On 2 April 2025, the National Bank of Ethiopia (NBE)'s Requirements for Information Technology (IT) Management of Microfinance Institution Directive No. MFI/33/2022 entered into force. Microfinance institutions were required to implement the requirements for automation of core business processes (Article 5) and set up a disaster recovery site with adequate detachment from the main IT site (Article 6.7). The directive requires institutions to develop IT risk management programmes, including risk assessments, incident response, disaster recovery, and business continuity plans, and to prepare annual IT security awareness plans. Alignment with the Information Network Security Agency (INSA) requirements is mandatory, as are regular IT risk assessments and updates to the IT risk register, which are reported to the NBE. High-impact IT incidents must be reported within two working days, with quarterly updates on incident handling. Training programmes are required to enhance awareness of IT strategies and risk management among stakeholders, including board members and senior management.