Across Africa, digital rulemaking is entering a more decisive phase where the focus is shifting from passing laws to actually enforcing them, as governments tighten oversight of personal data and begin laying the groundwork for artificial intelligence governance.
A new report by Yellow Card, a stablecoin-based infrastructure provider operating in emerging markets, shows that while the continent has recorded significant gains in building legal frameworks for data protection, the real test is now moving to enforcement capacity, institutional strength and regulatory consistency across jurisdictions.
As of late 2025, 45 African countries had enacted data protection laws, while 39 had established operational data protection authorities. That expansion marks a sharp departure from a decade ago when only a small number of countries had formal legal structures governing personal data.
The rapid spread of these laws reflects how quickly African economies have digitised in recent years, driven by expanding mobile connectivity, the growth of fintech services, rising cross-border data flows and the increasing reliance on digital platforms for commerce, governance and communication.
Yet, the report makes clear that legislative coverage is no longer the central issue. Instead, attention is shifting toward how effectively these frameworks are enforced and whether regulators have the institutional capacity to keep pace with fast-evolving digital risks.
According to Yellow Card, Africa’s regulatory environment is now transitioning “from coverage to depth,” with governments placing greater emphasis on accountability mechanisms, compliance monitoring and risk-based supervision.
This shift is most visible in countries with relatively advanced digital economies, including Nigeria, Kenya, South Africa, Ghana and Rwanda, where regulators are strengthening enforcement actions and tightening scrutiny of high-risk data processing activities.
In Nigeria, for instance, the Nigeria Data Protection Commission (NDPC) recently published a list of more than 1,300 organisations under investigation for alleged breaches of the Nigeria Data Protection Act. The move has been widely interpreted as a signal of more assertive enforcement under the country’s evolving privacy regime.
Similar patterns are emerging elsewhere on the continent, where regulators are beginning to demonstrate greater willingness to impose penalties and set precedents for compliance. In Uganda, a digital lending platform executive was jailed for operating without proper registration and processing personal data without consent, underscoring the personal liability risks now associated with non-compliance.
In Kenya, the Office of the Data Protection Commissioner has issued fines and enforcement notices against organisations found to have unlawfully retained or processed personal information. Tanzania’s High Court has also upheld penalties against companies that used individuals’ images for commercial purposes without consent, reinforcing the judiciary’s role in data protection enforcement.
Taken together, these actions point to a broader shift in regulatory posture across the continent, where data protection is increasingly being treated as a core governance issue rather than a peripheral compliance requirement.
At the same time, the report highlights child-focused privacy as an emerging priority, with regulators paying closer attention to how children’s data is collected, processed and protected in digital environments. This trend, it notes, is expected to become even more pronounced in 2026 as digital services targeting younger users continue to expand.
Despite this momentum, significant disparities remain across African markets. Several countries still operate with nascent or weak enforcement structures, creating uneven compliance environments for businesses operating across multiple jurisdictions and increasing exposure to privacy risks for users.
New developments in 2025 reflect both expansion and consolidation of the regulatory landscape. Djibouti, The Gambia and Algeria all enacted new data protection laws during the year, while Malawi, Togo and the Republic of the Congo moved to operationalise newly established regulatory authorities.
Alongside these changes, regulators in Nigeria, Zimbabwe, Uganda and Tanzania issued updated compliance guidelines aimed at helping organisations better understand their obligations under existing frameworks.
Beyond data protection, attention across the continent is also turning toward artificial intelligence, where policy development is gathering pace even in the absence of comprehensive legislation.
The report shows that 16 out of 54 African countries had adopted national AI strategies or policy frameworks by the end of 2025, signalling early but growing interest in formalising AI governance.
Countries including Mauritius, Egypt, Ghana, Senegal, Rwanda, Zambia, Kenya, Côte d’Ivoire and Nigeria have already released national AI strategies. These frameworks typically prioritise digital infrastructure development, skills acquisition, ethical AI use and the establishment of institutional oversight mechanisms.
In parallel, countries such as Angola, Nigeria, Morocco and Namibia are now considering draft AI legislation, suggesting a gradual shift from soft policy guidance toward legally binding regulatory regimes.
Yellow Card notes that most governments are currently taking an incremental approach, relying on policy frameworks and existing laws to manage emerging risks while building institutional capacity for more comprehensive regulation in the future.
“Governments are using policy frameworks and soft-law instruments to build capacity and attract investment, while relying on existing data protection and cybersecurity laws to manage immediate risks,” the report stated.
In practice, this means that data protection and cybersecurity regulations are currently serving as the primary tools for addressing AI-related risks, particularly in areas such as automated decision-making systems, biometric technologies and large-scale data analytics.
Looking ahead, the regulatory environment is expected to become more demanding as institutions mature and enforcement becomes more coordinated. The report warns that organisations operating across African markets should prepare for higher compliance expectations, more frequent enforcement actions and closer scrutiny of both data governance and AI deployment.
Regulators, it adds, are likely to demand stronger internal controls, documented risk assessments and clearer evidence that businesses are embedding responsible innovation principles into their operations.
Ultimately, the report indicates that Africa’s digital economy is entering a new regulatory phase where trust, compliance and accountability are becoming central to market participation.