WHEN Hakainde Hichilema was inaugurated as the seventh president of Zambia in August 2021 following the country's watershed elections, the nation founded by liberation icon Kenneth Kaunda began a new journey of hope and prosperity.

The eyes of the SADC region, Africa and the world were on the country whose slogan "One Zambia, One Nation" resonates with many Africans at home and in the diaspora. 

Zambia was beginning a new chapter and taking a trajectory that would bring the country back from the brink of political, economic and social crises.

His election and subsequent inauguration brought Zambia a lot of goodwill from across the world.

But while his government begins the arduous work of rebuilding the country and making it one of the SADC region's economic powerhouses and the destination of choice for international investors, they must think carefully about some of the legislation they are pushing through or risk sending conflicting messages to the world.

One of these is the proposed Cyber Security and Cyber Crimes (Critical Information Infrastructure) Regulations 2022 supposedly developed to give effect to the critical information infrastructure requirements under the Cyber Security and Cyber Crimes Act No.2 of 2021, which, on paper, is envisaged to deal with national security, threats of sabotage, espionage and other cyberspace risks in the post-Covid era.

The unintended consequence of this proposed legislation by the Ministry of Technology and Science is that it will hurt current investors and scare those who have been listening to Hichilema's message that country is open for business. 

Cybersecurity experts warn that Zambia will be throwing the baby with the bath water if it goes ahead with the proposed legislation, which will force multinationals operating in the country to store customer data locally or pay hefty fees to keep the information outside Zambia's jurisdiction.

Experts say while the Zambian government steams ahead with the proposed new legislation, they must be wary of the fact that no other African country has done this before.

This therefore means there is no best practice and the risk it too much to take for a new government in a country without the capacity to store this data on its shores.

While several African countries have enacted new legislation to fight cybercrimes in recent years, their focus has been to make sure companies commit to protecting their data and reporting any breaches to authorities as quickly as they happen.

According to a recent report by Afriwise, with Africa's internet penetration the highest in the world, there has been an increase in cybercrime, costing the continent billions in lost GDP ($4.12 billion in 2021).

The continent is projected to have 1 billion users by 2023, accelerated by Covid-19, which has seen many people working from home and accessing work systems remotely.

 And with this growth comes an increase in cybercrime as criminals cash in on the burgeoning digital landscape.

This has forced African governments to act by enacting new legislation to protect citizens. But only 29 of 54 countries have done so, and only 10 African countries have "national cybersecurity strategies to ensure the protection of their CII (critical information infrastructure) sectors".

And although the new legislation is a necessary evil, the new terrain has seen companies falling foul of the law in some of these countries, where the new legislation is "complex and difficult to navigate".

This legislation is broken in two: laws targeting cybercriminals and laws regulating and enforcing cybersecurity practices of businesses. It appears that in all African countries included in the study by Afriwise, none have forced companies to localise CII, and none are fined for externalization.

And this is precisely why Zambia finds itself facing a pushback from both local and multinational businesses who accuse the government of heavy-handedness in its approach.

In Ghana, for example, businesses are only required to report cybercrime to government within 24 hours of the incident, or be liable to a fine of between 3000 - 120,000 Cedis

In Mauritius, one of the best cybersecure countries in Africa, the Act passed in 2021 makes it mandatory for all businesses identified to have CII to be subjected to an annual independent IT- security audit.

Those who don't comply face a fine of MUR100 000 and the responsible official may be imprisoned. 

In South Africa, used as a case study by Afriwise, businesses that fail to report cyberattacks in accordance with the law face fines of up to R50,000. 

South Africa, the economic hub of the region, has the third highest number of cybercrime victims in the world, costing its economy R2.2 billion a year.

The research by Afriwise also makes a startling observation: although many African countries have enacted cybersecurity laws, they lack the capacity and infrastructure to enforce these legislations. 

Further, there is a dire shortage of critical skills, with far few professionals in the sector, and too few in decision-making positions in the regulatory industry.

"Therefore we have people making laws without the expertise needed and, simultaneously, lawyers without the expertise needed to enforce the laws that have been passed," Afriwise found.

It looks likely that Zambia isn't any different from other African countries. But the Zambian government is keen on protecting essential services by making sure it "uplifts the security and resilience of infrastructure on which critical information lies".

"As the threats and risks to Zambia's CII evolve in a post Covid world, so too must the approach for ensuring the ongoing security and resilience of CII and the essential services they support," says the Zambia Information, Communication and Technology Authority (ZICTA) in a concept note explaining the rationale and motivation around the proposed regulations. 

The document identifies 19 areas as "essential services". Among them are aviation, payment gateway, internet banking, digital financial services, data centres, broadcasting, payment switch services and tax collection.

Eleven sectors have been named: banking and finance; health; transport; communication; defence and national security; energy; insurance; education; taxation; mining and public body.

Under the proposed legislation, which will most likely be signed quickly by the Minister of Technology and Science in the current political power balance in Zambia, data must be stored locally.

If a company wants to keep the data abroad or outside the country, as is the case with multinationals across the continent, they have to apply to the minister, who will either approve or reject the application- "within 30 days of receipt of the application".

The proposal further says that companies will be required to localise their data within 24 months "from the date the SI is published in a gazette". 

Most companies will need more than just two years to move copious amounts of data, and even then, there are no guarantees that Zambia has capacity and expertise to keep this data locally without turning to global data storage giants such as Amazon and Microsoft, as is the case in Europe, Britain and the US. 

Zambia has about four known data storage companies, but they are either too small or have no capacity to store such an amount of data, the hurried localization strategy also make these centres instant targets since, per this strategy, only four centres will hold all of the banking sector, mining and other named industry critical data.

There is no provision in the current proposal to have these companies work with known global giants such as Microsoft or Amazon.

The Zambian government believes it can do it, and in the process empower local data storage companies and develop local skills in this critical sector.

And while this sounds plausible, on paper, it is not based on any best practice model anywhere in the world and is much more complicated than ZICTA imagines.

ZICTA believes using local cloud service providers "will help grow the Zambia cloud service industry and investments in the ICT sector", and that this will help create jobs and boost opportunities in the space. 

Further, ZICTA believes that it will be easier to investigate and resolve cyber attacks if the data compromised is within Zambia's jurisdiction, an assertion based purely on not understanding cybercrimes in a world where the concept of a global village is real and where we are all connected.

Although ZICTA suggests that governments worldwide are moving in the same direction, there is no evidence of this.

Widespread consultations have been held, and some investors have made submissions pointing out the weaknesses around the approach by the government, and arguing for self -regulating safeguards that businesses apply to counter concerns raised by ZICTA.

Industry stakeholders have also made submissions on why the hefty fee approach will hurt investment and cause operation crises for multinationals operating in the country. 

But while most companies would prefer to keep their data in the cloud where it currently sits, the problem is that they will have to pay 0.5% of their gross annual turnover if they chose this option.

Many feel this fee, which would run into billions of kwacha for some, is punitive, makes no business sense and will force them to look for alternative markets. 

In case companies want to externalise data, their fate lies in the hands of the Minister of Technology and Science.

The minister will consult ZICTA, the National Cyber Security Advisory Coordination Council and other agencies and only approve if the firm proves security measures are adequate, whether it is necessary to do so, and if national security won't be compromised.

Further, companies must make submissions and have consent from "data subjects” and "any other factors the minister may consider necessary".

Experts say this is open to political manipulation and that politicians may use their power to harass investors and milk multinationals as we have seen with the tax issues in markets such as Nigeria, where big some multinationals have found themselves facing unexplained and unreasonable charges almost overnight.

Cybersecurity expert Kudakwashe Charandura of SNG Grant Thornton, speaking at the ITWeb Security Summit 2022, said incidents of attacks are better handled with cyber resilience strategies by businesses, bringing cyber security, incident response, disaster recovery and business continuity under one roof.

"Cyber resilience puts the business at the centre of everything. The goal of cyber resilience is to ensure the business resumes operations immediately with minimal impact, so that the business remains sustainable," he told the summit.

If the Zambian legislation is pushed through, it will affect multinationals operating in the country.

And for a country like Zambia, which is buoyant with the Hichilema government firmly in charge, such legislation will harm efforts to woo investors to the Southern African country.