ICTworks

For years, we explored the digital regulatory environment in an African country by:

• Opening fifteen browser tabs, with three of them showing 404 errors,
• Downloaded PDFs from three different ministry websites
• Asked a colleague in Nairobi or Lagos for the law nobody can find online
• Stitched together a picture that’s already out of date by the time the slide deck is due.

The Africa Technology Policy Tracker finally puts national digital economy laws, policies, and regulations in one searchable place. It catalogs documents across four pillars: digital infrastructure, digital platforms, digital skills, and digital innovation.

That’s useful. What’s more useful is what happens when you actually use it.

I pulled the records for three countries that practitioners, donors, and digital health implementers spend a lot of time talking about: Nigeria, Rwanda, and Zambia.

The contrast is sharp. Regulatory volume tells you almost nothing about regulatory quality, and the word “cybersecurity” in an AfTech entry can mean wildly different things depending on who signed the law.

The numbers are deceptive

Here’s what the tracker shows for each country’s total document count across all four pillars:

• Nigeria: 60 documents, including 22 laws, 54 policies, and 30 regulations spread across infrastructure, platforms, skills, and innovation
• Rwanda: 59 documents, weighted heavily toward digital infrastructure (8 laws, 18 policies, 31 regulations) and almost nothing in the law column for the other three pillars
• Zambia: 19 documents, dominated by digital infrastructure (13 laws, 5 policies) with a near-empty digital skills and innovation column

A donor program officer scanning these numbers might conclude that Nigeria is the most “mature,” Rwanda is the most “comprehensive,” and Zambia is the most “underdeveloped.”

That reading is wrong on all three counts.

• Nigeria’s 60 documents reflect a country that has been legislating around ICT since the 2003 Nigerian Communications Act and keeps layering new instruments on top of old ones.
• Rwanda’s 59 reflect a regulator (RURA) that issues granular technical regulations at a steady cadence, which inflates the count without necessarily expanding the substantive policy footprint.
• Zambia’s 19 reflect a country that has done relatively little until recently and is now passing concentrated, high-stakes legislation that will shape civic space for years.

The three countries are doing genuinely different things. The tracker makes that visible if you read past the totals.

Three different regulatory archetypes

The AfTech tracker correctly shows all three countries as having “cybersecurity” laws. It does not, and cannot, tell you that one country’s cybersecurity law is GDPR-adjacent and another’s is a surveillance enabling statute. That distinction has to come from the user.

1. Nigeria is building a digital economy stack.

The tracker shows the breadth: a 2020 National Digital Economy Policy 2020-2030, a 2023 National Data Protection Act, a 2022 Nigeria Start-Up Act, a 2024 National AI Strategy, a 2023 Blockchain Policy, plus the Cybercrimes Act of 2015.

Nigeria is the only one of the three with substantive entries across all four pillars including digital skills (3 laws, 12 policies) and digital innovation (4 laws, 9 policies).

The country’s ICT sector contributed roughly 20 percent of real GDP in 2024 according to the Nigerian Bureau of Statistics, and the policy architecture, however messy, is oriented toward growth.

2. Rwanda is building a state.

Look at what’s missing from Rwanda’s column: zero laws on digital platforms, zero on digital skills, zero on digital innovation. The country has 13 policies on digital skills and 10 on digital innovation, but no statutory backing.

Almost all of Rwanda’s binding instruments sit in the “invisible” sub-pillar of digital infrastructure: cybersecurity, data protection, licensing, spectrum, SIM registration, network security.

This is a regulatory pattern designed for state coordination and control of digital infrastructure, with strategy documents (Smart Rwanda, Vision 2050, the 2022 AI Policy, the 2024 AI Playbook for Small States) pointing aspirationally toward platforms and innovation.

Rwanda’s Irembo e-government platform is genuinely impressive, but the regulatory weight sits with the executive, not with statutory rights for users or firms.

3. Zambia is consolidating executive power.

This is where the tracker gets uncomfortable. Zambia’s digital infrastructure column shows the recently enacted Cyber Crimes Act, 2025 and Cyber Security Act, 2025 sitting alongside the older 2021 Cyber Security and Cybercrime Act they replaced.

On paper, this looks like normal regulatory updating.

In practice, the Collaboration on International ICT Policy for East and Southern Africa and the Global Network Initiative have documented that the new laws place the Zambia Cyber Security Agency under direct presidential control, expand the definition of “law enforcement officer” to include any person the President designates, and authorize ex parte interception orders.

The U.S. Embassy in Lusaka issued a surveillance advisory to American citizens in April 2025, prompting a public rebuttal from Zambia’s Ministry of Foreign Affairs. With general elections due in August 2026, the regulatory architecture matters enormously.

What practitioners should actually do with this

The tracker is a starting point, not an endpoint. Three uses I’d suggest:

1. Stop relying on memory or vendor decks for the regulatory baseline. If you’re designing a system in Lusaka, the AfTech entry showing Zambia’s 2021 Data Protection Act and 2025 Cyber Security Act tells you what statutes you must comply with. Whether those statutes protect your beneficiaries is a separate question, and one the tracker does not pretend to answer.
2. Use the gap analysis as a programming signal. Rwanda’s complete absence of statutory law in digital skills, platforms, and innovation is not a deficit to be filled with another donor-funded “policy support” program. It’s a deliberate choice by a government that prefers strategy documents to binding law. Programs that try to push statutory frameworks into that space without understanding the political economy will fail. This is the same dynamic the ICTworks community has flagged in African data protection enforcement patterns, where the gap between law on the books and enforcement on the ground is the actual story.
3. Pair the tracker with civil society sources before drawing conclusions. AfTech catalogs what governments have enacted. It does not catalog who was excluded from drafting, what civil society submissions were ignored, or which provisions were quietly inserted at third reading. For that, you need organizations like CIPESA, Paradigm Initiative, the Law Association of Zambia, and the digital rights coalitions ICTworks has covered tracking 111 million Africans affected by internet shutdowns in 2024 alone.

A useful tool, with the caveats it deserves

The Carnegie team and the ATU have built something the sector genuinely needed. Before AfTech, comparing digital policy across three African countries took days of desk research; now it takes an hour. That’s a meaningful productivity gain for analysts, donor staff, regulators, and practitioners.

The tracker’s limits are also worth naming.

• It indexes officially adopted documents only, so draft legislation under public consultation, ministerial circulars, and informal guidance do not appear.
• It treats every entry as a discrete policy unit without weighting for substantive importance, so a SIM card registration regulation counts the same as a national AI strategy.
• It does not assess implementation, enforcement, or human rights compatibility, which means three countries with very different governance trajectories can look superficially similar in the document tally.

None of that is a flaw in the tool. It’s a flaw in how we’ll be tempted to use it.

The next time someone shows you a slide claiming Country X has “comprehensive digital regulation” because it scored well on a tracker, ask which laws, who drafted them, and whose rights they actually protect. AfTech gives you the first answer for free. The other two are still your job.