8. Process for developing legislation and regulation part 1 (strategy to policy)

Having identified legislation and regulation as some of the levers a government may deploy to implement a national strategy, it is necessary to discuss the process of converting strategic objectives into legislation. The process for developing legislation and regulation varies considerably between countries. This section outlines a generic approach that can be applied in most of them.

As mentioned earlier in the text, the NCSS is a document containing the vision, high-level objectives, principles and priorities that will guide the country in addressing cybersecurity. In most instances, the issues that require a legislative lever have already been identified in the NCSS. The strategy development process should therefore have produced a prioritised list of cybersecurity issues that need to be addressed by the government.

Based on these priority areas and objectives, standard practice is to break them down into policy directions that will form the basis of legislation or regulation. This can be done either during the strategy development process or during the years between strategy drafting and implementation. Some countries appoint a cybersecurity policy group, consisting of experts from within (and sometimes outside) the government, to advise on what the policy areas should be and what the policies should contain. In Ghana, this was the National Cyber Security Working Group; in Nigeria, it was the Nigerian Cybercrime Working Group.

Possible policy areas include cybercrime prohibition, data protection, cybersecurity in key sectors (e.g. energy, finance, e-government, health), technology assurance, education, workforce and awareness. The ‘Double Decision Diamond’ described in National Cybersecurity Strategies: Lessons Learned and Reflections from The Americas and Other Regions is a tool that can help move from strategic objectives to policy initiatives (and thereby to policy areas). Typical cybersecurity issues that need to be addressed include cybercrime; personal data protection; protection of critical networks; sector-specific regulation (for example, finance, energy and health); product-specific regulation (for example, devices, aeroplanes and cars); electronic transactions and digital signatures; and cybersecurity standards and the certification of companies and organisations, among others.

Once a key policy area has been identified, a government will typically decide to develop a corresponding policy. It is in this policy that the government decides which levers to use to implement it and whether legislation or regulation should be among them. Policy development typically begins with ministerial direction, which sets the framework and timeline, followed by consultation, which can be informal or formal.

Informal consultation can occur before ‘pen is put to paper’. A good time to begin informal consultation is while the NCSS is being produced, but consultation should not be put off simply because no strategy is being drafted. Informal consultation helps officials produce a framework of ideas on the problem and candidate policy solutions that can be discussed with ministers and then put into a formal consultation process.

Formal consultation will typically involve publishing documents on which stakeholders can provide feedback. In South Africa, for example, policy development follows a common approach to consultation, using two rounds of documents known as papers. The first round is based on a discussion document called a Green Paper. The Green Paper sets out the government's position on a particular issue and is published with a request for public comment. The Green Paper is sometimes followed by a more refined document called a White Paper. The White Paper is a broad government policy statement and may invite further public comment on the issue. The relevant parliamentary committees may propose amendments or other changes and then send the policy paper back to the Ministry for further discussion and final decisions.

The consultation process will break stakeholders into groups based on their characteristics or level of interest and engage with each group differently. One of the most important groups will be the technical experts with deep subject knowledge and policy experience. Some of these experts may already be within the government, but they often work outside it in universities, companies or civil society organisations. Advice on consulting and working with stakeholders in cybersecurity can be found in ‘A Short Guide to Stakeholder Engagement on National Cybersecurity Strategy Development’ (Weisser Harris et al. 2022).

Figure 6. Various ways of consulting and engaging stakeholders.

A Minister or the Cabinet will approve a final policy position at the end of the policy development process. It is good practice to publish this, as South Africa does with its White Papers (referenced above). In Nigeria, such policies are approved by the Federal Executive Council, a council of all Ministers of the Federal Government chaired by the President.

Many policies require legislation or formal regulation to support or drive their implementation. Sometimes the nature of a policy issue determines which lever to apply. For example, legislation is the more suitable lever for cybercrime, where the aim is to prohibit certain activities and treat them as crimes, as distinct from policies that aim to regulate specific sectors or cybersecurity-related activities such as data handling and digital security measures.

A policy to tackle cybercrime will always require primary legislation to define rights and responsibilities in civil law, and crimes and punishments in criminal law (substantive law). It will also require primary legislation to define how cybercrimes are processed through the judicial system (procedural law). More information on this is contained in the Cybercrime Knowledge Module.

In contrast, policies that seek to regulate a sector or a type of cybersecurity-related activity, such as data handling, will require regulation, which may or may not require new primary legislation. Note that legislation and regulation are often related. There are three main ways in which regulation can relate to primary legislation:

  1. The regulation is established directly by primary legislation. Example: South Africa’s Protection of Personal Information Act (POPIA) No. 4 of 2013.
  2. The regulation is issued by a ministry, agency or organisation that already has the authority to do so, so no new primary legislation is needed. Example: the Nigerian Data Protection Regulation, 2019 (‘NDPR’), issued by the National Information Technology Development Agency (‘NITDA’).
  3. Primary legislation is needed to give an existing body a new authority to issue regulations, or to create a new body with this authority. Example: Kenya’s Data Protection Act (DPA) 2019 established the Office of the Data Protection Commissioner (ODPC), which, together with a regulatory task force, was mandated to make regulations under the DPA and subsequently did so in the Data Protection Regulations 2021.

The process for developing cybercrime legislation is described in the Cybercrime Knowledge Module. The process for developing regulation is described in the next section.
