What is AI regulation in Eswatini?
AI regulation: countries and regions
Eswatini has no dedicated artificial intelligence law, regulator or bill. AI is governed indirectly, mainly through the Data Protection Act, 2022, enforced by the Eswatini Communications Commission (ESCCOM) acting as the Eswatini Data Protection Authority. A National AI Strategy and a Fourth Industrial Revolution strategy were announced by the Ministry of ICT but have not been published. Eswatini's approach sits within Southern African Development Community and African Union digital policy.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no single statute in Eswatini that names or regulates artificial intelligence. Anyone deploying AI in the kingdom must instead work within general laws that touch on data and computers. The most important is the Data Protection Act, 2022, which controls how personal information is collected and used, including by automated means. The Computer Crime and Cybercrime Act, 2022 sits alongside it.
The country's communications and data regulator, ESCCOM, is also the designated Eswatini Data Protection Authority. It enforces the Data Protection Act, runs a register of data controllers and processors, and handles complaints and breaches.
At policy level, the Ministry of ICT has signalled interest in AI through its Eswatini Digitalisation Strategy 2024 to 2028 (themed "Government in Your Hand"), an inaugural AI Indaba, and an announced but unpublished National AI Strategy. None of these is binding law.
Why it matters
For organisations building or buying AI in Eswatini, the practical point is that compliance hinges on data protection law, not an AI-specific rulebook. If your system processes personal information about people in Eswatini, the Data Protection Act applies regardless of whether you call the system "AI". That brings duties around lawful basis, transparency, security, breach notification and registration with ESCCOM. It also gives individuals a right not to be subject to decisions based solely on automated processing, which is the closest thing in Eswatini law to a direct control on algorithmic decision-making. Getting this wrong carries real penalties: serious offences under the Act can reach a fine of up to 100,000,000 Emalangeni, 5 per cent of annual turnover, and up to 10 years' imprisonment.
How it works
The Data Protection Act, 2022 is the backbone
Eswatini's Data Protection Act was published in the Government Gazette and came into force on 4 March 2022. It provides for the collection, processing, disclosure and protection of personal data, and applies to data controllers and processors who use automated or non-automated means in Eswatini, whether or not they are domiciled there. Exemptions include purely personal or household activity, fully de-identified data, national security and defence, and journalistic, artistic or literary expression. The Act sets out processing principles, lawful bases for processing, security duties, and restrictions on sensitive personal information such as health, biometric and children's data.
ESCCOM as the Eswatini Data Protection Authority
The Act designates the Eswatini Communications Commission, established under the Swaziland Communications Commission Act, 2013, as the Eswatini Data Protection Authority (EDPA). ESCCOM is mandated to regulate how personal information is handled, maintain a register of data controllers and processors, investigate breaches and resolve complaints. It can issue warnings, enforcement notices, suspend processing authorisations and impose administrative fines.
The automated decision-making right
The closest thing Eswatini has to a direct AI control is the data subject's protection against decisions based solely on automated processing that have significant effects. Individuals must be informed of automated profiling and decision-making, and must have a means to challenge an automated decision or ask for human review. This is the practical hook for governing AI-driven scoring, screening or profiling.
Registration, breach notification and penalties
Section 5 of the Act requires the Commission to maintain a register of all data controllers and data processors, and ESCCOM issues a registration certificate to applicants; certified entities already include EswatiniBank, Liberty Life Eswatini and the Eswatini Posts and Telecommunications Corporation (EPTC). Controllers must report personal data breaches to the EDPA within 72 hours of becoming aware. Under Section 6(3)(b), the Commission may impose an administrative fine not exceeding 5,000,000 Emalangeni or 2 per cent of annual turnover for some contraventions, while serious offences carry a fine of up to 100,000,000 Emalangeni, 5 per cent of the data controller's annual turnover, and/or up to 10 years' imprisonment. A transitional period of two years, extendable to three, was provided for existing processing to comply.
Supporting cyber and electronic transactions laws
Eswatini passed a cluster of digital laws in 2022: the Data Protection Act, the Computer Crime and Cybercrime Act, and electronic communications and transactions legislation. The Computer Crime and Cybercrime Act establishes cybersecurity governance structures, including a National Cybersecurity Advisory Council and a national incident response team within ESCCOM. The National Cybersecurity Strategy 2022 to 2027 sets the national framework. None of these addresses AI as such, but they shape the environment in which AI systems operate.
Policy and strategy layer
The Ministry of ICT is implementing the Eswatini Digitalisation Strategy 2024 to 2028 under the "Government in Your Hand" banner. A Digital Readiness Assessment, conducted by the Ministry of Information, Communication, and Technology in collaboration with UNDP and the Eswatini Economic Policy Analysis and Research Centre (ESEPARC), found Eswatini at the "systematic" stage with an overall score of 2.6 out of 5, and reported that digital public infrastructure, connectivity, and regulation lag behind other pillars. The Ministry announced plans to develop a National AI Strategy and a Fourth Industrial Revolution strategy, but neither has been published as binding policy.
Regional and continental context
Eswatini's data law tracks the SADC Model Law on Data Protection, developed under the ITU-EU HIPSSA project, which influenced data protection regimes across Southern Africa. At the continental level, the African Union adopted its Continental Artificial Intelligence Strategy in July 2024, which calls on member states to develop national AI strategies and treats data protection and governance laws as the backbone of AI regulation. Eswatini signed the AU Convention on Cyber Security and Personal Data Protection (the Malabo Convention) on 2 April 2019 but has not ratified it.
Examples
1. A fintech lender in Mbabane deploys an automated credit-scoring model. Because the model makes a decision based solely on automated processing with a significant effect on the applicant, the lender must inform applicants, allow them to challenge the decision and request human review, and must process the underlying personal data lawfully under the Data Protection Act. The lender must also register with ESCCOM as a data controller.
2. A health provider pilots an AI diagnostic tool that processes patient health data. Health data is sensitive personal information under the Act, so processing is restricted and generally requires a specific lawful basis or authorisation. The provider must apply security measures and report any breach to the Eswatini Data Protection Authority within 72 hours.
3. A government service under the "Government in Your Hand" programme adds AI-assisted features. The deploying ministry operates within the Digitalisation Strategy and the data protection regime; there is no separate AI law to clear, but personal data duties, cybersecurity obligations and the automated-decision right still apply.
Common misunderstandings
1. "Eswatini has an AI Act." It does not. There is no dedicated AI statute, bill or regulator. AI is governed indirectly through data protection and cyber laws.
2. "The National AI Strategy is in force." It was announced by the Ministry of ICT but has not been published or adopted as binding policy.
3. "If it is AI, data protection law does not reach it." The Data Protection Act applies to automated processing of personal information regardless of the label, so most AI touching personal data is already in scope.
4. "Eswatini ratified the Malabo Convention." Eswatini signed the Convention in 2019 but has not ratified it; its binding domestic rules come from its own 2022 Act.
5. "There is no control on automated decisions." The Act gives individuals protection against decisions based solely on automated processing and a right to challenge them.
Risks and boundaries
This article describes general legal architecture, not legal advice. The central limit is that Eswatini has no AI-specific law, so there is no risk-tiering, conformity assessment or AI registration regime of the kind seen in some other jurisdictions. Governance of AI rests on data protection, cybercrime and sector rules. Legal status is partly uncertain and could change: the National AI Strategy and Fourth Industrial Revolution strategy are announced but unpublished, and the Ministry of ICT has signalled future legislation for emerging technologies including AI. Penalty figures and procedural details should be confirmed against the gazetted Act before relying on them. Enforcement capacity is still developing, and the Digital Readiness Assessment noted that regulation lags other digital pillars.
What to do next
Treat the Data Protection Act, 2022 as your primary compliance anchor for any AI that touches personal data. Register with ESCCOM as a controller or processor where required, map your data flows, and document a lawful basis. Build in transparency and a human-review route wherever you use automated decisions or profiling. Stand up breach detection and a 72-hour notification process. For sensitive data such as health or children's data, secure a specific lawful basis. Watch for publication of the National AI Strategy and any emerging-technology legislation, and align early with the AU Continental AI Strategy direction since national rules are expected to build on data protection foundations.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Eswatini have a dedicated AI law?
No. There is no AI-specific statute, bill or regulator. AI is governed indirectly, mainly through the Data Protection Act, 2022 and supporting cyber laws.
Who regulates data and AI-related processing in Eswatini?
The Eswatini Communications Commission (ESCCOM), which also acts as the Eswatini Data Protection Authority, enforces the Data Protection Act and handles registration, complaints and breaches.
When did the Data Protection Act take effect?
It was published in the Government Gazette and came into force on 4 March 2022.
Is there any rule on automated decisions?
Yes. Individuals are protected against decisions based solely on automated processing with significant effects, must be informed, and can challenge them or seek human review.
Has Eswatini published a National AI Strategy?
No. The Ministry of ICT announced plans for a National AI Strategy and a Fourth Industrial Revolution strategy, but neither has been published as binding policy.
Did Eswatini ratify the Malabo Convention?
Eswatini signed the AU Convention on Cyber Security and Personal Data Protection on 2 April 2019 but has not ratified it. Its binding rules come from its own 2022 Act.
What penalties apply under the data law?
The Commission may fine up to 5,000,000 Emalangeni or 2 per cent of annual turnover for some contraventions, while serious offences carry up to 100,000,000 Emalangeni, 5 per cent of turnover, and/or 10 years' imprisonment.
How does the African Union strategy affect Eswatini?
The AU Continental AI Strategy, adopted in July 2024, asks member states to build national AI strategies on data protection foundations, signalling the likely direction for Eswatini.