Rwanda: Implemented NCSA Minimum Cybersecurity Standards for Essential Service Providers, including baseline cybersecurity requirements

On 28 July 2024, the Minimum Cybersecurity Standards for Essential Service Providers (ESPs) entered into force. These standards define baseline cybersecurity requirements to ensure the confidentiality, integrity, and availability of critical infrastructure, ICT systems, and stakeholders’ data handled by ESPs in Rwanda. The regulation applies to ESPs operating within Rwanda and introduces a tiered approach, dividing requirements into three categories based on service criticality and user impact. The policy imposes mandatory security practices, including risk assessments, system integrity measures, and access control protocols. It categorises ESPs into tiers based on service scope and criticality, requiring advanced measures for those handling essential national infrastructure. The NCSA retains the authority to determine the categorisation of ESPs and requires periodic reviews of compliance with the standards.