For years, Somalia’s digital growth has moved faster than its ability to protect it. Mobile money expanded, government services went online, and connectivity spread, even as cyber risks quietly piled up in the background. This week, the country took a decisive step to close that gap.
On Monday, January 26, Somalia’s parliament approved a new cybersecurity law, giving the country its most comprehensive legal framework yet to protect national digital systems. The move comes after a string of cyber incidents, growing dependence on online public services, and rising concern that weak cyber defences could undermine trust in the state’s digital future.
At its core, the law sets out who is responsible for securing Somalia’s cyberspace, how incidents should be reported, and what happens when systems are breached. But beyond the legal language, it signals something bigger: Somalia is beginning to treat cybersecurity as national infrastructure, not a technical afterthought.
From fragmented responses to a national system
Until now, Somalia’s approach to cybersecurity has been scattered. Different agencies handled digital risks in isolation, often reacting only after something went wrong. The new law aims to change that by creating a central governance structure.
Under the legislation, the Ministry of Communications is placed in charge of national cybersecurity policy, while the National Communications Authority (NCA) is given technical oversight. Operators of critical infrastructure – including telecom companies, financial service providers, and government platforms – now face clear obligations to prevent, detect, and report cyber incidents.
Perhaps most importantly, the law establishes new institutions designed for speed and coordination. These include the Somalia Computer Incident Response Team (SOM-CIRT), a nine-member national cybersecurity committee, and an emergency intervention centre tasked with managing major cyber events in real time.
For a country where institutional coordination has often been a challenge, this shift matters. Cyber threats do not respect agency boundaries, and delayed responses can quickly turn small breaches into national crises.
In a statement following the vote, the NCA said the law would help “strengthen digital trust, support the growth of the digital economy, and intensify cooperation between public institutions, the private sector and international partners.” That trust is something Somalia urgently needs as more services move online.
Why the timing matters
The law did not emerge in a vacuum. Over the past two years, Somalia has experienced a steady rise in cyber incidents, even if many were never publicly disclosed.
According to Abdullahi Guled, a consultant to the Ministry of Communications and author of the State of Cybersecurity in Somalia 2024 report, ransomware attacks have targeted public institutions, while phishing campaigns have increasingly focused on the financial sector. These attacks exploit exactly the systems Somalia is trying to modernise.
The risks became impossible to ignore in November 2025, when hackers breached Somalia’s e-visa platform. The attack exposed the personal data of several thousand users, highlighting vulnerabilities in government digital systems that were meant to make travel and administration easier, not riskier.
For citizens and businesses, incidents like these erode confidence. If people do not trust digital platforms to protect their data, adoption slows—and with it, the economic benefits of digitisation.
Catching up with global standards
Internationally, Somalia is still playing catch-up. In the International Telecommunication Union’s Global Cybersecurity Index 2024, the country ranked Tier 4 out of 5, scoring 37.38 out of 100. The ITU describes this tier as showing a “basic commitment to cybersecurity,” but also points to gaps in technical capacity, legal enforcement, and skills development.
The new law is designed to address some of those weaknesses, especially on the legal and institutional side. It also builds on earlier steps. In March 2023, Somalia’s Data Protection Act came into force, leading to the creation of the Data Protection Authority (ADP). In August 2025, the government approved a draft cybercrime bill aimed at criminalising online offences more clearly.
Beyond legislation, Somalia has sought international partnerships to strengthen its defences. In August 2025, it signed a cybersecurity cooperation agreement with Malaysia, which authorities see as a global benchmark in the field. Earlier, in November 2024, Somalia deepened collaboration with the United Nations Office on Drugs and Crime (UNODC) to build capacity against online crime.
These partnerships matter because cybersecurity is as much about people and processes as it is about technology. Laws alone do not stop attacks; trained teams and tested systems do.
The road ahead is harder than the vote
Passing a law is the easy part. Implementing it will be far more challenging.
Somalia still faces shortages of skilled cybersecurity professionals, limited funding for digital infrastructure, and uneven capacity across institutions. Coordination between regulators, operators, and security agencies will need to improve quickly if the new structures are to function as intended.
There is also the question of transparency. While authorities acknowledge that cyber incidents are rising, limited public reporting makes it difficult to assess the true scale of the threat—or measure progress over time.
Still, the direction is clear. As Somalia continues to digitise government services, expand connectivity, and integrate into regional and global digital economies, cybersecurity can no longer be optional.
The new law does not make Somalia cyber-safe overnight. But it does mark a shift in mindset: from reacting to digital threats after damage is done, to treating cybersecurity as a foundation for state stability, economic growth, and public trust.
In a country rebuilding its institutions step by step, that change may prove just as important as any line of code.
