The Cybercrimes Act 19 of 2020 is South Africa’s primary legislation for combating cybercrime. The Act was signed into law in June 2021 and key sections commenced on 1 December 2021. It replaces outdated provisions in the Electronic Communications and Transactions Act (ECTA) and provides a modern, comprehensive framework for addressing cyber-related offences.
Offences Under the Cybercrimes Act
The Cybercrimes Act defines a wide range of offences, including:
- Unlawful access to a computer system, data, or network (commonly referred to as hacking);
- Unlawful interception of data;
- Unlawful interference with data or computer programs;
- Cyber fraud — unlawful and intentional misrepresentation through a computer system to obtain a benefit;
- Cyber forgery and uttering;
- Cyber extortion;
- Theft of incorporeal property (for example, data or digital assets);
- The unlawful distribution of malicious software (malware).
The Act also makes it an offence to disclose intimate images without consent (sometimes called “revenge porn”) and criminalises certain harmful data messages, including messages inciting violence or property damage.
Investigation and Prosecution
The Act empowers the South African Police Service (SAPS) to investigate cybercrimes, including provisions for the search and seizure of electronic evidence and the issuing of preservation-of-evidence directions. Designated SAPS members receive specialised training to handle these cases. Courts may also issue orders compelling electronic communications service providers to assist with investigations.
Penalties
Penalties under the Cybercrimes Act vary depending on the severity of the offence and can include substantial fines, imprisonment, or both. For more serious offences such as cyber extortion or attacks on critical infrastructure, the penalties are more severe.
Reporting Obligations
The Cybercrimes Act places obligations on electronic communications service providers and financial institutions to report certain cybercrimes to the SAPS. However, these reporting obligations (contained in sections of Chapter 4) have not yet been proclaimed into force and are still pending commencement.
The Cybercrimes Act and Data Protection
The Cybercrimes Act works alongside the Protection of Personal Information Act (POPIA) to protect South Africans in the digital space. While POPIA regulates how organisations collect, process, and store personal information, the Cybercrimes Act criminalises the unlawful access to or interference with that information. For businesses, understanding both laws is essential — read more in our article on data protection law in South Africa and our guide to the application of POPIA in the workplace.
In conclusion, the Cybercrimes Act 19 of 2020 is an important piece of legislation that provides South Africa with a modern legal framework for addressing cybercrime. As additional sections of the Act are proclaimed into force, its reach and impact will continue to expand.
Updated 14 April 2026 — Corrected the legislative reference to the Cybercrimes Act 19 of 2020 (commenced 1 December 2021), expanded the coverage of offence categories, and added detail on reporting obligations and the pending commencement of certain sections.