What defined African infosec in 2025

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

If you have read parts one and two, thank you. Part Three looks at the deeper structures now taking shape beneath Africa’s internet. The rules, systems, and power dynamics shaping how data and security is governed, where it lives, who controls it, and whose rights are protected in the process. From children’s digital safety to national data infrastructure, this section traces how policy, technology, and power converged to define the next phase of Africa’s digital transformation.

• Children's digital rights

In 2025, African nations increased their focus on legislating and enforcing Child Online Protection (COP) measures, moving from general data protection to specific safeguards for minors. While no new standalone COP Acts were passed, several countries updated existing laws to strengthen protections. South Africa continued amending the Children’s Act 38 of 2005 to better address digital privacy and data protection rights for children under POPIA. At the continental level, the African Union (AU) and GSMA, in partnership with UNICEF, launched the Africa Taskforce on Child Online Protection in October 2025, creating the first multi-stakeholder platform to drive coordinated implementation of COP frameworks across Africa. This initiative represents a shift from policy discussion to action-oriented strategy following a comprehensive whitepaper.

Conversations around children’s rights online increasingly reflected the principles of the UN’s General Comment No. 25, treating children not just as users to be protected, but as rights-holders in digital spaces. This shift pushed governments and platforms to think beyond access, toward how systems are designed, how data is collected, and how harm is prevented before it occurs. However, the digital divide remains a challenge, with only 53% of African youth aged 15–24 online, limiting the equitable exercise of digital rights.

High-profile cases highlighted the need for platform accountability. In July 2025, the Gauteng Division of South Africa’s High Court ordered Meta to permanently remove dozens of accounts distributing child sexual exploitation material (CSEM) and to disclose subscriber information of over 60 offending accounts to aid prosecution. This ruling marked the first time a South African court compelled a global tech company to comply with local child protection laws, setting a significant legal precedent. In Nigeria, the GAID 2025 reinforces parental consent requirements for data processing, though practical age verification and consent mechanisms remain challenging continent-wide.

The strategic focus has shifted from debating high-level AU policies to establishing concrete, action-oriented mechanisms, exemplified by the Africa Taskforce on COP. The South African court’s direct order against Meta also reflects a broader trend of national judiciaries asserting authority over global platforms to protect children.

Looking ahead to 2026, African countries are expected to develop AI policy frameworks explicitly incorporating children’s rights, moving beyond general data protection to address algorithmic profiling and manipulation risks. Additionally, the implementation and enforcement of the UN Convention against Cybercrime, which opens for signature in 2025 and includes provisions on child sexual abuse and grooming, will strengthen international cooperation and national legal frameworks for prosecuting online child exploitation across Africa.

• DPIs

In 2025, several African countries made significant progress in implementing or expanding Digital Public Infrastructures (DPIs), driven by the need for inclusive economic growth and streamlined public service delivery. Nigeria continued its push to establish the National Identification Number (NIN) as a core DPI, issuing roughly 127 million NINs by year-end and mandating its linkage to telecommunications, corporate, and social services. Kenya advanced its digital ID, Huduma Namba, to unify public service databases and integrate mobile money, where Africa leads global transaction volumes. Morocco pursued its Digital Morocco 2030 strategy, investing heavily to become North Africa’s digital hub and serve the wider region.

The rapid emergence of DPIs has raised critical security concerns, particularly regarding data integrity and foreign infrastructure reliance. Systems like the NIN centralise sensitive biometric and personal data, creating prime targets for cyberattacks, including data breaches and ransomware, which saw a 94% rise in 2024. Partnerships with foreign cloud providers, such as Kenya, Microsoft, and G42, introduce structural risks, including data localisation issues, potential leaks, and dependence on external platforms vulnerable to geopolitical disruptions.

Discussions on DPI governance and security intensified in 2025, emphasising a multi-stakeholder and rights-based approach. The 14th African Internet Governance Forum (AfIGF 2025) in Dar es Salaam, Tanzania, focused on DPIs and data governance, bringing together governments, civil society, the private sector, and academia to enhance resilience, trust, and human-centric design. South Africa’s G20 Presidency elevated DPIs globally, with the 2nd Global DPI Summit in Cape Town in November 2025 highlighting alignment with inclusive growth and AfCFTA objectives. Key recommendations included regulatory sandboxes to test DPIs before full deployment, clarifying rules, revealing privacy risks, and enhancing transparency.

The major shift since 2024 is the focus on governing DPIs, particularly regarding digital sovereignty and ethical AI integration. India contributed $25 million to bolster payment systems in five African nations and promoted its India Stack DPI model at BRICS and GITEX Africa summits, offering a non-Western alternative for digital development. These developments underscore the strategic diversification of digital partnerships in Africa.

Looking ahead to 2026, Africa is expected to accelerate cross-border DPI interoperability through initiatives like the Pan-African Payment and Settlement System (PAPSS) and further pilots under the AU’s Digital Transformation Strategy, vital for unlocking AfCFTA economic benefits. The growing integration of AI within DPI components, particularly in data exchange platforms, will drive the urgent need for African-led AI governance frameworks to ensure ethical, human-rights-compliant technology use.

• Data centers

In 2025, Africa’s data centre market experienced investment and expansion, driven by the adoption of cloud services, 5G networks, and rising data consumption. While South Africa remained the dominant market, holding over a third of operational facilities and the largest live IT capacity (over 100 MW), the most significant growth was seen in emerging regional hubs. Nigeria led planned expansions, with MTN unveiling a major Tier III center and Airtel planning a 38 MW facility. Kenya and Egypt also attracted substantial investment, with Nairobi’s IXAfrica 53 MW hyperscale facility supporting AI deployments, and Egypt leveraging its geographic location to connect Africa, Europe, and Asia.

The rapid expansion of data centers brought critical challenges regarding security, energy, and regulation. Security risks remain high due to the valuable data hosted and the growing prevalence of sophisticated cyberattacks targeting government and financial sectors. Energy constraints are a pressing issue, as many national grids cannot meet the 99.995% uptime required for Tier III/IV facilities, forcing operators to rely on high-carbon diesel generators. This spurred investment in renewable energy solutions, including Teraco’s 120 MW solar PV plant in South Africa and a geothermal-powered centre in Olkaria, Kenya. Regulatory frameworks also matured, with 39 African countries enacting data protection laws, often including data localisation mandates, influencing investment decisions.

Discussions in 2025 focused heavily on data sovereignty and security standards. The Africa Data Sovereignty Conference in Lagos brought regulators and industry leaders together to address mandatory data localization and the protection of continental digital assets. National security benefits from in-country hosting of sensitive financial and government data, were emphasized to improve compliance and digital trust. The Pan-African Parliament warned of a "new age of colonialism" if Africa failed to control its data and promoted decentralised approaches like Federated Learning to ensure local control and ethical AI development.

Since 2024, investment focus has shifted from generalised cloud readiness to AI-specific High-Performance Computing (HPC) facilities. Cassava Technologies committed over $700 million to build an AI-focused HPC facility, deploying 3,000 NVIDIA GPUs in South Africa by mid-2025, highlighting AI as the primary driver for new data centre capacity. This trend reflects the continent’s pivot toward data-intensive applications, advanced analytics, and AI adoption.

Looking toward 2026, the African data centre market is expected to embrace Edge Data Centres, brought on by 5G network expansion, which will localise processing and enhance mobile and IoT services. New data localisation regulations and AI-driven HPC demand are likely to encourage hyperscalers like Microsoft and AWS to establish dedicated facilities beyond South Africa, particularly in Nigeria and Kenya. This evolution underscores a growing emphasis on sovereign digital infrastructure, performance optimisation, and ethical AI alignment across the continent.

• Data sovereignty

In 2025, several African countries reinforced their commitment to data sovereignty by introducing or updating data protection and localisation clauses. Nigeria continued to lead, with the National Information Technology Development Agency (NITDA) requiring cloud service providers to store critical government and financial data domestically, further attracting major data centre investments. Kenya, under its 2019 Data Protection Act, increased judicial and regulatory scrutiny on cross-border data transfers in sensitive sectors like health and digital identity, following concerns highlighted by the WorldCoin scandal in 2024. Botswana and Tanzania advanced their legislative frameworks, contributing to a continental landscape where 39 out of 55 African nations now have some form of data protection law, often incorporating data residency or localisation mandates.

The continental trend increasingly favours strict data sovereignty, aiming to assert digital independence and limit reliance on foreign technological powers, often framed as combating “Digital Colonialism 2.0”. Economically, localisation mandates present a dual effect: they raise operational costs for multinationals and can hinder global data flows for startups, but simultaneously drive massive investment in local data centres and promote indigenous cloud service providers. Local ownership of data is also viewed as essential for training culturally and linguistically relevant AI models, ensuring that Africa captures the economic value of its growing digital ecosystem.

Tech firms, governments, and civil society continued to debate the balance between unrestricted data flow and national control. Forums like FIFAfrica 2025 and continental AI Summits highlighted the divide: governments promoted localization for security and economic growth, while Big Tech raised concerns about fragmented regulations increasing compliance costs. Civil society emphasised that data sovereignty must align with human rights, ensuring transparency, accountability, and protection from expanded government surveillance.

The most notable change since 2024 was the shift from theoretical debate to practical enforcement of localization requirements, directly shaping investment and infrastructure projects in Nigeria and Kenya. The rise of AI as a strategic economic driver further linked data sovereignty to AI sovereignty, emphasising local training of AI models to capture the continent’s digital potential. Multi-million-dollar HPC and data centre projects reflected this growing alignment between policy, infrastructure, and technology development.

Looking ahead to 2026, Africa is expected to accelerate efforts toward regional harmonisation of data protection and cross-border transfer mechanisms, led by the African Union and regional bodies, to overcome the operational challenges posed by the current patchwork of 29 national laws. Additionally, initiatives for regional AI compute centres with enforced local data residency are anticipated to support indigenous AI innovation while maintaining sovereign control over the continent’s digital assets.

• Data policies

In 2025, African countries advanced significantly in data governance, moving from legislative development to active enforcement. The Gambia passed the Personal Data Protection and Privacy Bill in September 2025, while Nigeria fully implemented the Nigeria Data Protection Act General Application and Implementation Directive (NDP Act-GAID) in the same month. Kenya initiated its National Data Governance Policy, and Malawi published draft regulations on data processors and breach notifications for public comment. Egypt adopted an Open Data Policy as a transitional framework pending a comprehensive Data Governance Law.

The continental trend emphasised digital sovereignty and regional harmonisation, with cross-border data transfers restricted to jurisdictions with adequate protection levels to support secure digital trade. Nigeria became an associate member of the Global Cross-Border Privacy Rules (CBPR) Forum to facilitate regulated international data flows. Enforcement capacity strengthened as Data Protection Authorities (DPAs) in Kenya and Nigeria increased fines and launched investigations into major breaches, raising awareness of data subject rights.

Implementation challenges persisted due to the digital divide, limited technical and financial resources within DPAs, and a lack of timely guidance for small businesses. Despite these hurdles, DPAs like Kenya’s conducted physical inspections to assess compliance, signalling a move toward stringent oversight.

A landmark enforcement action was the Meta out-of-court settlement with Nigeria’s Data Protection Commission, resulting in a $32.8 million fine and a directive to revise privacy policies and halt unauthorized data transfers. The settlement, which followed months of legal dispute, included an order for Meta to revise its privacy policies and cease transferring user data without approval, affirming Nigeria's willingness and capacity to hold global tech giants accountable to its domestic laws.

Since 2024, the shift has been from creating legislation to actively enforcing compliance, exemplified by the NDP Act-GAID in Nigeria and increased fines in Kenya. Looking ahead to 2026, efforts will focus on AI-specific governance within existing frameworks and regional harmonisation of data transfer mechanisms, particularly to facilitate the AfCFTA digital trade protocol.

The choices made in 2025 around child protection, data ownership, infrastructure control, and digital sovereignty will shape how power, opportunity, and risk are distributed in the years ahead. The central question in 2026 is no longer whether Africa will be fully digital, but on whose terms that future will be built.

Thank you for reading to this point. You can read part one here and two here.

What do you think about the 2025 African Infosec Roundup? We would like to hear from you. Reply to this email or send an email to [email protected].