South Africa has the legislative foundation to respond to nation-scale cyberattacks but the practical capacity has yet to be realised.
A wave of distributed denial-of-service (DDoS) attacks earlier this week disrupted connectivity across more than half a dozen South African hosting providers and internet specialists, including 1-grid, Xneelo, Network Platforms, Host Africa and Domains.co.za. Tens of thousands of businesses were affected downstream, while upstream effects disrupted connectivity via the Seacom undersea cable.
But industry players are divided on whether government should respond. A senior networking specialist quoted in TechCentral’s earlier reporting criticised government’s apparent silence on the matter.
“If this had happened in the UK, the US or Australia, there would already be a government-level task team … actively assisting the affected centres, exchanging indicators of compromise with foreign counterparts and issuing public technical advisories within 24 hours,” the specialist said.
But others, including one of those directly impacted, see it as an industry issue that should be solved without government involvement.
“We have not reached out to government on this matter. It is a concern that should be discussed within the industry. We are considering our involvement,” said Athena Turner, head of marketing at Xneelo, told TechCentral.
Oversight
Communications minister Solly Malatsi has since responded, saying he is engaging with minister in the presidency Khumbudzo Ntshavheni on a coordinated approach.
“I am aware of the large-scale distributed denial-of-service attacks that have targeted South African web hosting and telecommunications companies over the past week and note the concern this has raised among businesses and the public,” Malatsi said.
“I am engaging with the minister in the presidency to ensure a coordinated whole-of-government approach to monitoring these attacks and implementing concomitant responses within the prescriptions of applicable legislation, including the Cybercrimes Act given that the mandate for that lies with her department.”
Read: SAPS cannot fight cybercrime on its own
The Cybercrimes Act sits with Ntshavheni’s portfolio, which also has oversight of the State Security Agency. Whether the state’s response amounts to more than ministerial coordination is doubtful, according to Samantha Moloi, an advocate at Thulamela Chambers, whose practice covers cybersecurity, AI law and technology.
According to Moloi, South Africa has the legal architecture but lacks the practical capacity to respond adequately to a national-scale attack.
The Cybercrimes Act 19 of 2020 criminalises unlawful access, interception of data, interference with data or computer systems and cyber extortion.
It also creates response tools, including expedited preservation directions, a designated point of contact and reporting obligations for electronic communications service providers and financial institutions.
“The real weakness, in my view, and in short, is capacity,” Moloi said.
Section 55 of the act requires the minister responsible for policing to establish and maintain sufficient human and operational capacity to detect, prevent and investigate cybercrimes.
“That wording is important because it shows that capacity is not assumed; it must still be built and maintained. This was promulgated in 2020; to date, we do not have a dedicated cyber division in SAPS, but fragmentation.”
For affected businesses, the first technical coordination point is government’s Cybersecurity Hub – although Moloi noted that its website “has been on hold”, with only an e-mail address offered to report incidents.
Starting point
Where an incident amounts to a cybercrime, the statutory point of call is the South African Police Service, but the capacity to investigate and prosecute remains in question. Industry experts have previously noted that the SAPS doesn’t have the capacity to combat cybercrime on its own.
What is needed, Moloi argued, is not more legislation but practical response capability: trained cyber investigators, technical incident responders, forensic capability, real-time threat intelligence and a clear national coordination system linking SAPS, the Cybersecurity Hub, regulators, telecoms providers, banks and other private infrastructure operators. A central cybersecurity centre, and possibly a dedicated court and prosecutorial unit, would be a sensible starting point, she said.
Read: Extortionists ‘carpet bomb’ South African internet hosts
Moloi pointed to the UK’s National Cyber Security Centre – which triages serious incidents, defines a cross-government response and provides direct support to victim organisations – as a workable model. Australia’s Cyber Security Centre and ReportCyber service, and Canada’s Centre for Cyber Security, follow similar centralised approaches.
Fragmentation is also baked into the legislative landscape. The Cybercrimes Act sits alongside Popia, the Electronic Communications and Transactions Act, Rica, the Electronic Communications Act and the Critical Infrastructure Protection Act – with an AI Act expected to follow.
A single attack can simultaneously implicate SAPS for the criminal offence, the Cybersecurity Hub for coordination, the Information Regulator for personal information, Icasa for electronic communications and the critical infrastructure framework where essential services are affected.
“Without one clear national incident command structure, departments may respond in silos rather than as one coordinated state response,” Moloi said.
For now, Malatsi’s engagement with the presidency is the clearest signal the matter has reached cabinet level, even if, on Moloi’s reading, the deeper problem is one Pretoria has not yet solved. – © 2026 NewsCentral Media
