Eswatini’s computer crime and cybercrime act, 2022

March 2022

View the original document

National Regulations

The Computer Crime and Cybercrime Act, 2022, is Eswatini’s comprehensive legal framework for addressing cyber threats. It criminalises a wide spectrum of offences, from hacking and data interference to cyberbullying, child exploitation, and cyberterrorism. It equips law enforcement with investigative powers while setting conditions for evidence handling. At the same time, it regulates the role of service providers and establishes national governance mechanisms through the Commission and Cybersecurity Advisory Council.

Purpose and scope of the act

The Act was passed to criminalise offences committed against or through computer systems and communication networks. It regulates how crimes in the digital environment are investigated, how evidence is collected and admitted in court, and it also establishes institutions and responsibilities for cybersecurity governance.

It applies not only to offences committed inside Eswatini, but also gives the country extraterritorial jurisdiction if crimes abroad affect Eswatini’s systems, citizens, or infrastructure.

Key offences under the act

The Act defines a wide range of computer-related crimes, with penalties that vary from fines to long prison sentences:

  • Illegal access and illegal remaining: unauthorised entry into or continued presence in a computer system.
  • Illegal interception: capturing transmissions or emissions from a computer system.
  • Illegal data interference and data espionage: altering, deleting, destroying, or stealing protected data.
  • System interference and illegal devices: disrupting computer systems or producing/using tools designed for cyberattacks (e.g., malware, hacking software).
  • Computer-related forgery and fraud: manipulating data to mislead, cause financial loss, or gain benefit.
  • Phishing: deceiving users to obtain money or sensitive data.
  • Cyberterrorism: attacks on critical systems (e.g. banking, electricity, aviation) with the intent to cause serious harm.
  • Child pornography, pornography distribution, sexual grooming, cybersex with minors: severely penalised with up to 10 years imprisonment or more.
  • Identity crimes, cyberbullying, cyberstalking, and harassment online.
  • Website defacement and dissemination of racist, xenophobic, hate speech or genocide-related material.
  • Spam and denial of service (DoS) attacks/botnets: fines up to five million Emalangeni and imprisonment up to 10 years.
  • Trafficking in humans, endangered species, or illegal goods when facilitated online.
  • Violation of intellectual property rights via digital tools.

Even attempting, abetting, or conspiring to commit these crimes is punishable under the Act.

Procedural powers for investigation

The Act gives law enforcement agencies broad investigative powers, subject to court approval:

  • Search and seizure of data or computer systems, including cross-border access if data is remotely available.
  • Production orders require service providers or individuals to hand over data.
  • Preservation and collection of traffic data, interception of content data.
  • Remote forensic tools (such as spyware/keystroke loggers) can be installed with court authorisation for serious crimes (murder, terrorism, corruption, drug trafficking, etc.).
  • Assistance orders compelling experts or service providers to help police access systems or decrypt data.

Liability of service providers

The Act clarifies responsibilities and protections for internet service providers (ISPs):

  • No general monitoring obligation: ISPs are not required to proactively monitor all traffic.
  • Access, hosting, caching, hyperlink, and search engine providers are exempt from liability if they act in good faith, remove illegal content when ordered, or promptly report illegal activities.

This balances liability while still ensuring cooperation with authorities.

penalties and sanctions

The penalties range widely:

  • Minor offences (e.g., harassment, cyberbullying) → fines of up to E100,000 or 1–2 years imprisonment.
  • Serious offences (e.g., child pornography, denial of service, cyberterrorism) → up to E5 million fines and imprisonment up to 20 years.
  • Genocide- or terrorism-related content → maximum penalty of E5 million and 20 years imprisonment.
  • Corporate liability: directors or managers can be held personally responsible for offences committed by a company.
  • Forfeiture of assets: courts can seize money, property, or technology used in cybercrime.

Governance and institutions

The Act also establishes structures for cybersecurity policy:

  • Eswatini Communications Commission: empowered to regulate and coordinate cybersecurity, enforce standards for critical infrastructure, and issue guidelines.
  • National Cybersecurity Advisory Council: up to 15 members from ICT, law, finance, education, civil society, police, and defence, serving as a multistakeholder advisory body.
  • Ad hoc committees: The Minister may set up specialised groups for specific cyber issues.

Evidence and judicial aspects

  • Electronic evidence is admissible in court if the integrity of the system is proven or if it carries a secure digital signature.
  • Printouts of electronic records can also serve as valid evidence if consistently relied upon.
  • Courts may order compensation to victims in addition to fines or imprisonment.