On 11th August 2023, the Minister for Information, Communications and Information Technology passed new Regulations on the computer emergency response team, which amend the 2018 Regulations. Below are the key highlights of the amendments, with a view to drawing attention to the important regulatory and compliance requirements.

Requirements for Constituencies
The 2023 Regulations add more duties for the constituency, among others: to engage licensed security penetration testers, to perform independent information security assessments at least once a year to know its security weaknesses and apply remedial measures against them, to share key findings of the security weaknesses, and to protect the organization’s domain names by applying secure protocols.

Licensing of cybersecurity service providers
The Regulations impose a mandatory requirement on a person who intends to provide cybersecurity services within the United Republic of Tanzania to obtain a licence from the Tanzania Communications Regulatory Authority (TCRA). The said licence is granted to either an individual or a business entity upon complying with the requirements set out in the Regulations.

Duties and obligations of cybersecurity service providers
The Regulations require a cybersecurity service provider not to make any false representation in the course of advertising or providing its cybersecurity services; to comply with all applicable laws in the course of providing its cybersecurity service and with all obligations relating to confidentiality and data protection; not to use or disclose information for other purposes unless appropriate written consent has been obtained; and not to act where there is a conflict between its own interest and that of the person procuring or receiving the cybersecurity service.
Further, the cybersecurity service provider is obliged to notify the TCRA of any change or inaccuracy in the licence-related information and particulars that the entity or its key employees provide to the TCRA, including but not limited to changes to or inaccuracies in the licensee’s or its key employees’ names, designations, addresses, and contact particulars, criminal convictions or civil judgements entered against the licensee or its key employees, and where the licensee has been declared bankrupt or gone into voluntary liquidation.

Importation, distribution, supply and sale of cybersecurity tools
The Regulations impose a requirement for persons not to acquire, import, distribute, supply, or sell cybersecurity tools without obtaining approval from the TCRA, save for law enforcement organs.