top of page
Buscar

Approval of New Regulatory Instruments for Information and Communication Technologies in Mozambique

  • Foto do escritor: JLA advogados
    JLA advogados
  • há 2 dias
  • 6 min de leitura


The Council of Ministers approved three regulatory diplomas structuring the Information and Communication Technologies (ICT) sector, strengthening the legal framework of the national digital infrastructure and establishing new regimes for the control of telecommunications traffic, data centers and cloud computing services.


The following were approved:


  1. Decree No. 48/2025, which approves the Telecommunications Traffic Control Regulation;

  2. Decree No. 71/2025, which approves the Data Centre Regulation;

  3. Decree No. 72/2025, which approves the Cloud Computing Regulation.


The approval of these laws is part of the effort to consolidate digital governance in Mozambique, keeping pace with technological developments, the growth of the digital economy and the need to ensure greater security, transparency and sovereignty over critical communication and data processing infrastructures.


  1. Telecommunications Traffic Control Regulations


These Regulations establish the mechanisms and procedures for monitoring and controlling traffic on telecommunications networks, applying to all licensed operators and providers of telecommunications services to the public. Private networks are excluded, except when interconnected with public networks.


Compared to the previous regime, the new law broadens its scope and strengthens regulatory intervention. In addition to technical and economic aspects, it now expressly covers:


  • Protection of the public interest;

  • Public safety and state security;

  • Protection of users; and

  • Enforcement of regulatory obligations.


1.1. Strengthening the powers of the Regulatory Authority


The Authority now has greater technical autonomy and powers of intervention, including:


  • Control over tariffs and compliance with regulatory obligations;

  • Suspension of services in cases of fraud or risk to state security; and

  • Technological action independent of operators.


Operators, in turn, are obliged to carry out traffic blocking instructions and ensure technical conditions for full compliance with the measures provided for in the Regulation.


1.2. Suspension and blocking of traffic


The Regulation now expressly provides for the suspension and blocking of traffic, defining the respective legal assumptions and guarantees. The measures must comply with:


  • Technical and legal justification;

  • Observance of the principles of legality, proportionality and necessity;

  • Subsequent judicial validation, where applicable;

  • Clear time limits for preventive suspensions.


1.3. Use of data and financial regime


The Regulation establishes that data collected in the context of traffic control shall be used for:


  • Billing of regulatory fees;

  • Quality of service control;

  • Monitoring the use of numbering and infrastructure;

  • Supporting other State entities, always safeguarding confidentiality and protecting personal data.


It also provides for:


  • Mandatory monthly contributions from operators to finance the traffic control system, limited to 1% of gross annual revenue;

  • A penalty system, with heavy fines, increased penalties in the event of repeat offences and the possibility of tax enforcement.


In summary, the new Regulation provides a more comprehensive framework for the control of telecommunications traffic, defining the powers of the Regulatory Authority, the duties of operators, procedures for suspending and blocking traffic, the use of data and the penalty system.


  1. Data Centre Regulation


For the first time, Mozambique now has a specific legal framework for the installation, operation and supervision of data centers. This legislation is a response to the growing importance of digital infrastructure and aims to promote digital transformation, guarantee technological sovereignty and safeguard the security of the state and public and private institutions. Among the main points of the regulation are:


2.1. Mandatory registration and licensing


The Regulation establishes that only duly registered operators may provide data center services in Mozambique, regardless of the physical location of the center in the country. The management or operation of a data center is subject to prior licensing, obtained through a process carried out on the New Technologies Economic Operator Portal. The license is valid for 10 years and is renewable, and failure to comply with the rules may result in its suspension or revocation.


2.2. Classification of Data Centers


Data centers are now classified into four categories according to levels of resilience, redundancy, availability and security:


  • Advanced

  • Standard

  • Limited

  • Basic



2.3. Technical and Security Requirements


The regulation establishes mandatory criteria for the operation and protection of data centers, including:


  • Strategic location and natural risk mitigation;

  • Air conditioning and environmental control requirements;

  • Physical and cyber security measures;

  • Business continuity and disaster recovery plans;

  • Maintenance of technical and contractual files;

  • Mandatory civil liability insurance.


The Regulatory Authority for Information and Communication Technologies is designated as the competent authority for the registration, licensing and supervision of data centers.


2.4. Essential services: more stringent rules


For sectors considered essential, such as Public Administration, Internal Security and State Security, National Defense, Public Water Supply, Education, Postal Services, Energy, Health, Finance, Electronic Communications and Transport, additional requirements apply, namely:


  • Primary data centers must be located in national territory;

  • Minimum category ‘Advanced’ or ‘Standard’;

  • Reporting of relevant incidents within 24 hours;

  • Storage of information classified as state secrets exclusively within national territory.


Companies operating data infrastructures, cloud providers, financial institutions, telecommunications operators and public entities must comply with the provisions of the Regulation within one year of its entry into force.


In summary, the Data Centre Regulation establishes clear and detailed rules aimed at organizing, protecting and supervising critical data storage and processing infrastructure in the country.


  1. Cloud Computing Regulation


This Regulation establishes the regime applicable to cloud computing service providers in Mozambique, recognizing their strategic importance for digital transformation, the promotion of technological innovation and the strengthening of the competitiveness of the private sector. Among the main points are:


3.1. Mandatory registration of service providers


The Regulations stipulate that only duly registered and licensed entities may provide cloud computing services in the country. Registration and licensing is carried out by the Information and Communication Technology Regulatory Authority. The provision of services without registration constitutes an offence subject to penalties.


The license is valid for five years, renewable for equal periods, and depends on the submission of the elements required in the regulation, including the indication of the category of services. Foreign entities providing services in Mozambique must also appoint and register a legal representative established in the national territory.


3.2. Classification by categories


The Regulation introduces a classification of service providers into three categories, depending on the level of sensitivity of the data that may be processed:


  • Advanced Category – allows the processing of information classified as state secret, secret, restricted and confidential;

  • Standard Category – allows the processing of restricted and confidential information;

  • Basic Category – limited to the processing of unclassified data.


It should be noted that data from entities operating in the financial sector may only be processed by Advanced or Standard category providers.


3.3. Technical and security requirements


The Regulation establishes a structured set of technical obligations designed to ensure the integrity, availability and confidentiality of the information processed. The main requirements include:


  • preparation and maintenance of a security plan;

  • implementation of multi-factor authentication mechanisms;

  • encryption of data in transit and at rest;

  • periodic intrusion testing;

  • monitoring and recording of critical events;

  • adoption of backup policies and disaster recovery plans;

  • taking out civil liability insurance.


In the Advanced and Standard categories, the permanent availability of a technical team to respond to incidents is also required.


3.4. Contractual obligations and supervision


Service contracts must be in writing and include at least:


  • a detailed description of the services and service levels;

  • an indication of the location of data processing and storage;

  • incident notification rules;

  • data retention period after termination of the contract;

  • exit and portability strategies.


Supervision is the responsibility of the regulatory authority, and non-compliance may result in:


  • the imposition of fines;

  • suspension or revocation of the license;

  • the application of additional penalties provided for in the regulation.


In summary, the Cloud Computing Regulation introduces a formal regime for the registration, licensing and supervision of service providers, establishing minimum standards for security, technological governance and operational responsibility, with a focus on data protection and the continuity of critical services.


  1. Conclusion


Together, the three pieces of legislation represent a milestone in the consolidation of Mozambique's digital ecosystem. The new regulatory framework strengthens the powers of the regulatory authority, establishes more demanding technical and security standards, and introduces formal registration and licensing regimes for critical infrastructure.


For operators, service providers, and investors, the impact is significant, as it will require a strategic review of compliance models, information security, contractual structure, and the applicable regulatory framework.


For the State and users, the regime offers greater predictability, enhanced digital sovereignty and greater institutional confidence in the ICT sector.


Entities operating in the areas of telecommunications, data centres and cloud computing should assess their level of compliance in a timely manner and plan the necessary adjustments within the established legal deadlines.

                    *


Para mais informações, queira contactar-nos através de maputo@jlaadvogados.com

 
 
 
bottom of page