INSA Inks Proclamation To Bolster Cybersecurity Defenses | The Reporter Ethiopia

Draft proposes third-party cyber security service providers, under review in Parliament

Experts at the Information Network Security Administration (INSA) have tabled a draft proclamation as a framework to guide efforts to curb increasingly frequent cyber threats on Ethiopia’s growing digital visibility of sensitive national data and information.

The ‘Critical Infrastructure Cybersecurity Proclamation,’ which has been under legal review at the Ministry of Justice for more than two years, was tabled to Parliament this week.

The legislation comes as more and more of Ethiopian citizens’ data is being uploaded to the cloud via the National ID program, banking and mobile money platforms, electronic procurement process, single window government services and others.

These fast growing databases become more vulnerable to cyber threats as they expand in size. The Administration reported 8,000 cyberattacks on Ethiopia in 2023/4, up from under 100 attacks a year on average two decades ago.

In order to avoid complications during implementation, the proclamation identifies 11 sectors as key areas that should be protected as key infrastructure. At present, INSA primarily focuses on cybersecurity relating to financial institutions and electric power infrastructure.

The draft proposes to expand its purview to include transport, health, education, water, agriculture, trade, government services, and communications.

If approved, institutions categorized as critical infrastructure will be subject to periodic cybersecurity audits by INSA. Both public and private institutions can qualify as critical infrastructure, which the draft defines as “any infrastructure or institution the disruption or compromise of which due to a cyberattack would have a significant negative impact on national security or national interests.”

A key provision added in the final drafting stages proposes to allow third-party IT firms to provide cyber security services and conduct these audits in addition to INSA itself.

However, third-party service providers will need to fulfil several stringent requirements and pass a screening process before they can offer their services.

Anyone who provides cybersecurity services without proper licensing will face penalties of up to two million Birr, while repeat offenders can be fined three times as much, according to the draft.

Lawmakers are currently reviewing the proclamation, which is widely expected to be ratified in the near future.