What is AI regulation in Zimbabwe?
As of 2026, Zimbabwe has no AI-specific statute. It governs AI through a National Artificial Intelligence Strategy 2026 to 2030 (a policy, not a binding law), the Cyber and Data Protection Act [Chapter 12:07] enforced by POTRAZ, the right to privacy in section 57 of the 2013 Constitution, and sector rules such as the Reserve Bank fintech sandbox. The Strategy proposes a future AI governance, ethics and regulatory framework and an oversight body, but these are not yet law.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
AI regulation in Zimbabwe describes the mix of policy, existing law and institutions that currently shape how artificial intelligence is built and used in the country. The key point for any operator is that there is no dedicated AI Act. There is no horizontal AI law with binding duties, and no statutory risk tiers. What exists instead is a national policy document plus a set of general laws that apply to AI because AI systems process personal data, make decisions about people and operate in regulated sectors.
The central policy instrument is the National Artificial Intelligence Strategy 2026 to 2030, approved by Cabinet in October 2025 and launched by President Emmerson Mnangagwa on 13 March 2026 at the New Parliament Building in Mount Hampden. It is led by the Ministry of Information Communication Technology, Postal and Courier Services. The Strategy sets direction and proposes new governance bodies, but a strategy is soft law: it guides government action and signals intent rather than creating enforceable obligations on companies.
The binding rules that already bite on AI come from elsewhere. The Cyber and Data Protection Act [Chapter 12:07] regulates how personal data is processed, including by automated means, and names the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as the Data Protection Authority. The 2013 Constitution protects privacy. Sector regulators, notably the Reserve Bank of Zimbabwe in financial services, supervise AI-enabled products within their own mandates.
Why it matters
For anyone deploying or buying AI in Zimbabwe, the practical stakes sit in the gap between ambition and enforceable rules. The Strategy is expansive, with flagship programmes, a national data platform and a planned AI regulatory sandbox, but the obligations you must actually comply with today come from data protection law and sector regulation, not from an AI statute.
That has three consequences. First, if your AI system touches personal data, you are already regulated: you likely need to register with and obtain a licence from POTRAZ, appoint a Data Protection Officer, and respect rules on sensitive data and automated decisions. Second, the absence of a specific AI law does not mean a free hand, because constitutional privacy rights, consumer protection, financial-sector rules and criminal provisions on data misuse still apply. Third, the direction of travel is clear: the Strategy proposes a dedicated governance, ethics and regulatory framework and an oversight body, so organisations that build governance now will adapt more cheaply when binding rules arrive.
There is also a credibility gap to manage. Zimbabwe scored 3.69 out of 100 on the 2024 Global Index on Responsible AI, produced by the Global Center on AI Governance, which signals weak institutional readiness despite strong policy language. Buyers and investors should treat governance claims with appropriate diligence.
How it works
The current model: policy strategy plus general law
Zimbabwe follows what is best described as a strategy-led, data-protection-anchored model. There is no horizontal AI law and no statutory risk tiers of the kind seen in the EU. Instead, a national policy strategy sets direction while binding control over AI comes from laws of general application. This places Zimbabwe with the majority of African states that have an AI strategy or draft policy but no dedicated AI statute.
The National AI Strategy 2026 to 2030
The Strategy was approved by Cabinet in October 2025 and launched on 13 March 2026. It is built on six pillars: AI talent and capacity development; AI infrastructure and computational sovereignty; AI adoption and service transformation; AI governance, ethics and regulation; research, development and innovation; and international collaboration and diplomacy. It is rooted in the Ubuntu philosophy and emphasises data sovereignty, with five named flagship initiatives: a national AI and data platform branded Project Pangolin; an AI regulatory sandbox called the Innovation Crucible; the Nzwisiso.ai national AI literacy campaign, targeted to reach 60 per cent of Zimbabwe's adult population by 2030; the AI Grand Challenge competition; and the National AI Innovation Fund (the Mugove/Isabelo Fund). Governance of implementation sits with a National AI Council and an AI Strategy Implementation Office, supported by technical working groups. Crucially, the Strategy is a policy document. The fourth pillar promises a future AI governance, ethics and regulatory framework, including ethics guidelines, bias testing for high-stakes applications and human-rights safeguards, but these are proposals, not enacted law.
The binding layer: the Cyber and Data Protection Act
The Cyber and Data Protection Act [Chapter 12:07] is the law that most directly governs AI in Zimbabwe today, because almost all AI systems process personal data. Enacted in 2021 and effective from 11 March 2022, it designates POTRAZ as the Data Protection Authority under section 5. It applies to automated and partly automated processing, and it reaches controllers outside Zimbabwe who use equipment or systems located in the country, requiring them to appoint a local representative.
Several provisions bear directly on AI. Section 12 prohibits processing of genetic, biometric and health data without written consent, subject to exceptions, which directly affects facial recognition, voice systems and health AI. Section 25, headed "Decision taken on basis of Automatic Data Processing", addresses automated decision-making and profiling: it protects individuals against decisions with legal or significant effects that are based solely on automated processing, unless the person has consented or it is otherwise authorised by law. This is the closest thing in current Zimbabwean law to an AI-specific duty. The Act also imposes data breach notification within 24 hours and restricts cross-border transfers.
Licensing under SI 155 of 2024
Statutory Instrument 155 of 2024, the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, was gazetted on 13 September 2024. It requires data controllers to register and obtain a data controller licence from POTRAZ, with existing controllers required to apply by 12 March 2025. Controllers must appoint a qualified Data Protection Officer. Licence fees range from US$50 to US$2,000, and processing without a licence after the deadline is an offence carrying a fine or imprisonment of up to seven years. Any organisation running AI over personal data of Zimbabwean individuals should expect to fall within this licensing regime.
Constitutional foundation
Section 57 of the 2013 Constitution guarantees the right to privacy, including the privacy of communications and protection against disclosure of health conditions. Related rights to dignity, administrative justice and a fair hearing are also relevant to automated decisions. Constitutional rights bind the State and shape how courts interpret data and surveillance law, though section 86 permits limitations that are fair, reasonable, necessary and justifiable.
Sector regulation
In the absence of a horizontal AI law, sector regulators carry significant weight. The Reserve Bank of Zimbabwe operates a Fintech Regulatory Sandbox, established in March 2021 by the National Fintech Steering Committee, that lets firms test innovative financial products, including AI-enabled ones, under supervision and within existing financial statutes. This is the established, functioning sandbox today, and it is distinct from the AI-specific Innovation Crucible sandbox proposed in the Strategy. Health, employment and consumer contexts are governed by their own rules plus the data protection regime.
Regional and international alignment
Zimbabwe's Strategy explicitly aligns with the African Union Continental Artificial Intelligence Strategy, endorsed by the AU Executive Council in July 2024, which promotes a development-focused, ethics-led approach and encourages member states to adopt national strategies. The AU instrument leans heavily on data protection and governance laws as the near-term vehicle for AI regulation. At the sub-regional level, the SADC Model Law on Data Protection, developed under the ITU and European Commission HIPSSA project, influenced Zimbabwe's data law and contains provisions on automated processing. The Strategy also draws on the UNESCO Recommendation on the Ethics of Artificial Intelligence (2021): Zimbabwe completed a UNESCO-supported AI Readiness Assessment Methodology (RAM) report in 2025, which recommended developing the national strategy. Notably, Zimbabwe has neither signed nor ratified the AU Malabo Convention on Cyber Security and Personal Data Protection, having instead legislated domestically.
Examples
A fintech deploying an AI credit-scoring model in Zimbabwe operates under two regimes today, not one. It must register and license as a data controller with POTRAZ and appoint a DPO under SI 155 of 2024, and its automated lending decisions engage section 25 of the Cyber and Data Protection Act on decisions based solely on automatic processing. If it wants to test a novel product, it can apply to the Reserve Bank of Zimbabwe Fintech Regulatory Sandbox, which has operated since March 2021 under existing financial-sector statutes.
A health provider using AI diagnostics that analyse patient images or records is processing health and potentially biometric data. Under section 12 of the Act, this generally requires written consent from the data subject, subject to defined exceptions such as public health or medical treatment, and processing of health data is tied to supervision by a health professional. The national strategy envisages AI in healthcare, but the binding constraint today is the data protection regime, not an AI law.
A startup joining a government programme illustrates the policy layer. The Strategy launched the AI Grand Challenge, an annual competition whose first challenge focuses on food security, and proposes the Innovation Crucible sandbox to let startups test AI products under temporary regulatory flexibility. These are policy initiatives that offer access and funding, but participation does not change a firm's underlying legal duties under data protection and sector law.
Common misunderstandings
"Zimbabwe has an AI law." It does not. It has a national AI Strategy, which is policy. Binding obligations come from data protection law, the Constitution and sector regulation.
"The National AI Strategy creates compliance duties for companies." The Strategy guides government and proposes future frameworks and bodies. It does not by itself impose enforceable duties on private firms.
"No AI law means AI is unregulated." Incorrect. If your system processes personal data, you are regulated by the Cyber and Data Protection Act and will likely need a licence from POTRAZ, and constitutional and sector rules also apply.
"POTRAZ is an AI regulator." POTRAZ is the Data Protection Authority and the telecoms regulator. It regulates personal data processing, which captures much AI, but it is not a dedicated AI oversight body. The proposed AI oversight body in the Strategy is not yet established in law.
"Zimbabwe is bound by the AU Malabo Convention." Zimbabwe has neither signed nor ratified the Malabo Convention. It built its own data law instead, and aligns with the separate AU Continental AI Strategy as policy.
Risks and boundaries
The biggest boundary is legal status. Zimbabwe's AI-specific governance is largely aspirational. The National AI Strategy, the proposed AI governance, ethics and regulatory framework, the proposed oversight body, the Innovation Crucible sandbox and Project Pangolin are commitments and plans, not enacted law, and timelines may slip. Anyone relying on these as if they were binding rules is misapplying them.
Proposals for a dedicated Zimbabwe AI regulatory authority have been floated in commentary and in the Strategy's governance pillar, but the exact legal form, powers and timing remain undefined. Treat any specific body name as provisional until legislation appears.
There is a real readiness and rights concern. Zimbabwe scored 3.69 out of 100 on the 2024 Global Index on Responsible AI, indicating weak responsible-AI structures. Civil society has flagged that broad data and surveillance laws, and AI-enabled smart-city monitoring, can operate without strong independent oversight. The same Cyber and Data Protection Act that protects personal data has been criticised for provisions that can chill expression. AI governance claims should therefore be tested against actual safeguards, not policy language.
Finally, this article explains regulation and governance; it is not legal advice. Licensing thresholds, exemptions and deadlines under the Act and SI 155 carry penalties, so verify your specific position with current POTRAZ guidance and qualified local counsel.
What to do next
Start by mapping whether your AI processes personal data of people in Zimbabwe. If it does, treat the Cyber and Data Protection Act and SI 155 of 2024 as your live compliance baseline: confirm whether you must register and obtain a data controller licence from POTRAZ, appoint a qualified Data Protection Officer, and document your lawful basis, especially for any genetic, biometric or health data under section 12.
Audit your automated decisions against section 25. Where a decision based solely on automated processing has legal or significant effects on a person, build in consent or another lawful basis, plus human review and an appeal route. This is both current good practice and close to where future AI rules are heading.
If you operate in financial services, engage the Reserve Bank of Zimbabwe Fintech Regulatory Sandbox for novel AI products rather than assuming the proposed AI sandbox is available. For other sectors, identify your lead regulator and its existing rules.
Watch three triggers that would change your plan: publication of a binding AI governance, ethics and regulatory framework or bill; the legal establishment of a dedicated AI oversight body with defined powers; and the opening of the Innovation Crucible sandbox. Align internal governance now to recognised reference points, the AU Continental AI Strategy and the UNESCO Recommendation on the Ethics of AI, so that you can adapt quickly and credibly when binding obligations arrive.
FAQs
Does Zimbabwe have an AI law in 2026?
No. Zimbabwe has a National Artificial Intelligence Strategy 2026 to 2030, which is policy. There is no dedicated AI statute, and no horizontal AI law with binding duties or risk tiers.
What governs AI in Zimbabwe in the absence of an AI law?
Mainly the Cyber and Data Protection Act [Chapter 12:07] enforced by POTRAZ, the right to privacy in section 57 of the 2013 Constitution, and sector regulation such as the Reserve Bank of Zimbabwe fintech rules. Consumer and criminal provisions also apply.
Who regulates AI and data in Zimbabwe?
POTRAZ is the Data Protection Authority and also the telecoms regulator. It enforces the Cyber and Data Protection Act, which captures most AI processing of personal data. There is no separate statutory AI regulator yet, though the Strategy proposes oversight bodies.
Does Zimbabwe regulate automated decision-making?
Yes, indirectly. Section 25 of the Cyber and Data Protection Act addresses decisions based on automatic data processing, protecting people from decisions with legal or significant effects taken solely by automated means unless they consent or it is authorised by law.
Do I need a licence to run an AI system that uses personal data?
Probably. SI 155 of 2024 requires data controllers to register and obtain a licence from POTRAZ and to appoint a Data Protection Officer. Existing controllers were required to apply by 12 March 2025, and processing without a licence is an offence.
How does Zimbabwe align with the African Union approach?
Zimbabwe's Strategy aligns with the AU Continental Artificial Intelligence Strategy endorsed in July 2024, which is development-focused and relies on data protection and governance law. Zimbabwe has not signed or ratified the AU Malabo Convention.
What is the Innovation Crucible?
It is a national AI regulatory sandbox proposed in the Strategy to let startups test AI products under temporary regulatory flexibility. It is a proposal and is distinct from the existing Reserve Bank of Zimbabwe fintech sandbox.
