Ethiopia: NBE Requirements for Information Technology Management of Microfinance Institution (Directive No. MFI/33/2022) including cybersecurity regulation entered into force with grace period

On 1 April 2022, the National Bank of Ethiopia (NBE)'s Requirements for Information Technology (IT) Management of Microfinance Institution Directive No. MFI/33/2022 entering into force with a grace period. Microfinance institutions must implement the requirements for automation of core business processes (Article 5) and set up a disaster recovery site with adequate detachment from the main IT site (Article 6.7) within three years. All other provisions of the Directive will be effective one year from the effective date. The directive mandates that the institutions must develop IT risk management programmes, including risk assessments, incident response, disaster recovery, and business continuity plans, and prepare annual IT security awareness plans. Alignment with the Information Network Security Agency (INSA) requirements is mandatory, along with regular IT risk assessments and updates to the IT risk register, reported to the NBE. High-impact IT incidents must be reported within two working days, with quarterly updates on incident handling. Training programmes are required to enhance awareness of IT strategies and risk management among stakeholders, including board members and senior management.