Mozambique Passes Sweeping Cybersecurity and Cybercrime Laws to Combat Rising Digital Threats

Executive Summary

The Assembly of the Republic of Mozambique has passed two foundational pieces of legislation: the Cybersecurity Law and the Cybercrime Law. This legislative package is a direct response to the escalating cyber threats facing the nation, which saw 173,770 cyberattacks in 2024. The laws will establish a national cybersecurity regulatory body, impose security obligations on all public and private organizations, and create a penalty framework for non-compliance. This represents a major advancement in Mozambique's national strategy to build a secure and resilient digital ecosystem, protecting critical infrastructure, businesses, and citizens.

Regulatory Details

The new legal framework introduces a comprehensive, top-down approach to national cybersecurity governance.

• National Regulatory Authority: The law provides for the creation of a new regulatory body responsible for supervising national cybersecurity. Its key functions will include issuing binding instructions, setting national cyber threat alert levels, and enforcing compliance.
• Broad Applicability: The laws apply to all public and private entities that use data communication networks within Mozambique. This ensures a wide scope covering government agencies, critical infrastructure operators, and commercial businesses.
• Cybersecurity Fund: A dedicated fund will be established to support the initiative. It will be financed through the state budget, as well as fees and fines collected under the new laws, ensuring resources are available for critical incident response.

Affected Organizations

• All government bodies and public sector institutions in Mozambique.
• All private sector companies operating in Mozambique, regardless of industry.
• Operators of critical national infrastructure (e.g., energy, telecommunications, finance).

Compliance Requirements

The new legislation imposes several key obligations on affected organizations:

1. Technical and Organizational Security Measures: Private sector entities will be legally required to adopt and implement appropriate security measures to protect their networks and data.
2. Institutional Information Security Policy: Organizations must establish and maintain a formal, documented information security policy.
3. Cooperation with Regulatory Authority: All entities must comply with instructions and directives issued by the new national cybersecurity authority.

Implementation Timeline

While the laws have been approved by Parliament, the specific timeline for the establishment of the regulatory body and the enforcement of penalties has not yet been detailed. However, organizations are expected to begin preparing for compliance immediately.

Impact Assessment

The introduction of these laws will have a significant operational and financial impact on businesses in Mozambique. Organizations will need to invest in cybersecurity technologies, personnel, and processes to meet the new legal standards. This will likely drive demand for cybersecurity services and solutions within the country. While this presents a compliance burden, the long-term goal is to create a more stable and secure business environment, reducing the economic damage caused by cybercrime and enhancing trust in Mozambique's digital economy.

Enforcement & Penalties

Non-compliance with the new regulations will result in financial penalties. The law specifies fines ranging from one to 160 times the minimum wage in the public sector. This penalty structure is designed to be scalable and applicable to organizations of different sizes. The regulatory authority will be empowered to levy these fines and conduct audits to ensure compliance.

Compliance Guidance

Organizations in Mozambique should take the following steps to prepare:

1. Conduct a Gap Analysis: Perform a comprehensive assessment of current security posture against internationally recognized frameworks like the NIST Cybersecurity Framework or ISO 27001. This will identify gaps that need to be addressed to comply with the new laws.
2. Develop an Information Security Policy: If one does not already exist, create a formal, board-approved information security policy that outlines the organization's commitment to security and defines roles and responsibilities.
3. Budget for Security Investments: Allocate budget for necessary security controls, such as firewalls, endpoint protection, employee training, and vulnerability management tools.
4. Appoint a Security Lead: Designate an individual or team responsible for overseeing the organization's cybersecurity program and acting as the point of contact for the new regulatory authority.