The 2026 Shift: Stricter Mandates Under Zimbabwe’s Cybersecurity Law
The Cyber and Data Protection Act [Chapter 12:07] now governs Zimbabwe’s digital landscape with rigid enforcement. As of January 2026, the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) mandates that all organizations processing personal data must register as data controllers. Failure to appoint a certified Data Protection Officer or report breaches within 24 hours results in heavy administrative fines or license revocation. Criminal provisions impose sentences up to ten years for cyberbullying, data theft, and the distribution of "fake news." This centralized framework prioritizes state-led surveillance and strict corporate compliance, fundamentally altering how data flows across the nation’s borders.
Zimbabwe's primary cybersecurity legislation is the Cyber and Data Protection Act [Chapter 12:07], which was enacted in December 2021 and came into full effect on March 11, 2022. Entering 2026, the government has shifted toward stricter enforcement of these laws, particularly regarding data handling and online conduct.
Key Legislative Framework
The law consolidates several areas of digital regulation, including data privacy, cybersecurity, and cybercrime.
• Regulatory Authority: The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) is designated as the official Data Protection Authority and oversees the Cyber Security Centre.
• National Cybersecurity Strategy: As of October 2025, Zimbabwe completed its National Cybersecurity Strategy, a framework designed to protect digital assets and strengthen national resilience against emerging threats.
• Mandatory Licensing: Under Statutory Instrument 155 of 2024, all data controllers (such as banks, schools, and hospitals) were required to register with POTRAZ and appoint a qualified Data Protection Officer (DPO) by late 2024 or early 2025. Unlicensed processing in 2026 is subject to severe penalties.
Criminalized Offences and Penalties
The Act amends the Criminal Law (Codification and Reform) Act to introduce specific cyber-related crimes and penalties:
• Cyberbullying and Harassment: Sending threatening data messages or messages inciting violence can lead to imprisonment.
• Social Media Misuse: Posting intimate images without consent (revenge porn) or spreading harmful "fake news" is criminalized, with sentences of up to 10 years in prison.
• Hacking and Data Theft: Unlawful acquisition of, or interference with, data and computer systems can attract custodial sentences of 10 to 15 years.
• Online Fraud: Identity theft and online misrepresentation are punishable by up to 5 years in prison.
2026 Enforcement Outlook
Following a period focused on collaboration and registration in 2025, 2026 marks a shift toward aggressive enforcement.
• Routine Inspections: POTRAZ is authorized to conduct audits and investigations triggered by consumer complaints or whistleblowers.
• Escalated Fines: Non-compliant organizations face hefty fines scaled by the severity of the violation, and repeat offenders risk losing their operating licenses.
• Data Breaches: Organizations must report data breaches to POTRAZ within 24 hours and notify affected individuals within 72 hours if there is a high risk to their rights.
Francis