The National Cybersecurity Strategy of São Tomé and Príncipe (2024-2028)

December 2023

The National Cybersecurity Strategy of São Tomé and Príncipe (2024-2028) is a comprehensive roadmap for enhancing the country’s digital security. It prioritises education, governance, law enforcement, and best practices to create a resilient digital ecosystem. However, its success relies on effective coordination, adequate funding, and strong enforcement mechanisms.

1. Introduction & justification

The strategy aims to ensure the integrity, confidentiality, and availability of national digital infrastructures. São Tomé and Príncipe recognises that cyber threats are increasing, necessitating a proactive approach to protect national interests.

Key guiding principles:

  • Human rights & freedoms – protecting privacy, freedom of expression, and personal data.
  • Transparency & trust – fostering an inclusive digital society.
  • International cooperation – strengthening ties with other nations.
  • Digital education – raising cybersecurity awareness.

The main challenge is that São Tomé and Príncipe lacks resources and cybersecurity experts, making the development of a solid cybersecurity framework essential.


2. Vision, mission & objectives

Vision

To establish São Tomé and Príncipe as a secure, resilient digital nation where information security is a fundamental priority.

Mission

Integrate cybersecurity within national digital development efforts to ensure a safe and reliable cyberspace.

Strategic objectives

  1. Strengthening cybersecurity governance & coordination
    • Establishing a Cybersecurity Committee.
    • Creating a National Cybersecurity Incident Response Center (CERT-STP).
    • Identifying and regulating critical infrastructure.
  2. Promoting cybersecurity awareness & culture
    • Increasing public awareness and digital literacy.
    • Improving trust in online services with secure government platforms.
    • Encouraging reporting mechanisms for cyber threats.
  3. Enhancing cybersecurity capabilities
    • Training IT professionals and general users on cyber hygiene.
    • Developing a national cybersecurity curriculum in schools and universities.
    • Establishing national & international partnerships for cybersecurity training.
  4. Strengthening the legal and regulatory framework
    • Updating laws on cybercrime, data protection, and digital identity.
    • Enhancing the judicial system’s ability to handle cybercrimes.
    • Establishing international cooperation for cyber law enforcement.
  5. Implementing cybersecurity best practices
    • Adopting international security standards for data protection.
    • Ensuring secure software development & hardware procurement.
    • Conducting regular security assessments on critical digital infrastructure.

3. Implementation strategy

3.1 National cybersecurity committee

The Cybersecurity Committee is responsible for:

  • Coordinating national cybersecurity policies.
  • Assessing risks and making recommendations.
  • Ensuring compliance with security regulations.
  • Identifying and protecting critical digital assets.

Key members include:

  • Ministry of Infrastructure, Natural Resources, and Environment
  • Regulatory authorities (AGER, ANPDP, INIC)
  • National Institute of Statistics (INE)
  • Central Bank & Telecom Operators

Each institution will appoint cybersecurity experts to participate in decision-making.

3.2 Financial & resource allocation

  • Public sector funding: Government budget allocations.
  • International cooperation: Seeking financial & technical support from global cybersecurity initiatives.
  • Private sector involvement: Encouraging businesses to invest in cybersecurity training & solutions.

3.3 Monitoring & evaluation

  • Annual assessments to track implementation.
  • Cyber risk reports published periodically.
  • Adjustments based on evolving threats.

4. Action plan

The Action Plan structures initiatives into short-, medium-, and long-term goals.

4.1 Importance of the action plan

  • Defines clear responsibilities for different stakeholders.
  • Ensures alignment with national digital development plans.
  • Establishes success metrics to evaluate progress.

4.2 Key initiatives

  • Creating a Cybersecurity Awareness Program for citizens and businesses.
  • Developing a Cybersecurity Incident Reporting System.
  • Establishing partnerships with international cybersecurity organisations.
  • Training government officials in cyber risk management.
  • Enhancing technical capabilities of law enforcement & judiciary for cybercrime prosecution.

4.3 Continuous monitoring

The plan will be continuously updated based on:

  • Cyber threat landscape changes.
  • New technological advancements.
  • Lessons from past cyber incidents.