DDoS attacks expose South Africa’s cyber response gap

Ronald Ralinala

May 24, 2026

The wave of distributed denial‑of‑service (DDoS) attacks that hit South African hosting providers last week has laid bare a stark gap between the country’s legislative framework and its on‑the‑ground capacity to tackle nation‑scale cyber incidents. More than half a dozen ISPs – including 1‑Grid, Xneelo, Network Platforms, Host Africa and Domains.co.za – were knocked offline, leaving tens of thousands of businesses scrambling for connectivity while traffic on the Seacom undersea cable also suffered.

Industry voices are split on whether the state should intervene. A senior networking specialist told TechCentral that a swift, government‑led task team would have been in place if the attacks had unfolded in the UK, the US or Australia, complete with international intelligence sharing and public technical advisories within 24 hours. Conversely, Athena Turner, head of marketing at Xneelo, argued that the issue belongs squarely to the private sector, insisting her company has not yet sought government assistance and is deliberating its own response strategy.

Communications Minister Solly Malatsi has now stepped into the fray, confirming he is consulting with Minister in the Presidency Khumbudzo Ntshavheni to forge a coordinated, whole‑of‑government approach. The minister stressed that any action would be anchored in existing legislation, notably the Cybercrimes Act 19 of 2020, which places the onus of cyber‑crime response on the Presidency’s portfolio.


Strengthening South Africa’s cyberattack response framework

The Cybercrimes Act offers a solid legal scaffolding: it criminalises unauthorised access, data interception, system interference and extortion, while also establishing tools such as expedited preservation directions and mandatory reporting duties for electronic communications service providers and financial institutions. Yet, the real weakness, according to cybersecurity advocate Samantha Moloi of Thulamela Chambers, is capacity.

Section 55 of the act obliges the minister responsible for policing to maintain sufficient human and operational resources to detect, prevent and investigate cybercrimes. Since its enactment, SAPS has not created a dedicated cyber division, leaving investigations fragmented across units. The government’s Cybersecurity Hub, intended as the first technical coordination point for incidents, currently offers only an email address, with its website “on hold” according to Moloi.

Key Legislation | Primary Mandate | Current Operational Status
Cybercrimes Act 19 of 2020 | Defines cyber offences, reporting obligations, fast‑track preservation | Legal framework in place; no dedicated SAPS cyber unit
Protection of Personal Information Act (POPIA) | Regulates processing of personal data | Enforced by Information Regulator; limited cyber‑incident integration
Electronic Communications and Transactions Act | Governs e‑commerce and electronic communications | Active regulator (ICASA); coordination gaps
Critical Infrastructure Protection Act | Protects essential services | Oversight bodies exist; siloed response
Regulatory Improvement of the Telecommunications Sector Act (RICA) | Licensing and compliance for telecoms | Functioning; no cyber‑incident command centre

The table highlights that while South Africa boasts a comprehensive legislative suite, the operational silos across departments impede a unified reaction to large‑scale attacks.

Moloi points to the UK’s National Cyber Security Centre (NCSC) as a practical model: a single hub that triages incidents, orchestrates cross‑government response and provides direct support to victims. Similar centralised structures exist in Australia (Cyber Security Centre), Canada (Centre for Cyber Security) and the United States (Cybersecurity and Infrastructure Security Agency).


In practice, a single DDoS episode can activate multiple statutory triggers: SAPS for criminal investigation, the Cybersecurity Hub for coordination, the Information Regulator for data breach compliance, ICASA for electronic communications oversight, and the Critical Infrastructure framework for any impact on essential services. Without a clear national incident command structure, agencies risk operating in parallel rather than as a cohesive front.

The fragmented legislative landscape compounds the problem. The Cybercrimes Act sits alongside POPIA, the Electronic Communications and Transactions Act, RICA, the Critical Infrastructure Protection Act, and soon an AI Act, each assigning responsibilities to different bodies. This dispersion means that a coordinated response requires not only political will but also a robust, cross‑agency command centre that can mobilise forensic investigators, threat analysts and technical responders in real time.

A pragmatic path forward, according to Moloi, would involve establishing a central cyber incident response centre staffed with trained investigators, forensic labs and a 24/7 intelligence feed. Coupled with a dedicated cyber court or prosecutorial unit, such an entity could accelerate the detection‑to‑prosecution pipeline that currently drags due to resource shortages.

The current cabinet‑level dialogue between Minister Malatsi and the Presidency signals that the issue has reached the highest echelons of government. Yet, as Moloi warns, the deeper challenge lies in building and maintaining the capacity that the Cybercrimes Act explicitly demands. Until Pretoria can deliver a functional, well‑resourced cyber command structure, South Africa will remain vulnerable to the kind of disruptive DDoS floods that recently crippled hosting providers and rattled businesses nationwide.

The urgency is clear: legislative tools are ready, but without the human and technical firepower to wield them, the country’s cyberdefence remains an unfinished promise.

© 2026 NewsCentral Media