It’s a Friday afternoon, a Nigerian tech founder has just taken a 20-minute break to have lunch, and while at it, an email notification comes in.
She stops eating and opens the email to read. It’s a notification from one of the tech newsletters she’s subscribed to about the National Digital Economy and E-Governance Bill, which is on the floor of the National Assembly. Immediately, she calls a meeting with her other co-founders to weigh what this means for the business. For many techpreneurs in Africa, this is the reality as policies and regulatory frameworks are being churned out in rapid succession.
Across the continent, governments and regulatory bodies are introducing frameworks on AI, Fintech, Cybersecurity, and data protection, indicating a shift towards a more structured digital governance.
Key policies from Africa
The wave of tech regulation sweeping across Africa must indeed be applauded as the digital economy grows. Governments that once watched the sector grow with little to no interference are now writing the rules on data, AI, cybersecurity, and fintech.
From Abuja to Nairobi, to Johannesburg, to Gaborone, to Luanda, regulators are no longer passive in digital governance. They are rewriting the laws, determining the players, how strictly, and who gets to set the terms. These activities have been seen in many areas; however, a bulk of the policies are geared towards fintech, AI, data protection, and cybersecurity.
Data Protection
This is the most mature of the four. According to Data Protection Africa, about 44 African countries have some form of data protection. The models vary, with some countries drawing from the European Union’s General Data Protection Regulation, GDPR, and others reflecting local priorities, state access, and national security.
Nigeria Data Protection Act (2023), one of the continent’s most comprehensive acts, introduced a mandatory data protection compliance framework for organisations processing the personal data of Nigerian citizens, regardless of where those organisations are headquartered.
South Africa’s Protection of Personal Information Act (POPIA) goes further, giving the country’s information regulators enforcement powers with serious consequences, including criminal liability for senior executives.
Similar stricter laws can be found in Ethiopia’s Personal Data Protection Proclamation, PDPP, which was passed in 2024 but modified in 2025 to cover more laws. It defines personal data broadly. It’s not just names and ID numbers; it goes further to cover any information that could identify someone, directly or indirectly.
This includes things like location data and online identifiers. Even more interestingly, these rights don’t die with the person. The PDPP says privacy rights survive for 10 years after death. This means companies need to be prepared to handle requests from deceased individuals’ legal heirs.
Beyond national provisions, cross-border cooperation is also gaining momentum. On February 26, 2026, Morocco’s National Commission for the Protection of Personal Data (CNDP) and Portugal’s National Data Protection Commission signed an MOU in the field of Personal data protection.
AI Regulation
Although Artificial Intelligence may be the newest “kid on the block”, Africa has not been taken unaware.
In South Africa, even though there may not be a standalone AI law yet, there are already existing laws that cover this. The country’s proposed National AI Policy framework, which will be publicly gazetted soon, presents an early blueprint for what future legislation will look like. The governance model is built on several pillars, such as transparency, security, responsible data alliance, fairness, and ethical AI.
Many experts have praised the human-centered AI direction it takes, which borrows from the African Union 2024 Continental AI Strategy. However, concerns regarding regulatory overlap exist, and arguments that there really isn’t a need for a standalone AI Act, as the country has the POPPIA, Electronic Communications and Transactions Act (2002), and others.
Moving east, Kenya is positioning itself as a leading AI hub in Africa, and has a 5-year national AI strategy, Kenya Artificial Intelligence Strategy (2025-2030), which establishes a structured framework to harness artificial intelligence-driven innovation for socio-economic development.
Centered on three pillars, AI Digital Infrastructure, Data, and AI Research & Innovation, the Strategy marks a pivotal, proactive step in the country’s digital transformation journey. It provides a forward-looking framework for addressing regulatory uncertainty and responsible innovation.
Neighbouring Rwanda has a similar goal to be Africa’s centre of excellence in Artificial Intelligence. The National AI Policy is in line with the country’s larger goal of digital transformation. Building on the mission of the Vision 2050, Smart Rwanda Master Plan, and other key national plans and policies, it equips Rwanda to harness AI for sustainable and inclusive growth. The policy emphasises education, research fellowships, and curriculum updates to equip learners with STEM and AI skills.
Nigeria’s proposed AI Bill, The Artificial Intelligence Control and Regulation Bill (2023), has been called ‘’ambitious’’ by many experts. The proposed AI bill introduces mandatory registration for AI developers, establishes a National Artificial Intelligence Council, and adopts a risk-based framework for regulating high-impact systems.
It also includes transparency requirements, data protection alignment, and enforcement provisions, aiming to promote responsible innovation while strengthening oversight of AI technologies. Elsewhere, countries such as Angola have proposed bills that are equally comprehensive. Angola’s proposed Artificial Intelligence bill (2025) outlines a legal framework to “regulate the development, deployment, and use of artificial intelligence” in the country.
Drawing on international best practices, including principles from the Organisation for Economic Co-operation and Development and the risk-based model of the European Union AI Act, the bill seeks to navigate the challenges of modern technology regulation.
While it aims to actively promote and build a domestic AI industry to influence economic value and assert technological sovereignty, it also ensures that there are human-centric safeguards to prevent harm to fundamental rights and ensure consumer safety.
Cybersecurity
As AI adoption grows and the African governments’ digitisation of public services, tax collection, identity systems, and health records, the attack surface expands. Ghana, Kenya, Nigeria, and Botswana have all published national cybersecurity strategies. In South Africa, they strengthened their Cybercrimes Act in 2025 and introduced updated obligations for platforms to protect users, improve breach-notification protocols, and implement stronger security-by-design measures.
Some countries have fully moved from just passing laws to putting structures in place for enforcement. Take Ghana, for instance, in early January 2026, Ghana’s Cyber Security Authority announced a stern warning to unregistered cybersecurity service providers, cybersecurity professionals, and establishments that heavy sanctions await anyone practising without a licence. The CSA’s warning was part of moves to enforce the 2020 Ghana Security Act, underscoring its commitment to regulating the cybersecurity sector.
Fintech regulation
This remains one of the most active areas of policy development. In late 2025, debates intensified regarding Nigeria’s National Fintech Regulatory Commission Bill, which seeks to require “Fintech companies to secure either specific or category-based licences” aligned with the services they provide, such as payments, digital lending, cryptocurrency, crowdfunding, or regulatory technology. Failure to meet licensing requirements or renew approvals could result in penalties, including suspension, withdrawal of authorisation, or significant fines.
The proposed framework also introduces stricter compliance expectations. Firms may need to establish formal compliance functions, engage legal advisors, conduct regular technology audits, and show meaningful local involvement in both ownership and management structures. With digital payments and mobile money driving financial inclusion, regulators in different African nations are refining licensing regimes, introducing sandbox environments, and strengthening consumer protection rules. These measures aim to support innovation while mitigating risks related to fraud, systemic stability, and market concentration.
Balancing Innovation and Accountability Through Sandboxes and Compliance Frameworks
Across Africa, governments are increasingly turning to regulatory sandboxes and structured compliance frameworks to manage the tension between encouraging innovation and maintaining oversight. These mechanisms allow regulators to observe emerging technologies in controlled environments before introducing full-scale regulation, reducing risk while supporting experimentation. According to the Datasphere Initiative report, at least 25 sandbox programs are operating in 15 African countries, covering fintech, data governance, and emerging technologies such as AI.
In Nigeria, the Central Bank of Nigeria has expanded its fintech regulatory sandbox as part of broader reforms aimed at strengthening digital payments and financial inclusion. The initiative allows innovators to test new financial products under regulatory supervision before market launch, helping authorities refine rules while ensuring consumer protection. The central bank has also linked sandbox expansion to open banking and contactless payment initiatives, highlighting a coordinated approach to innovation governance and to cross-border payments.
Yemi Cardoso, CBN Governor, at the 2026 G-24 Technical Group Meetings (TGM) held on February 26, in Abuja, said, “We have also embraced fintech innovation to drive the next generation of secure, instant cross‑border payments. Our Regulatory Sandbox now allows payment‑focused fintechs to test new cross‑border solutions under close CBN supervision, ensuring innovation proceeds without compromising stability,” -Cardoso.
Similarly, in Kenya, the Capital Markets Authority operates a regulatory sandbox that permits live testing of capital markets and fintech solutions under a less onerous regulatory regime. The framework is designed to attract technology-driven financial innovations while allowing regulators to monitor risks related to investor protection and financial stability.
These frameworks are complemented by broader compliance mechanisms. Governments are issuing clearer data protection guidelines, strengthening licensing requirements for fintech operators, and promoting collaborative consultations between regulators and industry stakeholders.
For startups and investors, these initiatives provide opportunities to test products without facing immediate full regulatory burdens. For regulators, they offer valuable insights into emerging risks. Together, they illustrate how African governments are increasingly adopting somewhat flexible policy tools to encourage innovation while maintaining accountability in rapidly evolving digital markets.
The African Union & Regions
The African Union has spent the better part of a decade trying to build a coherent framework for digital governance across 55 member states. The move is not unreasonable. If the regulatory landscape is fragmented, then it is a direct obstacle to the kind of cross-border digital trade that the African Continental Free Trade Area is meant to encourage.
As it stands, a Fintech company that wants to operate in ten African markets currently faces ten different licensing regimes, ten different data residency requirements, and ten different definitions of what a payment service provider actually is. The cost of that fragmentation falls hard on African-born companies trying to scale across the continent, while better-resourced multinationals with experienced compliance teams absorb it as a cost of doing business. Thankfully, countries in the eastern region, like Kenya and Rwanda, are now collaborating to ensure that cross-border payments are simplified between the two markets.
A memorandum of understanding between the Central Bank of Kenya and the National Bank of Rwanda was signed on March 12, 2026, to establish a licensing passporting framework that will allow licensed payment service providers to access both jurisdictions more efficiently.
What this means is that the framework creates a structured method through which a payment institution already authorised in one country may operate in another without repeating a full license process. Although regulators would still oversee companies operating in their markets while coordinating supervision.
This is a tremendous win for the East African nations as it helps to reduce the burden associated with getting into a neighbouring market, labour and administrative costs. It’s imperative to note that this initiative forms part of broader efforts within the East African Community Cross Border Payment System Masterplan to improve the efficiency of regional financial infrastructure. The East African Community has moved toward harmonised digital financial rules. ECOWAS has established data protection principles that member states are expected to reflect in national legislation.
The Southern African Development Community has developed its own cybersecurity framework and, a few years ago, established the cybersecurity centre for Southern Africa, which represents the first comprehensive assessment of cybersecurity maturity across member states. These different regional efforts will contribute to the overall cohesiveness of regulatory laws on the continent.
Impact on Businesses, Startups, and Consumers
For all the policy language about enabling digital growth, the effects of Africa’s evolving tech regulatory landscape are felt most by three groups: the businesses trying to build within it, the startups trying to survive it, and the consumers it is designed to protect.
For established businesses, the regulatory shift has created both costs and opportunities. Companies that invested early in compliance infrastructure, data management systems, privacy teams, and legal counsel familiar with the new frameworks are finding that their investment has become a competitive advantage.
For startups, the picture is more complicated. Compliance costs remain the most frequently cited barrier to growth among early-stage African tech companies. The 2023 ICPA Journal of Public Administration, Law and Humanities states that for small businesses and SMEs, compliance costs and administrative complexities discourage full adherence to policy regulations. It suggests that the regulatory environment, even where well-intentioned, is generating friction that is redirecting entrepreneurial energy away from growth and toward compliance management.
For consumers, the new frameworks carry genuine promise. Data protection laws give African users rights they did not previously have on paper: the right to know what data is collected about them, the right to request its deletion, and the right to withhold consent. The gap is enforcement. In most African markets, the mechanisms for an individual to exercise those rights remain cumbersome, underpublicised, and slow, which will discourage users from seeking redress in the event of data theft or compromise.
Remaining Challenges
Africa’s digital governance momentum is real. But momentum is not the same as arrival, and the distance between the two is where the continent will have challenges over the next decade.
The first challenge is enforcement. A law without enforcement is a signal, not a system. Across much of Africa, data protection authorities, cybersecurity agencies, and fintech regulators are operating with budgets and headcounts that bear no relationship to the size of the markets they are meant to oversee. Nigeria’s data protection commission covers a digital economy of over 200 million people. South Africa’s Information Regulator handles complaints from one of the continent’s most sophisticated consumer markets. The workload is not matched by the resources.
The second challenge is skills. Effective digital regulation requires regulators who understand the technology they are governing, not just its commercial surface but its technical architecture, its failure modes, its capacity for harm. That expertise is scarce everywhere in the world. In Africa, where the competition for digital talent between the public sector and a well-funded private sector is particularly lopsided, building and retaining that expertise inside government institutions is among the hardest problems the governance agenda faces.
The third challenge is coherence. Policy inconsistency, rules that change without notice, guidelines that contradict each other across agencies, and enforcement that appears selective will diminish the trust that functional regulation depends on. Several African markets have seen regulatory reversals that scared investors and disrupted business models that had been built in good faith around earlier guidance. The cost of that inconsistency is not just commercial. It is reputational, and reputation, once lost in a competitive investment environment, will be slow to rebuild.
The fourth challenge is inclusion. The most sophisticated data protection frameworks in the world mean little if the people they are meant to protect cannot read them, cannot navigate the complaints process, and have never been told their rights exist.
Conclusion
Digital policies in Africa have, so far, seemed to be largely a conversation between governments, regulators, and the private sector.
Take Nigeria’s new tax law as an example, most citizens, especially the non-internet users, estimated at 130 million, according to a 2025 report by GSMA, a global telecoms industry group, may not fully understand what the new law says and therefore stand the risk of defaulting, which will amount to serious fines.
Therefore, for the ambitious, comprehensive, human-centred policies from East to North Africa to succeed, it needs to move beyond these players and get to the people on the streets, the everyday person whose digital rights exist but know nothing of it.
