Status regarding Budapest ConventionStatus : NA See legal profile
Rwanda has not yet published a national cybercrime strategy.
However, a cyber security policy was established in 2015. In the policy, it is stated that the Government of Rwanda (GoR) has invested significantly in Information and Communications Technology (ICT) infrastructure and applications, as a cornerstone for National economic growth. ICT is recognized as a key enabler for economic growth and social mobility and is expected to improve Rwandans’ standard of living as part of the Integrated ICT-led Socio-Economic Development Policy and Plan.
Law 27/2016 establishes a National Cyber Security Authority, responsible for:
- Advising the President and other public and private institutions on strategies to defend the country's interests in cyberspace;
- Conducting cyber intelligence on any national security threat in cyberspace and provide information from such intelligence to the relevant organs;
- Establishing guidelines on the basis of national, regional and international ICT security principles;
- Coordinating and implementing the national ICT security policy and strategy;
- Developing strategies to secure all electronic operations;
- Monitoring all national ICT security programs;
- Preventing cyber-attacks in order to protect ICT infrastructure in general and critical information infrastructure in particular;
- Establishing and promoting national cyber security education programs, foster research and develop industry in the ICT field;
- Creating awareness about cyber security;
- Collaborating with other public and private institutions and other information technology-related bodies to ensure national ICT security;
- Cooperating and collaborating with other regional and international organs in charge of cyber security;
- Providing national defence and security organs with the necessary support to attain their responsibilities in relation to cyberspace;
- Performing other duties as may be assigned by the President.
State of cybercrime legislation
The Law on Prevention and Punishment of Cyber Crimes of 2018 addresses all of the offences listed in the Budapest Convention in terms of substantive law.
The same Law partially addresses procedural powers corresponding to the Budapest Convention, with more details and regulations required as to search and seizure, monitoring and interception.
The Law on Prevention and Punishment of Cyber Crimes has the following provisions:
Chapter IV: Offences And Penalties – Section One: Offences against the confidentiality, integrity and availability of data and computer or computer system
Article 16: Unauthorized access to a computer or a computer system data
Article 17: Access to data with intent to commit an offence
Article 18: Unauthorized modification of computer or computer system data
Article 19: Interception of computer or computer system
Article 20: Damaging or denying access to a computer or computer system
Article 21: Unauthorized disclosure of access code
Article 22: Continuous fraudulent use of an automated or non-automated data processing system of another person
Article 23: Preventing or misguiding the running automated or non-automated data processing system
Article 24: Access to a computer or computer system data
Article 25: Unlawful manufacturing, selling, buying, use, import, distribution or possession of a computer or computer system or computer or computer system data
Article 26: Unauthorized reception or giving of access to a computer or computer system program or data
Article 27: Cyber-squatting
Article 28: Unlawful acts in respect of malware
Section 2: Offences related to digital signature and certification
Article 29: Misrepresentation and suppression
Article 30: False digital signature certificate
Article 31: Fraudulent use of digital signature
Section 3: Computer-related offences
Article 32: Computer-or computer system-related forgery
Article 33: Changing computer or computer system equipment identity
Section 4: Offences related to the content of computer and computer system
Article 34: Publication of pornographic images through a computer or a computer system
Article 35: Cyber-stalking
Article 36: Phishing
Article 37: Spamming
Article 38: Publishing indecent information in electronic form
Article 39: Publication of rumours
Article 40: Impersonation
Section 5: Offences related to terrorism, trafficking in persons or narcotics committed using a computer or a computer system
Article 41: Creation or publication of a site for terrorist groups
Article 42: Creation or publication of a site for the purpose of trafficking in persons
Article 43: Creation or publication of a site for the purpose of trafficking or distributing drugs or narcotics
Section 6: Cyber offences committed by service providers
Article 44: Disclosure of data made available to third party
Article 45: Provision of access to a computer or computer system or cause them to send or use electronic content on another person’s computer or computer system
Article 46: Refusal to remove or disable access to illegal information stored
Article 47: Non reporting of cyber threats incident
Article 48: Offences related to stored information
Article 49: Illegal search results
Article 50: Failure to take action on take-down notification
Section 7: Common provisions to all offences
Article 51: Penalties imposed on a business entity having committed an offence
Chapter V: Miscellaneous And Final Provisions
Article 53: Regulations on cyber security
In the Law on Prevention and Punishment of Cyber Crimes, the following provisions regarding procedural powers are included:
In Chapter III: Investigation Of Cybercrimes – Article 8: Obligation to collaborate with organs in charge of investigations, Article 9: Search and seizure, Article 10: Accessing or retrieving a copy of computer or a computer system data on the system after seizure, Article 11:Disclosure of data, Article 12: Preservation of computer or computer system, Article 13: Disclosure and collection of electronic traffic data, Article 14: Court order, Article 15: Authorization to use a forensic method.
Related laws and regulations
Law 27/2017 on establishing a National CyberSecurity Authority.
Law N. 24/2016 governing Information and Communication Technologies – Establishes a framework for ICT policy and regulation, with emphasis including on: promoting national ICT policy objectives; establishing a licensing and regulatory framework in support of national policy objectives for the ICT industry; establishing and strengthening the relevant institutions;
Comprises a section on Matters of national interest and data security (Section 7), including provisions on interception and monitoring of information, privacy and data protection, powers of the Minister on issues of national sovereignty, disaster management plans.
Rwanda has established a CSIRT in 2014. Its roles are:
- Serving as national point of contact for computer security incidents coordination and response;
- Providing accurate and timely information on current and emerging cyber security threats and vulnerabilities;
- Building cyber security capacities to handle cyber security incidents and threats;
- Promoting information security awareness;
- Promoting research and development in the cyber security field;
- Promoting regional and international cooperation.
In the National Police, there is a department specialized in Information Technology and Cyber Security.
The Judiciary system of Rwanda has a dedicated web page, where there is also an archive of court decisions: https://www.judiciary.gov.rw/index.php?id=293&no_cache=1
Sources and links
Rwanda National Police - https://www.police.gov.rw/home/
Judiciary - https://www.judiciary.gov.rw/index.php?id=2
Rwanda Information Society Authority - https://www.risa.rw/home/#aboutrisa
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.
Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?
Share this information with us helping to keep this platform up to date.
- Cybercrime website
- Template: Mutual Legal Assistance Request for subscriber information (Art. 31 Budapest Convention). English and bilingual versions available.
- Template: Data Preservation Request (Articles 29 and 30 Budapest Convention). English and bilingual versions available.