Insights & guidance

Cybersecurity & compliance articles.

Practical guidance on regulations, frameworks, and best practices relevant to South African businesses.

Shadow AI in South African Organisations: The Audit-First Answer

Most South African organisations have no inventory of which AI tools their employees use, what personal information flows to them, or what the vendor terms grant. POPIA does not let you say 'we did not know.' The honest answer starts with discovery.


POPIA Section 71 and Automated Decision-Making: What Counts, What's Required

Section 71 of POPIA is the section that catches AI workflows. It governs decisions made 'solely on the basis of the automated processing of personal information' — and it gives the data subject the right to refuse them. Information Officers in 2026 cannot afford to misread it.


The FSCA and SARB Prudential Authority Position on AI in Financial Services

The FSCA and Prudential Authority published their joint position on AI in financial services in November 2025. The signal is principles-based, technology-neutral, and harder to defend against than an EU-style horizontal Act. Here is what South African financial organisations should expect supervisory dialogue to look like in 2026.


AI-Augmented Attacks in South Africa: Deepfakes, BEC and Ransomware in 2026

South Africa is the most targeted country in Africa for cyber attacks. In 2026 the attacks are no longer foreign-flavoured templates — they speak SARS, eFiling, and load-shedding. Mid-market organisations need to update their controls or accept the new loss rate.


SAHPRA's AI/ML SaMD Framework: What South African Healthcare Organisations Must Know

SAHPRA published one of the more advanced sector AI documents in South Africa in September 2025 — an AI/ML Software-as-a-Medical-Device framework. For healthcare organisations deploying or developing AI-driven clinical decision-support, SaMD classification is no longer optional.


POPIA Compliance in 2026: What South African Businesses Must Have in Place

The Information Regulator has ramped up enforcement since 2023. South African businesses handling personal information need documented controls, a designated Information Officer, and a tested breach response process — here's the full picture.


CIPC Registration and Cybersecurity: What Companies Must Know

The Companies and Intellectual Property Commission holds sensitive company records for millions of South African entities. Recent CIPC breaches have raised the bar for what regulators expect from registered companies around data and system security.
