Rwanda: Adopted NCSA Minimum Cybersecurity Standards for Essential Service Providers, including baseline cybersecurity requirements

On 28 July 2023, the National Cyber Security Authority (NCSA) issued the Minimum Cybersecurity Standards for Essential Service Providers (ESPs) as the implementation of its authority under Article 9(3) and Article 10(1) of Law No. 26/2017 of 31 May 2017. ESPs should comply with the standard's requirements by 27 July 2024. These standards define baseline cybersecurity requirements to ensure the confidentiality, integrity, and availability of critical infrastructure, ICT systems, and stakeholders’ data handled by ESPs in Rwanda. The regulation applies to ESPs operating within Rwanda and introduces a tiered approach, dividing requirements into three categories based on service criticality and user impact. The policy imposes mandatory security practices, including risk assessments, system integrity measures, and access control protocols. It categorises ESPs into tiers based on service scope and criticality, requiring advanced measures for those handling essential national infrastructure. The NCSA retains the authority to determine the categorisation of ESPs and requires periodic reviews of compliance with the standards.