Angola: Cybersecurity Bill Raising Compliance Risk for Critical Infrastructure

What happened: The National Assembly advanced draft cybersecurity legislation that would establish a national system to supervise and enforce cybersecurity across the public and private sectors.

Why it matters: Energy investors should be concerned about regulatory access to systems and data, compliance costs and enforcement discretion for strategically important assets.

What happens next: The bill could be passed before the 2027 general elections, with implications for compliance risk.

On 23 January, the National Assembly approved a draft cybersecurity bill that would formalize a national cybersecurity system under state oversight.

The bill provides a legal framework for cybersecurity, including protections for citizens, networks, information systems and critical infrastructure. It also establishes specialized bodies such as a National Cybersecurity Center (CNC) and a National Cybersecurity Council, which would coordinate policy, supervise compliance and exercise inspection and sanctioning powers.

Energy Implications

For energy investors, the key concern is how the bill would apply to assets deemed strategically important, including generation, transmission, fuel logistics and oil and gas infrastructure. The focus on “national sovereignty” in the proposed legislation underscores the likelihood of heightened oversight of such assets.

The legislation points toward a more formal, mandatory cybersecurity compliance regime that would raise operating costs for energy operators through audit requirements, incident reporting, and other measures. These pressures may be particularly acute for joint ventures and projects involving multiple international contractors and service providers, where compliance responsibility could become fragmented.

Another more sensitive issue for investors is the potential for state-mandated access to systems or data under the banner of cybersecurity oversight. Depending on how secondary regulations are drafted, this could undermine intellectual property protection, cross-border data flows and data confidentiality.

What’s more, the concentration of functions within a single institution — the proposed CNC — limits institutional separation between rule-setting and enforcement. This raises questions around effective recourse, as inspection findings and penalties would be determined by the same authority that also defines compliance standards. In practice, this increases exposure to discretionary enforcement and limits predictability during disputes.

Politics at Play

The ruling Popular Movement for the Liberation of Angola (MPLA) and two smaller parties backed the bill at first reading, despite concerns from the main opposition, the National Union for the Total Independence of Angola (UNITA), over vague definitions and enforcement safeguards.

Minister of Telecommunications, Information Technologies and Social Communication Mario Oliveira (see Featured Personality) justified the legislation by pointing to Angola’s weak cybersecurity framework and limited response capacity. He referenced the country’s low ranking on international cybersecurity: Angola is fourth from the bottom in the UN’s 2024 Global Cybersecurity Index.

UNITA and civil society groups, meanwhile, have warned that vague definitions and broad enforcement powers could enable selective or politicized application of the law. While their focus is on civil liberties, for investors, this concern highlights the very real risk that political or institutional considerations could shape enforcement rather than purely technical ones. Angola’s historically opaque regulatory environment and the CNC’s overlapping mandate underline this risk.

Limited institutional capacity will also further constrain consistent implementation. The government has already acknowledged limited cybersecurity capability, signaling that enforcement will probably be marked by uncertainty, especially when it is first operationalized, regardless of what is set down on paper.

Next Steps

The legislation will now move to further parliamentary scrutiny and amendment before a final vote, and while no date has been set for further review, we consider its passage likely before the 2027 general elections. The MPLA will be eager to enact the bill before it risks losing its parliamentary majority.

The bill also aligns with a broader legislative push to expand state oversight of the digital environment, following other recent efforts to regulate online content and information flows. Critically, this signals political commitment to stronger digital regulation and reduces the likelihood that the cybersecurity bill will stall or be diluted ahead of the 2027 elections.