EXPLAINER: Cybercrime and Computer Misuse Act 2026: Chapter V

President Salva Kiir Mayardit has signed the Cybercrime and Computer Misuse Act 2026 into law, introducing a wide-ranging framework to safeguard South Sudan’s digital infrastructure while expanding state oversight of key systems.

Signed on February 18, 2026, the legislation sets out strict rules for what it defines as “critical national infrastructure,” detailing how vital computer systems and networks are identified, protected and monitored.

Chapter V establishes the core framework, giving the government broad supervisory powers while placing significant compliance obligations on infrastructure owners.

Under Section 26, the competent minister, acting on the advice of the designated authority, may classify a computer system or network as critical infrastructure if it is considered essential to national security or to the country’s economic and social well-being.

In making that determination, the minister must assess whether the system is vital to national stability — including security, defence and international relations — as well as economic activity such as banking and financial services, public services like utilities, transport, health and emergency response, core government functions across the executive, legislature and judiciary, and communications linked to international business involving South Sudan.

Once a system is designated, the authority is required under Section 27 to formally register the infrastructure and set out procedures governing that process. Owners must notify the authority within seven days of any change in legal ownership, with administrative penalties for non-compliance.

The law also provides for removal from the list. Section 28 allows the minister to withdraw a designation if a system no longer meets the criteria, with such decisions to be published in the official gazette.

Oversight is further strengthened under Section 29, which mandates the minister to prescribe minimum standards for the management and protection of critical systems. The authority is empowered to conduct periodic audits and inspections to ensure compliance.

Section 30 imposes strict duties on infrastructure owners, including a requirement to report any cybersecurity incident within 24 hours of detection. Owners must also ensure regular audits are carried out and submit reports to the authority. Breaches of these obligations may result in administrative penalties set by the minister.

The legislation also tightens access controls. Section 31 prohibits any person from obtaining or attempting to obtain unauthorised access to designated systems. Additional provisions under Chapter VII empower the authority to issue guidelines on data transfer, control and archiving within critical infrastructure.

Under Section 32, the authority is designated as the lead national responder to cyber threats and is required to establish a National Computer Incident Response Team Coordination Centre (SS-CIRT/CC).

The centre will provide technical analysis of incidents, issue alerts and advisories on emerging threats, conduct public awareness and training, coordinate responses with trusted public and private partners, and operate a platform for reporting cyber incidents.