What is AI regulation in Zambia?
AI regulation: countries and regions
Zambia has no dedicated AI statute. AI is governed by a non-binding National Artificial Intelligence Strategy launched in November 2024 and by existing law: the Data Protection Act No. 3 of 2021, the Cyber Security Act and Cyber Crimes Act of 2025, electronic transactions law and sector regulation. The Ministry of Technology and Science leads policy, with ZICTA and the Data Protection Commission as regulators. Zambia aligns with the African Union Continental AI Strategy.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
AI regulation in Zambia is best described as a policy-led, soft-law model resting on existing technology and data laws, rather than a single binding AI Act. As of mid-2026 Zambia has no AI-specific statute. What exists is a national strategy that sets direction and proposes institutions, plus a set of general laws that already bite on AI systems because of what they do with data, communications and security.
The central policy instrument is the National Artificial Intelligence Strategy, launched by the Ministry of Technology and Science in November 2024. It is a roadmap, not a law: it creates no binding obligations and instead calls for a future National AI Policy, a National AI Council and sectoral Technical Working Groups, and it proposes extending the existing telecoms regulator's mandate to cover AI.
In the meantime, anyone building or deploying AI in Zambia is governed by laws of general application. The most important is the Data Protection Act No. 3 of 2021, which regulates automated processing, profiling and cross-border data transfers, and which is now actively enforced. Cybercrime, electronic transactions and sector-specific rules fill in the rest.
Why it matters
For organisations, the practical point is that "no AI law" does not mean "no rules." If your AI system processes personal data about people in Zambia, you fall under the Data Protection Act, which requires registration with the Office of the Data Protection Commissioner, data protection impact assessments for high-risk and profiling activities, and data localisation for sensitive personal data. Missing the registration deadline is a criminal offence.
The stakes are sharpened by data localisation and security duties. Sensitive personal data must be stored and processed inside Zambia, and operators of critical information infrastructure face registration and local-storage duties under the 2025 cyber laws. For cloud-first AI deployments this raises real architecture questions. Because the framework is still forming, the duties that matter today flow from data protection, cybercrime and sector law, and they apply now regardless of the strategy's aspirations. Leaders who wait for an AI Act will misjudge their current exposure.
How it works
The current model: policy first, statute later
Zambia's approach is a development-focused, strategy-led model that leans on existing horizontal laws rather than a bespoke AI statute. This is closer to a soft-law and sectoral approach than to a single risk-based AI Act. The National Artificial Intelligence Strategy sets ambitions across sectors such as agriculture, healthcare, mining, education and public services, and it openly acknowledges that there is currently no centralised authority or regulatory body dedicated to overseeing AI in Zambia. Its own implementation plan proposes that a National AI Policy be drafted and enacted, and that the telecoms regulator's mandate be extended to AI.
The National Artificial Intelligence Strategy
The strategy was launched by the Ministry of Technology and Science in November 2024. It is a non-binding policy document, structured around pillars covering policy and regulation, human capital, infrastructure and data ecosystems, research and innovation, sectoral adoption, and international collaboration. It was developed with technical assistance from the Tony Blair Institute and contributions from the Government of Finland and USAID Open Spaces. There is a date inconsistency in the official record: the document carries both "2024-2026" (on its cover and foreword) and "2025-2027" (in its running page headers), so cite it by title rather than by a single date range.
The strategy proposes governance institutions rather than creating them in law: a National AI Council as a central advisory body, and sectoral Technical Working Groups. It also envisages the Smart Zambia Institute coordinating AI adoption inside government, and an Emerging Technologies Centre of Excellence for research. None of these bodies has statutory force from the strategy itself.
Data protection law: the workhorse for AI
The Data Protection Act No. 3 of 2021 is the single most relevant binding instrument for AI today. It applies to processing performed wholly or partly by automated means. It gives data subjects rights to be informed about the logic of automated processing, requires data protection impact assessments where profiling or new technologies pose high risks, and requires controllers and processors to register with the Data Protection Commissioner. The Act reinforces the right to privacy in Article 17 of the Constitution.
The Office of the Data Protection Commissioner became fully operational in 2025, with a registration deadline of 30 April 2025 and enforcement beginning that year. Sensitive personal data must be processed and stored within Zambia, and other personal data is subject to localisation unless cross-border transfer conditions are met. For AI builders, this means training data, model inputs and profiling outputs that involve personal data sit squarely inside the Act.
Cybercrime, cybersecurity and electronic transactions law
On 8 April 2025 President Hakainde Hichilema enacted two new statutes, the Cyber Security Act No. 3 of 2025 and the Cyber Crimes Act No. 4 of 2025, which repealed and replaced the 2021 Cyber Security and Cyber Crimes Act. The Cyber Security Act establishes a Zambia Cyber Security Agency and a framework for designating and protecting critical information infrastructure, including local storage and incident-notification duties. The Cyber Crimes Act sets out offences including unauthorised access, identity-related fraud and non-consensual sharing of intimate images, with relevance to AI-enabled harms such as synthetic media. The Electronic Communications and Transactions Act No. 4 of 2021 governs electronic signatures, data messages and automated transactions, giving legal recognition to automated systems.
Responsible institutions
The Ministry of Technology and Science owns AI policy. ZICTA, the Zambia Information and Communications Technology Authority, is the ICT regulator under the Information and Communication Technologies Act No. 15 of 2009 and is the body the strategy proposes to extend into AI oversight. The Office of the Data Protection Commissioner enforces the Data Protection Act. The Zambia Cyber Security Agency handles cybersecurity. The Smart Zambia Institute, in the Office of the President, coordinates e-government. Sector regulators such as the Bank of Zambia and the Securities and Exchange Commission run fintech regulatory sandboxes that capture AI-driven financial products.
Regional and continental alignment
Zambia's strategy is explicitly aligned with the African Union Continental Artificial Intelligence Strategy, adopted by the AU Executive Council at its 45th Ordinary Session in Accra, Ghana, on 18 to 19 July 2024, which is a non-binding guiding framework promoting an Africa-centric, development-focused approach. Zambia ratified the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) on 24 March 2021; the Convention entered into force on 8 June 2023, 30 days after Mauritania deposited the fifteenth instrument of ratification. SADC and COMESA model laws on data protection and cybercrime have influenced the design of Zambia's domestic statutes.
Examples
A fintech deploying an AI credit-scoring model for Zambian customers processes personal data by automated means, so it must register with the Data Protection Commissioner, conduct a data protection impact assessment because profiling produces significant effects, and keep sensitive personal data inside Zambia. It may also test the product in the Bank of Zambia or Securities and Exchange Commission regulatory sandbox before full launch.
A government department using AI tools to improve public service delivery works within the Smart Zambia Institute's e-government coordination and the National AI Strategy's public-sector pilots, while remaining bound by the Data Protection Act when citizen data is involved. The strategy points to pilots in agriculture, education and health.
An operator of a national patient database or core banking system designated as critical information infrastructure under the Cyber Security Act No. 3 of 2025 must register with the Zambia Cyber Security Agency, store the relevant information in Zambia unless authorised otherwise, and notify the Agency of cybersecurity incidents, including those affecting AI components.
Common misunderstandings
"Zambia has an AI law." It does not. As of mid-2026 there is no AI-specific statute; there is a non-binding strategy plus laws of general application.
"The National AI Strategy is legally binding." It is a policy roadmap. It creates no enforceable obligations and itself calls for a future National AI Policy to be enacted.
"There are no rules until an AI Act arrives." Data protection, cybercrime and sector law already apply to AI systems, and the Data Protection Commission is actively enforcing.
"The 2021 cyber law still governs." The 2021 Cyber Security and Cyber Crimes Act was repealed and replaced by two separate 2025 statutes.
"Data can be hosted anywhere." Sensitive personal data must be stored in Zambia, and critical information infrastructure faces local-storage duties.
Risks and boundaries
This page covers Zambia's national approach to AI governance, not a comprehensive guide to data protection compliance, which sits on dedicated privacy pages. The biggest area of uncertainty is the future shape of binding AI rules. The strategy proposes a National AI Policy and an expanded ZICTA mandate, but neither is yet law. In April 2025 the Cabinet approved in principle a Bill to repeal and replace the Data Protection Act to cover emerging technologies including AI, machine learning and non-personal data, but as of mid-2026 no such Bill appears to have been tabled or enacted, so the 2021 Act remains the operative law.
The 2025 cyber laws are contested. The Law Association of Zambia petitioned the High Court (Constitutional Jurisdiction) on 11 July 2025, challenging numerous provisions of both the Cyber Crimes Act and the Cyber Security Act, with Chapter One Foundation granted leave to join on 3 October 2025. Civil society groups have criticised surveillance and expression provisions and the Cyber Security Agency's placement under the Office of the President. The constitutionality of parts of the regime is therefore an open legal question that could change duties for operators. Treat the institutions named in the strategy as proposed until established in law, and verify current status before relying on them.
What to do next
First, map whether your AI system processes personal data of people in Zambia. If it does, register with the Office of the Data Protection Commissioner, run data protection impact assessments for profiling and high-risk processing, and design for data localisation of sensitive personal data.
Second, check whether any system you operate could be designated critical information infrastructure under the Cyber Security Act, and prepare for registration, local storage and incident notification.
Third, treat the National AI Strategy as a signal of direction. Track the proposed National AI Policy and any expansion of ZICTA's mandate, and watch whether the proposed data law repeal is tabled. Use sector sandboxes where relevant.
Fourth, align governance with durable principles drawn from the African Union Continental AI Strategy and international standards, so you are ready when binding AI rules arrive. The benchmark that should change your plans: introduction of a National AI Policy or AI Bill, or tabling of the data law repeal.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Zambia have an AI law?
No. As of mid-2026 Zambia has no AI-specific statute. AI is governed by the National AI Strategy, a non-binding policy, plus laws of general application such as data protection, cybercrime and electronic transactions law.
What is the main law that applies to AI in Zambia today?
The Data Protection Act No. 3 of 2021. It covers automated processing and profiling, requires registration and impact assessments, and is enforced by the Office of the Data Protection Commissioner, which became operational in 2025.
Who regulates AI in Zambia?
No single AI regulator exists. The Ministry of Technology and Science leads policy, ZICTA regulates ICT, the Data Protection Commissioner enforces privacy law, and the Zambia Cyber Security Agency handles cybersecurity.
What does the National AI Strategy actually do?
It sets direction across sectors and proposes institutions: a National AI Council, sectoral Technical Working Groups, and a future National AI Policy. It is a roadmap and creates no binding obligations.
Are there data localisation rules affecting AI?
Yes. Sensitive personal data must be processed and stored in Zambia, and critical information infrastructure faces local-storage duties under the Cyber Security Act No. 3 of 2025.
How does Zambia align with the African Union?
The strategy aligns with the African Union Continental AI Strategy adopted in July 2024, and Zambia has ratified the Malabo Convention on cyber security and personal data protection.
Is a binding AI law coming?
Possibly. The strategy proposes a National AI Policy and an expanded ZICTA mandate, and the Cabinet approved a data law repeal in principle in 2025, but none is yet enacted.