On 3 May 2025, South African Airways (SAA) suffered a significant cyber incident that disrupted its website, mobile application, and several internal operational systems. Systems were restored later that same day after the airline activated robust disaster management and business continuity procedures.
SAA immediately initiated a forensic investigation and formally reported the incident to the State Security Agency (SSA), the South African Police Service (SAPS), and the Information Regulator in terms of the Protection of Personal Information Act (POPIA), pending confirmation of whether any personal data had been accessed or exfiltrated.
This incident underscores the importance of understanding and integrating South Africa’s multilayered cybersecurity legal framework, particularly where critical infrastructure is involved.
Legal and Regulatory Framework
South Africa’s cybersecurity regime is not governed by a single comprehensive statute, but rather by an interlocking system comprised of several Acts and policy instruments.
The Cybercrimes Act 19 of 2020 criminalises unauthorised access, data interception, harmful communications and related cyber offences, providing SAPS with extensive investigative powers and requiring service providers to preserve relevant data. The Act applies extraterritorially where offences impact South African citizens or infrastructure. Significant portions of the Act, especially Chapters 2 to 4 and 8, came into effect on 1 December 2021, although some procedural sections await regulatory finalisation.
The Electronic Communications and Transactions Act (ECTA) governs electronic communications, digital signatures and the security of e-commerce transactions. It defines computer access offences and obliges service providers to preserve data under lawful notice, with oversight by the Department of Communications and Digital Technologies. While not primarily a cybersecurity statute, its provisions frequently arise in incident response contexts where electronic communications systems are involved.
The POPIA, which became fully enforceable from 1 July 2021, obliges organisations to adopt reasonable safeguards against data loss, damage or unauthorised access, and mandates breach notifications to the Information Regulator and affected individuals “as soon as reasonably possible” after discovery or reasonable suspicion of a breach.
Under the Regulation of Interception of Communications Act (RICA), communications service providers must retain metadata for at least two years and ensure SIM-card registration. These provisions support lawful interception under judicial oversight and contribute to investigative capabilities in the event of cybercrime.
Complementing these statutes, the National Cybersecurity Policy Framework (NCPF) establishes South Africa’s strategic approach to cyber defence, assigns roles across government and private sector entities, and tasks the State Security Agency with leading national incident response coordination. Additionally, the Critical Infrastructure Protection Act (CIPA) obliges declared critical infrastructure operators, including SAA as a National Key Point, to adhere to prescribed risk management and cybersecurity standards.
Sector-specific regulators such as ICASA enforce network security mandates, SIM registration compliance, and retention protocols for telecom operators. Meanwhile, financial institutions must follow cybersecurity guidelines issued jointly by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority, including the prompt reporting of incidents and the conduct of routine security assessments. The Information Regulator also issues detailed POPIA codes covering encryption, access control and breach-reporting protocols.
How SAA’s Response Engaged the Legal Regime
When the disruption began on 3 May, SAA promptly activated its disaster recovery and business continuity measures, limiting the operational and customer-service impact. Notably, core flight operations continued unaffected through contact centres and sales offices, with systems restored within hours.
SAA commissioned independent digital forensic investigators to determine the breach’s root cause, scope, and whether data had been accessed, effectively illustrating the type of investigative steps directly envisaged by the Cybercrimes Act and critical for forensic chain-of-custody requirements.
In compliance with regulatory obligations, the airline reported the incident to the SSA and the SAPS, as required by both CIPA obligations and its status as a National Key Point, and notified the Information Regulator under POPIA as a precautionary measure. SAA further confirmed its commitment to notifying individuals affected by any data breach in a timely and transparent manner.
These measures collectively align with the multitude of obligations spanning the Cybercrimes Act, ECTA, POPIA and sector-specific guidelines, reflecting a high degree of compliance with South Africa’s complex legal regime.
Emerging Issues and the Need for a Dedicated Cybersecurity Act
Although South Africa recently enacted the Cybercrimes Act, it lacks a standalone Cybersecurity Act to unify governance of cyber resilience across public and private sectors. A Cybersecurity Bill was first introduced in 2015 and revised in 2018, but the security-oriented aspects were removed before the 2021 enactment of the Cybercrimes Act. Discussions resumed in late 2023, but formal adoption remains pending and may take several years.
In the absence of this legislation, regulatory guidance is fragmented, and operational expectations vary across different sectors. Organisations designated as critical infrastructure must navigate overlapping statutes and apply a combination of legal mandates, regulatory codes and policy frameworks.
Conclusion
The SAA cyberattack of 3 May 2025 demonstrates how South Africa’s layered cybersecurity framework operates in practice. While the nation does not have a unified Cybersecurity Act, the combination of the Cybercrimes Act, POPIA, ECTA, RICA, sector-specific regulation and strategic national policy provides a robust, though complex, legal basis for incident response involving critical infrastructure.
Going forward, organisations must ensure that legal obligations are embedded within operational protocols, incident response plans and forensic processes. Monitoring and contributing to the development of the prospective Cybersecurity Bill will be critical.
Written by Kerri Stewart, Attorney: Technology Law, SchoemanLaw Inc