Security testing for Rwanda's Data Protection Law and NCSA compliance

Law No. 058/2021 requires every organisation that holds personal data to put in place "appropriate technical and organisational measures" to protect it, under the supervision of the National Cyber Security Authority (NCSA). The law does not hand you a checklist of tests. Penetration testing, led by an OSCP-credentialled practitioner, is how you produce the evidence that those technical measures actually hold.

Supports: Law No. 058/2021 | NCSA supervision | OSCP-credentialled practitioner | Evidence-led reporting

What the law and the NCSA require

01. Who must comply

Any organisation that processes personal data: government, healthcare, telecom, fintech, and private companies. Not only BNR-regulated banks.

02. The technical-measures obligation

The law requires "appropriate technical and organisational measures" to protect personal data. You have to be able to show those measures work.

03. Breach notification

A personal data breach must be notified within 48 hours, with a fuller report following within 72 hours. Knowing your exposure first makes that window survivable.

04. The evidence we provide

A manual penetration test and an evidence-led report that documents what an attacker could reach, and what you fixed. Concrete proof your controls were tested.

What Law No. 058/2021 and the NCSA require

Rwanda's Law No. 058/2021 governs the protection of personal data. It is supervised by the National Cyber Security Authority (NCSA), the data-protection supervisory authority. Registration of data controllers and processors is mandatory, and a Data Protection Officer is required where applicable. The compliance transition period ended on 15 October 2023, so the law is now in force and enforcement is active.

Two obligations matter most for security testing. First, controllers and processors must implement "appropriate technical and organisational measures" to protect personal data. Second, where a personal data breach occurs, the law sets a short notification window: notification to the supervisory authority within 48 hours (Article 43) and a fuller report within 72 hours (Article 44). The law does not prescribe a specific test or a fixed test cadence, which leaves each organisation to demonstrate that its technical measures are real and effective.

Who must comply: government, healthcare, telecom, fintech, any data holder

This is the part that surprises many organisations. The data-protection regime is not limited to banks supervised by the National Bank of Rwanda. It reaches any organisation that handles personal data about people in Rwanda: government bodies and agencies, hospitals and clinics, telecom operators, fintechs and banks, insurers, schools, NGOs, and private companies.

If your organisation collects, stores, or processes personal data, the obligation to protect it with appropriate technical measures applies to you. Banks supervised by the BNR carry an additional, more prescriptive testing obligation, covered on our BNR-compliant penetration testing page.

How security testing demonstrates "appropriate technical measures"

The law asks you to protect personal data with appropriate technical measures, but it leaves you to prove those measures hold. A manual penetration test does exactly that. It attempts to reach the personal data the way an attacker would, across your applications, APIs, networks, and cloud, and documents what it found with proof-of-concept evidence, severity ratings, and prioritised fixes. That report is concrete evidence that you tested your controls, identified the gaps, and remediated them. It is not a substitute for registration, a Data Protection Officer, or a formal attestation; it is the technical layer that supports them. For the full scope of what manual testing covers, see our penetration testing service.

What we deliver

We run the engagement by hand, not as a repackaged scanner report, and we structure the output so it supports your data-protection programme.

How an engagement runs

Scoping

We map where personal data lives in your environment and agree rules of engagement, timeline, and the systems in scope.

Testing

Manual penetration testing, with clear communication and immediate escalation of anything that exposes personal data.

Reporting

An evidence-led report: executive summary, technical findings, CVSS ratings, and prioritised remediation tied to your data-protection obligations.

Retest

Free retest on remediated findings and a clean report you can keep as evidence that your technical measures were tested and fixed.

Frequently asked questions

Does Rwanda's Data Protection Law require penetration testing?

Law No. 058/2021 requires every data controller and processor to put in place "appropriate technical and organisational measures" to protect personal data. It does not name a specific test or a fixed test cadence. Penetration testing is one of the clearest ways to produce evidence that those technical measures actually work, which is why it supports a data-protection programme rather than being a standalone legal mandate.

Who must comply with Law No. 058/2021 in Rwanda?

Any organisation that processes personal data: government bodies and agencies, hospitals and clinics, telecom operators, fintechs and banks, insurers, schools, NGOs, and private companies. If you collect, store, or handle personal data about people in Rwanda, the law applies to you, not only to BNR-regulated banks.

Who is the supervisory authority for data protection in Rwanda?

The National Cyber Security Authority (NCSA) is the supervisory authority for personal data protection in Rwanda. Registration of data controllers and processors is mandatory, and a Data Protection Officer is required where applicable. The compliance transition period ended on 15 October 2023, so the law is in force and enforcement is active.

What is the data breach notification timeline under Law No. 058/2021?

Where a personal data breach occurs, the law sets a short window: notification to the supervisory authority within 48 hours (Article 43), followed by a fuller report within 72 hours (Article 44). Meeting those windows is far easier when you already understand your exposure, which is part of what security testing gives you before an incident happens.

How does penetration testing help demonstrate "appropriate technical measures"?

The law asks you to protect personal data with appropriate technical measures, but it leaves you to show that those measures hold. A manual penetration test attempts to reach the personal data the way an attacker would and documents what it found, with proof-of-concept evidence and prioritised fixes. That report is concrete evidence that you tested your controls, found the gaps, and remediated them.

Does IMIZI Cyber register us with the NCSA or certify our compliance?

No. We are not an accredited or registered NCSA auditor and we do not issue compliance certification. We provide the technical security testing and the evidence-led report that supports your data-protection programme. Registration, your Data Protection Officer, and any formal attestation sit with your organisation and the relevant authority.

For banks supervised by the National Bank of Rwanda, the regime is more prescriptive: see our BNR-compliant penetration testing page. For the full scope of our manual testing across web, network, mobile, API, and cloud, see our penetration testing service.

Holding personal data in Rwanda?

Tell us where your personal data lives and what you need to protect. We reply within 24 hours, and a scoped proposal follows within 48 hours of the scoping call.
