Ethiopia: Computer Crime Proclamation (No. 958/2016) including cybersecurity regulation entered into force

On 7 July 2016, the Computer Crime Proclamation No. 958/2016 entered into force. It defines "critical infrastructure" as computer systems, networks or data whose compromise would significantly affect public safety or national interests. The law provides specific protections for such infrastructure, including enhanced penalties for offences such as illegal access, interception, interference or data damage. Penalties range from 5 to 15 years of imprisonment and fines between 50,000 and 200,000 Birr, with more serious cases attracting up to 20 years of imprisonment and fines up to 500,000 Birr. Authorities are granted emergency powers to conduct real-time surveillance or data collection without a court warrant if there are reasonable grounds to believe an attack is imminent. Article 26 enables preventive measures to safeguard threatened systems. Service providers, defined as entities offering data processing, communication services or alternative infrastructure, are required to retain traffic data for at least one year, maintain confidentiality unless disclosure is court-ordered, and report computer crimes or illegal content. They must also cooperate with authorised surveillance activities. The law establishes a National Executing Task Force comprising the Federal Attorney General, Federal Police Commission and other relevant bodies to coordinate preventive and enforcement efforts. It also includes provisions to support international cooperation, such as information exchange, joint investigations and extradition, addressing the cross-border nature of computer crimes.