Rwanda - Octopus Cybercrime Community

Back Rwanda

Status regarding Budapest Convention

Status : NA See legal profile

Cybercrime policies/strategies

Rwanda has not yet published a national cybercrime strategy.

However, a cyber security policy was established in 2015. In the policy, it is stated that the Government of Rwanda (GoR) has invested significantly in Information and Communications Technology (ICT) infrastructure and applications, as a cornerstone for National economic growth. ICT is recognized as a key enabler for economic growth and social mobility and is expected to improve Rwandans’ standard of living as part of the Integrated ICT-led Socio-Economic Development Policy and Plan.

Law 27/2016 establishes a National Cyber Security Authority, responsible for:

Advising the President and other public and private institutions on strategies to defend the country's interests in cyberspace;
Conducting cyber intelligence on any national security threat in cyberspace and provide information from such intelligence to the relevant organs;
Establishing guidelines on the basis of national, regional and international ICT security principles;
Coordinating and implementing the national ICT security policy and strategy;
Developing strategies to secure all electronic operations;
Monitoring all national ICT security programs;
Preventing cyber-attacks in order to protect ICT infrastructure in general and critical information infrastructure in particular;
Establishing and promoting national cyber security education programs, foster research and develop industry in the ICT field;
Creating awareness about cyber security;
Collaborating with other public and private institutions and other information technology-related bodies to ensure national ICT security;
Cooperating and collaborating with other regional and international organs in charge of cyber security;
Providing national defence and security organs with the necessary support to attain their responsibilities in relation to cyberspace;
Performing other duties as may be assigned by the President.

Cybercrime legislation

State of cybercrime legislation

The Law on Prevention and Punishment of Cyber Crimes of 2018 addresses all of the offences listed in the Budapest Convention in terms of substantive law.

The same Law partially addresses procedural powers corresponding to the Budapest Convention, with more details and regulations required as to search and seizure, monitoring and interception.

Substantive law

The Law on Prevention and Punishment of Cyber Crimes has the following provisions:

Chapter IV: Offences And Penalties – Section One: Offences against the confidentiality, integrity and availability of data and computer or computer system

Article 16: Unauthorized access to a computer or a computer system data

Article 17: Access to data with intent to commit an offence

Article 18: Unauthorized modification of computer or computer system data

Article 19: Interception of computer or computer system

Article 20: Damaging or denying access to a computer or computer system

Article 21: Unauthorized disclosure of access code

Article 22: Continuous fraudulent use of an automated or non-automated data processing system of another person

Article 23: Preventing or misguiding the running automated or non-automated data processing system

Article 24: Access to a computer or computer system data

Article 25: Unlawful manufacturing, selling, buying, use, import, distribution or possession of a computer or computer system or computer or computer system data

Article 26: Unauthorized reception or giving of access to a computer or computer system program or data

Article 27: Cyber-squatting

Article 28: Unlawful acts in respect of malware

Section 2: Offences related to digital signature and certification

Article 29: Misrepresentation and suppression

Article 30: False digital signature certificate

Article 31: Fraudulent use of digital signature

Section 3: Computer-related offences

Article 32: Computer-or computer system-related forgery

Article 33: Changing computer or computer system equipment identity

Section 4: Offences related to the content of computer and computer system

Article 34: Publication of pornographic images through a computer or a computer system

Article 35: Cyber-stalking

Article 36: Phishing

Article 37: Spamming

Article 38: Publishing indecent information in electronic form

Article 39: Publication of rumours

Article 40: Impersonation

Section 5: Offences related to terrorism, trafficking in persons or narcotics committed using a computer or a computer system

Article 41: Creation or publication of a site for terrorist groups

Article 42: Creation or publication of a site for the purpose of trafficking in persons

Article 43: Creation or publication of a site for the purpose of trafficking or distributing drugs or narcotics

Section 6: Cyber offences committed by service providers

Article 44: Disclosure of data made available to third party

Article 45: Provision of access to a computer or computer system or cause them to send or use electronic content on another person’s computer or computer system

Article 46: Refusal to remove or disable access to illegal information stored

Article 47: Non reporting of cyber threats incident

Article 48: Offences related to stored information

Article 49: Illegal search results

Article 50: Failure to take action on take-down notification

Section 7: Common provisions to all offences

Article 51: Penalties imposed on a business entity having committed an offence

Chapter V: Miscellaneous And Final Provisions

Article 53: Regulations on cyber security

Procedural law

In the Law on Prevention and Punishment of Cyber Crimes, the following provisions regarding procedural powers are included:

In Chapter III: Investigation Of Cybercrimes – Article 8: Obligation to collaborate with organs in charge of investigations, Article 9: Search and seizure, Article 10: Accessing or retrieving a copy of computer or a computer system data on the system after seizure, Article 11:Disclosure of data, Article 12: Preservation of computer or computer system, Article 13: Disclosure and collection of electronic traffic data, Article 14: Court order, Article 15: Authorization to use a forensic method.

Related laws and regulations

Law 27/2017 on establishing a National CyberSecurity Authority https://www.minict.gov.rw/fileadmin/Documents/Mitec2018/Policies___Publication/ICT_Laws/Law_establishing_the__NCSA-2-20.pdf

Law N. 24/2016 governing Information and Communication Technologies –

Establishes a framework for ICT policy and regulation, with emphasis including on: promoting national ICT policy objectives; establishing a licensing and regulatory framework in support of national policy objectives for the ICT industry; establishing and strengthening the relevant institutions;

Comprises a section on Matters of national interest and data security (Section 7), including provisions on interception and monitoring of information, privacy and data protection, powers of the Minister on issues of national sovereignty, disaster management plans.

https://www.minict.gov.rw/fileadmin/Documents/Policies_and_Rugulations/ICT_laws/ICT_LAW.pdf

Specialised institutions

Rwanda has established a CSIRT in 2014. Its roles are:

Serving as national point of contact for computer security incidents coordination and response;
Providing accurate and timely information on current and emerging cyber security threats and vulnerabilities;
Building cyber security capacities to handle cyber security incidents and threats;
Promoting information security awareness;
Promoting research and development in the cyber security field;
Promoting regional and international cooperation.

In the National Police, there is a department specialized in Information Technology and Cyber Security.

International cooperation

Jurisprudence/case law

The Judiciary system of Rwanda has a dedicated web page, where there is also an archive of court decisions: https://www.judiciary.gov.rw/index.php?id=293&no_cache=1