According to Article 16:
Any person who unlawfully makes available, broadcasts or distributes, by means
of a computer system, a data message to a specific person, group of persons or the 5 general public with the intention to incite—
-
(a) the causing of any damage to any property belonging to; or
-
(b) violence against,
a person or a group of persons, is guilty of an offence.
According to Article 17:
ny person who unlawfully and intentionally makes available, broadcasts or distributes, by means of a computer system, a data message which is harmful, is guilty of an offence.
(2) For purposes of subsection (1), a data message is harmful when—
-
(a) it threatens a person with— 15
-
(i) damage to any property belonging to, or violence against, that person; or
-
(ii) damage to any property belonging to, or violence against, any member of the family or household of the person or any other person in a close
relationship with the person;
-
-
(b) it threatens a group of persons with damage to any property belonging to, or 20
violence against, the group of persons or any identified person forming part of
the group of persons or who is associated with the group of persons;
-
(c) it intimidates, encourages or harasses a person to harm himself or herself or
any other person; or
-
(d) it is inherently false in nature and it is aimed at causing mental, psychological, 25
physical or economic harm to a specific person or a group of persons,
and a reasonable person in possession of the same information and with regard to all the circumstances would regard the data message as harmful.
According to Article 18:
(1) Any person who unlawfully and intentionally makes available, broadcasts or 30 distributes, by means of a computer system, a data message of an intimate image of an identifiable person knowing that the person depicted in the image did not give his or her consent to the making available, broadcasting or distribution of the data message, is guilty of an offence.
(2) For purposes of subsection (1), ‘‘intimate image’’ means a visual depiction of a 35 person made by any means—
-
(a) under circumstances that give rise to a reasonable expectation of privacy; and
-
(b) in which the person is nude, is exposing his or her genital organs or anal region
or, in the case of a female, her breasts.
According to Article 55:
55. (1) (a) The Cabinet member responsible for telecommunications and postal services must, by notice in the Gazette, after following a consultation process with the 20 persons or entities in a sector, declare different sectors which provide an electronic communications service for which a nodal point must be established.
(b) The declaration of different sectors referred to in paragraph (a) must be done in consultation with the Cabinet member responsible for the administration of that sector.
(2) Each sector must, within six months from the date of the publication of a notice 25 referred to in subsection (1)(a), identify and establish a nodal point, which will be responsible for—
-
(a) distributing information regarding cyber incidents to other entities within the sector;
-
(b) receiving and distributing information about cybersecurity incidents to the 30 nodal points established for other sectors or any computer security incident response team recognised in terms of subsection (6);
-
(c) reporting cybersecurity incidents to the Cybersecurity Hub contemplated in section 54(4); and
-
(d) receiving information about cybersecurity incidents from the Cybersecurity 35 Hub.
(3) If a sector fails to identify or establish a nodal point contemplated in subsection
(2), the Cabinet member responsible for telecommunications and postal services may, after consultation with the sector, identify and establish a nodal point for that sector on such terms and conditions as he or she deems fit in order to give effect to the objects of 40 this section.
According to Article 57:
(1) The State Security Agency—
(a) in consultation with the Cyber Response Committee; and 20 (b) after consultation with the owner or the person in control of any information infrastructure which is identified as a potential critical information infrastructure,
must within 12 months of the fixed date, submit to the Cabinet member responsible for State security, information and recommendations regarding information infrastructures 25 which need to be declared as critical information infrastructures.
(2) The Cabinet member responsible for State security may, subject to subsection (3), after considering any information and recommendations made to him or her in terms of subsection (1), by notice in the Gazette, declare any information infrastructure, or category or class of information infrastructures or any part thereof, as critical 30 information infrastructures if such information infrastructure or information infrastruc- tures are of such a strategic nature that any interference with them or their loss, damage, disruption or immobilisation may—
-
(a) substantially prejudice the security, defence, law enforcement or international relations of the Republic; 35
-
(b) substantially prejudice the health or safety of the public;
-
(c) cause a major interference with or disruption of an essential service;
-
(d) cause any major economic loss;
-
(e) cause destabilisation of the economy of the Republic; or
-
(f) create a major public emergency situation.
[...] (4) The Cabinet member responsible for State security must, within six months of the 55 declaration of any information infrastructure, or category or class of information infrastructure or any part thereof, as a critical information infrastructure, in consultation with the relevant Cabinet members, issue directives to the critical information infrastructure in order to regulate minimum standards relating to—
-
(a) the classification of data held by the critical information infrastructure; 60
-
(b) the protection of, the storing of and archiving of data held by the critical information infrastructure;
(c) cybersecurity incident management by the critical information infrastructure;
-
(d) disaster contingency and recovery measures which must be put in place by the
critical information infrastructure;
-
(e) minimum physical and technical security measures that must be implemented
in order to protect the critical information infrastructure; 5
-
(f) the period within which the owner, or person in control of a critical
information infrastructure must comply with the directives; and
-
(g) any other relevant matter which is necessary or expedient in order to promote
cybersecurity in respect of the critical information infrastructure.
[...] (6) Any information infrastructure declared a critical information infrastructure must, within the period stipulated in the directives, comply with the directives issued in terms of subsection (4).
[...] (8) The owner or person in control of a critical information infrastructure must, in consultation with the Cabinet member responsible for State security, at own cost, take 20 steps to the satisfaction of the Cabinet member for purposes of complying with the directives contemplated in subsection (4).
(9) If the owner or person in control of a critical information infrastructure fails to take the steps referred to in subsection (8), the Cabinet member responsible for State security may, by written notice, order him or her to take such steps in respect of the 25 critical information infrastructure specified in the notice, within the period specified in
the notice.
(10) An owner or person in control of the critical information infrastructure who without reasonable cause refuses or fails to take the steps specified in the notice within
the period specified therein, is guilty of an offence and is liable on conviction to a fine 30 or to imprisonment for a period not exceeding two years or to both a fine and such imprisonment.
(11) If the owner or person in control of the critical information infrastructure fails or refuses to take the steps specified in the notice within the period specified therein, the Cabinet member responsible for State security may take or cause to be taken those steps 35 which the owner or person failed or refused to take, irrespective of whether the owner
or person has been charged or convicted in connection with that failure or refusal, and
the Cabinet member may recover the costs of those steps from the owner or person on whose behalf they were taken.