The Cybercrime and Computer Misuse Act 2026, signed into law on February 18 by President Salva Kiir, establishes a broad legal framework governing digital activity in South Sudan.
Chapter Six of the law details a wide range of offences, introducing penalties that target online conduct from harassment to attacks on critical infrastructure. Below is a breakdown of key provisions.
Cyberstalking and harassment
The law introduces specific offences addressing harmful online behaviour:
- Cyberstalking: Repeated use of electronic communication to track or monitor a person with intent to harass or cause fear is punishable by up to four years in prison.
- Cyberbullying: Individuals or groups found guilty face up to ten years in prison.
- Offensive communication: Sending messages deemed harmful, abusive or inappropriate carries up to two years.
- Cyber harassment: Using digital platforms to threaten or demean others, causing emotional harm, is punishable by up to five years in prison.
- Pornography: Publishing or causing the publication of pornographic photos, videos, books, magazines, films, or other media through a computer system or any information and communication technology. Upon conviction, a person is liable to a fine, imprisonment for a term not exceeding ten years, or both.
- Incitement: It is a crime to use a computer system to incite another person or group of persons to commit violence or discrimination. A person convicted of this offense shall be sentenced to imprisonment for a term not exceeding ten years, a fine, or both.
- Section 72 of the Act specifically addresses the hacking of electronic payment devices.
- The provision defines the offense and sets the following legal consequences:
- Prohibited Acts: It is an offense to intentionally and without authorization access, tamper with, alter, manipulate, or interfere with any electronic payment device.
- Targeted Devices: This includes, but is not limited to, point-of-sale (POS) machines, mobile money terminals, ATMs, or any digital financial transaction system.
- Penalties: Upon conviction, a person is liable to a fine, imprisonment for a term not exceeding seven years, or both.
Content moderation and false information
The Act places obligations on platform administrators and criminalises certain forms of online content:
- Failure to moderate: Administrators who do not remove “undesirable content” — including deceptive information, public health threats, or material promoting tribalism or racism — within a prescribed period after notice face up to five years.
- Publication of false information: Knowingly spreading false information that leads to panic, violence or economic loss is punishable by up to five years in prison.
Intellectual property and identity protection
The legislation imposes penalties for misuse of digital identities and protected works:
- Copyright infringement: Unauthorised use or distribution of copyrighted material for gain carries up to two years in prison for a first offence and up to seven years for repeat offences.
- Cybersquatting: Unauthorised use of business names, trademarks or domain names is punishable by up to three years.
- Disclosure of passwords: Sharing passwords, biometric data or multi-factor authentication tokens without authorisation carries up to five years.
System integrity and technical interference
Chapter Six also targets actions that disrupt computer systems:
- Unauthorised interference: Damaging or altering data to hinder system functionality carries up to ten years in prison. Where such interference results in injury, death or threats to national security, courts may impose fines of up to 75 million South Sudan pounds.
- Unauthorised modification: Altering computer data without permission is punishable by up to eight years in prison.
- Spreading viruses: Deliberately distributing malware that damages systems in public or private institutions carries up to three years in prison.
Serious and financial crimes
The law increases penalties for cyber-enabled financial and infrastructure-related crimes:
- Cyber extortion: Punishable by up to ten years.
- Cyberattacks: Launching attacks such as ransomware or denial-of-service operations against critical infrastructure carries penalties of up to 15 years in prison.
- Electronic message fraud: Unlawfully destroying emails or manipulating systems to alter payments is punishable by up to three years in prison.
- Phishing: Sending unsolicited or falsified electronic messages, including spoofed headers, carries up to five years.
- Fake accounts: Creating fraudulent email or social media accounts for deception or financial gain is punishable by up to five years in prison.
Article 78 of the Act establishes that every offence defined under this Act is classified as an extraditable crime. This means that individuals accused of cybercrimes—ranging from hacking and cyber espionage to child pornography—cannot simply avoid justice by crossing borders, provided an extradition agreement or applicable law is in place
General penalty clause
Section 74 provides a catch-all provision: any offence under the Act for which no specific penalty is outlined is punishable by up to five years in prison.