African Vulnerability Disclosure Policy Map
Explore vulnerability disclosure policy requirements and recommendations across African countries. Understand the regulatory landscape and compliance requirements for implementing responsible vulnerability disclosure programs.
Last updated November 11, 2025
Required: 0 jurisdictions
Recommended: 12 jurisdictions
Coming Soon: 2 jurisdictions
None: 5 jurisdictions
Tracking 19 African jurisdictions with public information on vulnerability disclosure expectations.
Required: Formal regulation requires organizations to maintain a vulnerability disclosure channel.
Recommended: Legislation or regulators encourage vulnerability disclosure as part of security obligations.
Coming Soon: Draft legislation or government announcements indicate forthcoming mandates.
None: No explicit policy requirement identified in available regulations.
| Jurisdiction | Requirement | Policy | Applies To | Details |
|---|---|---|---|---|
| Algeria (North Africa) | Recommended | Law No. 18-07 on the Protection of Individuals in the Processing of Personal Data; Articles 24-26 - Security and Confidentiality Obligations | Data controllers processing personal data in Algeria | Algeria's data protection framework requires controllers to implement appropriate technical and organizational security measures. Establishing a vulnerability disclosure workflow is recommended to demonstrate compliance with confidentiality and breach response obligations. Effective date: June 10, 2018. Lead regulator: National Authority for the Protection of Personal Data (ANPDP). |
| Botswana (Southern Africa) | Recommended | Data Protection Act, 2018; Section 47 - Security Measures | Data controllers and processors handling personal data in Botswana | Botswana's Data Protection Act requires controllers to adopt safeguards that include identifying and addressing system vulnerabilities. The Data Protection Commissioner encourages the introduction of structured reporting channels and timelines for remediation. Effective date: October 15, 2021. Lead regulator: Data Protection Commission (DPC Botswana). |
| Cameroon (Central Africa) | None | Law No. 2010/012 on Cybersecurity and Cybercrime; General Cybersecurity Provisions | All organizations in Cameroon | Cameroon's cybersecurity law addresses cybercrime but does not explicitly require vulnerability disclosure programs. However, organizations are encouraged to implement security measures and establish processes for handling security vulnerabilities responsibly. Effective date: December 21, 2010. Lead regulator: Agence Nationale des Technologies de l'Information et de la Communication. |
| Egypt (North Africa) | Coming Soon | Personal Data Protection Law - Cybersecurity Framework; Article 25 - Security Measures | Organizations processing personal data in Egypt | Egypt's Personal Data Protection Law, which came into effect in 2023, requires organizations to implement security measures to protect personal data. The law is currently being implemented, and guidelines for vulnerability disclosure programs are expected to be published. Organizations are encouraged to establish vulnerability reporting processes as part of their cybersecurity framework. Effective date: October 13, 2023. Lead regulator: Egyptian Data Protection Authority. |
| Ethiopia (East Africa) | None | Computer Crime Proclamation No. 958/2016; Part IV - Critical Infrastructure Protection | All organizations operating information systems in Ethiopia | Ethiopia's computer crime legislation criminalizes unauthorized access and mandates protective measures for critical systems, yet it does not currently provide a formal vulnerability disclosure process. Organizations are advised to craft internal guidelines for working with vetted researchers. Effective date: June 23, 2016. Lead regulator: Information Network Security Administration (INSA). |
| Ghana (West Africa) | Recommended | Data Protection Act, 2012 - Security Requirements; Section 30 - Security of Personal Data | Data controllers and processors in Ghana | Ghana's Data Protection Act requires data controllers to implement appropriate technical and organizational measures to protect personal data. While vulnerability disclosure programs are not explicitly mandated, they are considered best practice for maintaining security. The Data Protection Commission encourages organizations to establish vulnerability reporting channels. Effective date: May 16, 2012. Lead regulator: Data Protection Commission. |
| Ivory Coast (West Africa) | None | Law No. 2013-450 on the Protection of Personal Data; Article 28 - Security Obligations | Data controllers in Ivory Coast | Ivory Coast's data protection law requires data controllers to implement security measures. While vulnerability disclosure programs are not explicitly required, organizations are encouraged to establish processes for handling security vulnerabilities as part of good cybersecurity practices. Effective date: June 19, 2013. Lead regulator: Autorité de Protection des Données Personnelles. |
| Kenya (East Africa) | Recommended | Data Protection Act, 2019 - Security of Personal Data; Section 41 - Security of Personal Data | Data controllers and processors in Kenya | The Data Protection Act requires data controllers and processors to implement appropriate technical and organizational measures to ensure the security of personal data. Vulnerability disclosure programs are recommended as part of an organization's security framework. The Office of the Data Protection Commissioner encourages organizations to establish clear processes for handling security vulnerabilities. Effective date: November 25, 2019. Lead regulator: Office of the Data Protection Commissioner. |
| Mauritania (West Africa) | Coming Soon | Draft Law on the Protection of Personal Data (2023); Draft Chapter IV - Security and Breach Notification | Data controllers processing personal information in Mauritania | Mauritania has announced a draft personal data protection law that introduces security and breach notification duties. The National Agency for Information Systems Security has indicated that vulnerability reporting guidance will accompany the final regulation. Effective date: Pending Parliamentary Review. Lead regulator: Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI Mauritanie). |
| Mauritius (Southern Africa) | Recommended | Data Protection Act 2017; Part VI - Security of Processing | Data controllers and processors established in Mauritius | The Data Protection Act requires organizations to maintain appropriate security safeguards, including the ability to detect and respond to vulnerabilities. The Data Protection Office encourages clear reporting channels and incident response playbooks that incorporate vulnerability disclosure handling. Effective date: January 15, 2018. Lead regulator: Data Protection Office of Mauritius. |
| Morocco (North Africa) | Recommended | Law No. 09-08 on the Protection of Individuals with regard to the Processing of Personal Data; Article 17 - Security Measures | Data controllers in Morocco | Morocco's data protection law requires data controllers to implement appropriate security measures. While vulnerability disclosure programs are not explicitly required, they are recommended as part of comprehensive security practices. The National Commission for the Control of Personal Data Protection (CNDP) encourages organizations to establish processes for handling security vulnerabilities. Effective date: February 18, 2009. Lead regulator: National Commission for the Control of Personal Data Protection (CNDP). |
| Nigeria (West Africa) | Recommended | Nigeria Data Protection Regulation (NDPR) - Cybersecurity Guidelines; Section 2.6 - Security Measures | Organizations processing personal data in Nigeria | The Nigeria Data Protection Regulation recommends that organizations implement security measures including vulnerability disclosure processes. While not explicitly mandated, the NDPR encourages organizations to establish processes for handling security vulnerabilities and data breaches responsibly. Organizations are encouraged to have clear channels for reporting security issues and to respond to vulnerabilities in a timely manner. Effective date: January 25, 2019. Lead regulator: National Information Technology Development Agency (NITDA). |
| Rwanda (East Africa) | Recommended | Law Relating to the Protection of Personal Data and Privacy; Article 28 - Security Measures | Data controllers and processors in Rwanda | Rwanda's data protection law requires data controllers to implement appropriate security measures. Vulnerability disclosure programs are recommended as part of comprehensive security practices. The National Cyber Security Authority encourages organizations to establish processes for handling security vulnerabilities responsibly. Effective date: October 15, 2021. Lead regulator: National Cyber Security Authority. |
| Senegal (West Africa) | Recommended | Law No. 2008-12 on Personal Data Protection; Article 31 - Security Measures | Data controllers in Senegal | Senegal's data protection law requires data controllers to implement security measures to protect personal data. While vulnerability disclosure programs are not explicitly mandated, they are recommended as part of an organization's security framework. The Commission for Personal Data Protection (CDP) encourages responsible vulnerability reporting. Effective date: January 25, 2008. Lead regulator: Commission for Personal Data Protection (CDP). |
| South Africa (Southern Africa) | Recommended | Protection of Personal Information Act (POPIA) - Security Safeguards; Section 19 - Security Measures | Organizations processing personal information in South Africa | POPIA requires responsible parties to implement appropriate technical and organizational measures to secure personal information. While vulnerability disclosure programs are not explicitly required, they are recommended as part of comprehensive security measures. Organizations should establish processes for receiving and handling security vulnerability reports to comply with data protection obligations. Effective date: July 1, 2021. Lead regulator: Information Regulator of South Africa. |
| Tanzania (East Africa) | None | Cybercrimes Act, 2015; General Cybersecurity Provisions | All organizations in Tanzania | Tanzania's Cybercrimes Act addresses various cybercrime offenses but does not explicitly require vulnerability disclosure programs. However, organizations are encouraged to implement security measures and establish processes for handling security vulnerabilities as part of good cybersecurity practices. Effective date: September 1, 2015. Lead regulator: Tanzania Communications Regulatory Authority. |
| Tunisia (North Africa) | Recommended | Organic Law No. 2004-63 on the Protection of Personal Data; Article 43 - Security Obligations | Data controllers in Tunisia | Tunisia's data protection law requires data controllers to implement security measures to protect personal data. Vulnerability disclosure programs are recommended as part of an organization's security framework. The National Authority for the Protection of Personal Data (INPDP) encourages responsible vulnerability reporting. Effective date: July 27, 2004. Lead regulator: National Authority for the Protection of Personal Data (INPDP). |
| Uganda (East Africa) | None | Data Protection and Privacy Act, 2019; Section 26 - Security of Personal Data | Data controllers and processors in Uganda | Uganda's Data Protection and Privacy Act requires data controllers to implement security measures. While vulnerability disclosure programs are not explicitly required, they are considered best practice. The Personal Data Protection Office encourages organizations to establish vulnerability reporting processes. Effective date: February 25, 2019. Lead regulator: Personal Data Protection Office. |
| Zimbabwe (Southern Africa) | Recommended | Cyber and Data Protection Act, 2021; Part IV - Cybersecurity Standards | Data controllers and information infrastructure operators in Zimbabwe | Zimbabwe's Cyber and Data Protection Act directs operators of critical information infrastructure to implement security safeguards and coordinate incident reporting. Regulators encourage responsible disclosure processes so that vulnerabilities can be submitted and remediated without legal exposure. Effective date: December 3, 2021. Lead regulator: Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ). |