July 2024, the DPO issued guidance on designating representatives for data controllers and processors based outside Rwanda, to address data subject requests, collaborate with the NCSA, and maintain records.

  • In April 2024, the DPO issued guidance on contractual provisions for data processing, outlining the scope of processing, security measures, and data subject rights.

  • In June 2023, the DPO issued guidance on registration for data controllers and processors, including an online application form with details about the entity, personal data processed, data processors involved, data transfer practices, and security measures.

  • Previously, the DPO published guidance on data protection principles, data portability, and the role of data controllers and processors.

There are currently no public, official sources on enforcement action by the NCSA or the DPO. In May 2017, the Rwanda Utilities Regulatory Authority, responsible for the telecommunications sector, fined MTN Rwanda FRW 7.03 billion (approx. USD 6.8 million) for hosting its IT services outside the country.

Content moderation

Policy developments

Rwanda's content moderation framework is built on several regulatory frameworks, ranging from measures to protect children online to obligations to address illegal content. 

In January 2024, the Minister of Information, Communication, Technology and Innovation adopted the order on the protection of children online, building on the Child Online Protection Policy. The order mandates the use of content filtering tools, parental controls, and age verification to restrict minors' access to harmful content. Harmful content is defined as material that could negatively impact a child's development, such as child sexual abuse content or explicit sexual content. Digital content providers must implement measures to identify, manage, and filter inappropriate material while ensuring that age-suitability indicators are displayed. Internet service providers are required to block harmful content, particularly related to child abuse and explicit material.

The 2018 Law on Prevention and Punishment of Cyber Crimes prohibits the distribution of illegal content, which includes content related to child exploitation, terrorism, human trafficking, and drug trafficking. It also addresses harmful content, such as indecent information and rumours that may incite fear or violence. Service providers, including firms that process or store computer data on behalf of users, must provide user reporting mechanisms and remove content notified as illegal or harmful by the authorities. Additionally, the Law on Genocide Ideology and Related Crimes criminalises the denial, minimisation, or justification of genocide, including online. 

The 2016 Law Governing Information and Communication Technologies prohibits the dissemination of content deemed "grossly offensive," "indecent," or intended to cause "annoyance, inconvenience, or needless anxiety" via public electronic communication networks. It grants authorities the power to suspend or restrict network or service operations to safeguard public safety or national security​.

Rwanda also participates in international online safety initiatives. In May 2024, Rwanda adopted the Child Online Safety and Empowerment Policy as part of the African Union The policy establishes guidelines to ensure the protection of children's rights within the digital sphere. In February 2024, Rwanda endorsed the Association of African Election Authorities guidelines for the responsible use of digital and social media in elections. The guidelines focus on accountability, preventing disinformation, and protecting election integrity. 

Guidelines and enforcement developments

There are currently no public, official sources on enforcement action or guidelines related to Rwanda's content moderation framework.

Competition

Policy developments

Rwanda has not adopted specific rules for digital competition and instead applies the 2012 Law on Competition and Consumer Protection. The Law prohibits the abuse of a dominant position by enterprises, defining such abuse as conduct that restricts market entry, prevents competition or eliminates competitors. Additionally, the Law regulates mergers, requiring enterprises to notify acquisitions and obtain approval if they meet specific thresholds. The Rwanda Competition and Consumer Protection Authority (RCCA), established in August 2017, oversees these competition rules and protects consumer rights. As of now, the RCCA has yet to issue these thresholds.

In September 2023, the Cabinet approved the revised Competition and Consumer Protection Policy. Under the Policy, RICA is tasked with regulating mergers and acquisitions as well as addressing challenges posed by the digital economy. RICA must monitor market competition, identify regulatory and government barriers to competition, and work alongside sector-specific regulators and other government bodies to address related challenges. 

The Rwanda Utilities Regulatory Authority (RURA) issued sectoral frameworks related to competition. In March 2021, RURA implemented the regulation on promotion by telecommunication operators which includes provisions to prevent anti-competitive behaviour. Operators are prohibited from engaging in predatory pricing and discrimination. RURA can restrict promotions and impose fines, with decisions binding unless overturned by a court. In February 2021, RURA announced regulations for the e-commerce sector and delivery companies. 

Guidelines and enforcement developments

There are currently no public, official sources on enforcement action or guidelines related to Rwanda's content moderation framework.

Artificial Intelligence

Policy developments

Rwanda has not yet adopted laws or regulations specifically governing the development and use of Artificial Intelligence (AI). In April 2023, the Ministry of Information Communication Technology and Innovation (MINICT) released the National AI Policy, which serves as the country’s primary AI framework and outlines a roadmap to maximise AI benefits while mitigating risks. The policy includes provisions for establishing a Responsible AI Office under MINICT and empowers the Rwanda Information Society Authority to oversee national AI initiatives and draft measures on AI. 

In October 2022, the MINICT conducted an AI readiness assessment to evaluate Rwanda's preparedness for AI adoption as part of the “AI for Africa” blueprint. It assessed the AI development landscape and proposed strategies to enhance Rwanda’s global AI standing.

On the international level, Rwanda has engaged in multiple initiatives on AI: 

Guidelines and enforcement developments

There are currently no public, official sources on enforcement action or guidelines related to Rwanda's artificial intelligence framework.

Points of emphasis

Taxation

In February 2025, the Ministry of Finance and Economic Planning announced that the Cabinet plans to introduce a 1.5% Digital Services Tax for foreign companies providing online services in Rwanda. No further detail is available at present. The Rwanda Revenue Authority previously published a report outlining challenges in implementing a DST, particularly concerning the financial impact on unprofitable businesses. In addition, in October 2022, Rwanda expanded the scope of its income tax to cover revenue from digital services, including online advertising, data supply, search engines, social media, digital content, online gaming, cloud computing, and online teaching.

Concerning indirect taxes, in September 2023, Rwanda implemented an 18% value-added tax (VAT) on e-commerce imports and digital services. Additionally, businesses with an annual turnover exceeding RWF 20 million (approx. USD 15.000) must register for and charge VAT.

Licensing requirements

Rwanda has established several licensing requirements. 

In January 2025, the Ministry of Trade and Industry issued an order that establishes five-year validity periods for licenses across regulated sectors.

We use cookies and other technologies to perform analytics on our website. By opting in, you consent to the use by us and our third-party partners of cookies and data gathered from your use of our platform. See our Privacy Policy to learn more about the use of data and your rights.