How Nigeria, Kenya and South Africa rewrote the continent’s digital rulebook in 2025

In 2025, African governments rewrote the continent’s digital rulebook at an unpecedented pace. Across artificial intelligence (AI), crypto markets, telecoms, fintech, digital taxation, data regulation, and digital lending, lawmakers and policymakers introduced sweeping new frameworks that will define how innovation evolves over the next decade. Some of these laws aim to protect consumers after years of regulatory gaps. Others seek to position countries as digital-economy hubs amid global technological acceleration. But nearly all have ignited fierce contests for power, raised questions about implementation capacity, and sparked anxieties that regulation may begin to suffocate the very sectors it seeks to shape.

TechCabal’s coverage of 2025 offers a panoramic view of this continent-wide regulatory awakening. Nowhere was the momentum more intense than in Nigeria, where lawmakers pushed through or attempted to push through more technology-related bills than any other African country this year. Yet the trend was visible across the region: Kenya formalised its first licencing regime for crypto and stablecoins, tightened data rules, and launched an AI strategy; South Africa advanced a national AI framework, modernised empowerment rules for telecoms, and strengthened cybersecurity obligations.

These reforms signal a clear continental trajectory: African states want more control, more structure, and more visibility into fast-growing digital sectors. But the rush to regulate is accompanied by an equally strong concern: could this new era of big laws slow innovation before it fully takes off?

Nigeria’s bid to reshape the digital economy

No single document captured 2025’s regulatory ambition more than Nigeria’s Digital Economy Bill. The draft law would empower the National Information Technology Development Agency (NITDA) with authority over virtually every pillar of the digital economy: AI, cloud services, platforms, cybersecurity, digital public infrastructure, data-driven services, and even open-data governance. Supporters see the bill as an overdue attempt to centralise Nigeria’s fragmented digital-policy landscape and create modern, globally aligned standards.

Proponents argue that stronger NITDA powers could accelerate policy responses and better align innovation with national development priorities, particularly in digital public-infrastructure efforts such as identity, payments, and data-exchange frameworks. They believe that Nigeria, an economy where the digital sector contributes over 11.18% of GDP, requires a coherent governance backbone to catch up with global peers.

But critics argue that the bill risks consolidating too much power in a single agency. The Central Bank of Nigeria (CBN), the Securities and Exchange Commission (SEC), the Nigerian Communications Commission (NCC), and the Nigeria Data Protection Commission (NDPC) already claim overlapping mandates in fintechs, crypto companies, etc. Giving NITDA regulatory primacy across undefined “digital economy” areas could deepen jurisdictional clashes, raise compliance costs, and produce years of legal ambiguity. Startups worry about a future in which innovation requires navigating multiple layers of approvals from agencies that are not yet aligned.

In early November 2025, lawmakers promised to take the bill through third reading before transmitting it to the president before the end of the year. If signed, implementation would unfold through a series of NITDA regulations between 2026 and 2029. The real battles, over interpretation, enforcement, and jurisdiction, are likely yet to come.

Overhauling a 22-year-old telecoms law

In April 2025, Nigeria began updating one of its oldest tech laws: the Nigerian Communications Act (2003). With 5G, IoT, satellite connectivity, cybersecurity threats, and platform-driven markets reshaping the telecommunications landscape, most stakeholders agree the law is overdue for revision.

The NCC’s proposed overhaul aims to modernise quality-of-service rules, tighten consumer-protection mechanisms, and create space for innovation through regulatory sandboxes. The new framework also prioritises competition enforcement and improved reporting by operators. These signals suggest a regulator attempting to become more agile and better equipped for a networked, hyper-digital era.

Still, industry concerns persist. Smaller ISPs fear more burdensome reporting obligations and potentially costly licencing requirements. Stakeholders warn that if the NCC expands its scope too far into digital-platform oversight, regulatory overlaps with NITDA or the NDPC could weaken enforcement coherence. With consultations ongoing, the new law is unlikely before 2026—but the debates of 2025 underscored the reality that telecoms regulation can no longer be separated from the wider digital-economy debate.

EVs, cross-border digital rules, and the implementation gap

Nigeria’s Electric Vehicle Bill, with fines of up to ₦500 million for unlicensed importers, illustrates how governments are extending oversight into new growth areas. But with limited charging infrastructure and power-grid weaknesses, analysts fear the sector could be over-regulated before it scales.

South Africa’s 2025 tech-policy shifts

In 2025, South Africa moved to modernise its telecoms empowerment rules and strengthen its cybersecurity and online safety ecosystem.

An amended ICT policy direction sought to “modernise” Broad-Based Black Economic Empowerment (B-BBEE), South Africa’s transformation framework that uses a scorecard and codes of good practice to expand Black ownership, control, skills, and participation in the economy, and links these outcomes to access to state and certain private-sector opportunities, by introducing an Equity Equivalent Investment Programme (EEIP) as an alternative to the strict 30% local ownership requirement for some licences. This represents a pivotal shift: global players like Starlink, cloud providers, and satellite-internet companies may find it easier to enter the market through approved investment commitments rather than share-equity transfers.

But the reform has sparked heated debate. Supporters say it opens South Africa to new digital infrastructure and foreign investment. Critics warn it risks diluting empowerment goals and giving global tech giants a lighter compliance route. The tension between transformation and global competitiveness remains a defining feature of South Africa’s digital-policy landscape.

Alongside existing laws like the Protection of Personal Information Act (POPIA), South Africa’s data protection law, and the Cybercrimes Act, 2025 saw strengthened cybersecurity and online safety regulations. Authorities introduced updated obligations for platforms to protect users, improve breach-notification protocols, and implement stronger security-by-design measures.

These reforms raise the compliance bar for digital businesses operating in South Africa, especially foreign platforms that historically treated African markets with lighter governance. Robust cyber-resilience is no longer optional.

Kenya’s broader digital-regulation wave

Kenya’s digital-policy activity in 2025 extended far beyond the crypto sector, touching taxation, data rights, telecoms regulation, and the country’s long-term AI strategy. One of the most consequential developments emerged from the 2025 Finance Bill, which proposes removing Section 59A(1B) of the Tax Procedures Act, the clause that currently shields businesses from having to hand over customers’ personal or commercially sensitive data to the Kenya Revenue Authority. Eliminating this protection would give KRA wider access to banking, fintech, and platform data in the name of closing tax loopholes, sparking intense debate about privacy, proportionality, and how far the state should go in integrating tax enforcement with digital platforms.

Telecoms regulation also entered a new chapter as Kenya tightened its SIM-registration rules. The regulator had to issue a November 18, 2028, press statement stressing that, despite a broad legal definition of biometrics, operators would not be required to collect DNA or other intrusive identifiers. The revised framework still raises the bar on identity verification, stiffens penalties for non‑compliance, and adds new administrative obligations, increasing the operational load on telcos and mobile‑money operators at the heart of Kenya’s digital economy as the country pursues stronger identity assurance.

At the same time, data-protection enforcement intensified. The Office of the Data Protection Commissioner issued a fresh wave of penalties and investigations in 2025, including sanctions against digital lenders and probes into major health-data breaches. A new Data Protection (Amendment) Bill seeks to strengthen user rights and better align the regulatory regime with rapidly evolving digital-economy practices. As a result, fintechs, health-tech firms, cloud providers, and online platforms all face a rising compliance bar and greater scrutiny over how they handle personal data.

Kenya also moved aggressively to shape its AI future. The launch of the National Artificial Intelligence Strategy 2025–2030 laid out a vision for building skills, infrastructure, ethical frameworks, and safety mechanisms to guide AI development. A draft AI Code of Practice and a forthcoming Robotics and AI Bill are expected to require registration for certain AI systems, impose transparency and documentation standards, and integrate risk-management obligations into existing legal frameworks. Together, these initiatives position Kenya as a country seeking not only to adopt AI but to govern it, to become one of Africa’s leading AI hubs while embedding accountability into the technology’s expansion.

The race to regulate AI

Artificial intelligence dominated global tech-policy debates in 2025, and African governments moved quickly to stake their claims in the emerging AI landscape. Nigeria and South Africa adopted two markedly different approaches: Nigeria leaned toward a centralised, regulatory model, while South Africa pursued a more values-driven, developmental path.

Yet across the continent, concrete AI regulation remained limited. Fewer than 10 African countries were estimated to have any AI-specific rules in place, and only a small number introduced new AI-focused laws or bills in 2025. Nigeria stood out as one of the few to move beyond strategy into a formal AI oversight bill. In contrast, several others relied on policy frameworks, voluntary codes of practice, or existing data-protection laws instead of passing dedicated AI legislation.

Nigeria: A forceful, centralised AI regime

Nigeria’s AI Bill remains one of the most ambitious and contentious pieces of technology legislation ever proposed in the country. The bill seeks to establish a National AI Council with sweeping authority over registration, licencing, approval, and restriction of AI systems. Mandatory registration for “anyone developing, importing, distributing or using AI” became its most controversial provision.

Supporters argue that strong oversight is necessary to prevent misuse, align with global AI-safety trends, and create investor confidence in a regulated environment. They believe Nigeria should not wait for AI harms to emerge before establishing a legal baseline.

Opponents warn that such broad licencing requirements could cripple innovation. With definitions still vague and administrative capacity limited, startups fear long approval queues, unpredictable enforcement, and compliance burdens that could divert resources away from product development. For SMEs using low-risk AI tools, mandatory licencing could be impossible to navigate. Critics worry the bill risks turning everyday software development into a compliance minefield.

Recommended read: Nigeria pushes for paperless governance with digital signature bill

South Africa: A principles-based AI framework

South Africa took a different approach. Its National AI Policy Framework advanced from concept to the process of developing a comprehensive policy in 2025, laying the foundation for a future AI Act built on five pillars: talent, infrastructure, ethics, fairness, and safety. Rather than imposing immediate binding rules, the framework signals expectations for responsible AI development and deployment.

The document emphasises human-centred AI, risk management, and alignment with socio-economic goals. By giving firms and investors a clearer sense of the direction of travel, without imposing rigid compliance regimes, South Africa aims to support innovation while preparing for a future legal regime.

Still, critics say the framework is too high-level and lacks actionable detail. Without strong enforcement capacity or detailed regulations, companies may treat it as aspirational rather than mandatory. Much depends on whether the forthcoming AI Act provides concrete obligations and whether the government can operationalise them.

Read: Ahead of April review, South Africa’s AI policy faces pressure to deliver.

Crypto regulation: From grey zones to licencing regimes

Another area of sweeping change in 2025 was crypto and digital-asset regulation, as African governments moved to tighten oversight after years of volatility, hacks, collapses, and fraud. In Nigeria, the shift was particularly dramatic. The Investments and Securities Act (ISA) 2025 repositioned many digital assets under the authority of the Securities and Exchange Commission, treating them as part of the country’s capital markets ecosystem. Under the new regime, everything from token issuance to custody, advertising, promotions, disclosures, and market conduct now falls under securities-grade supervision. Nigeria’s updated crypto guidelines and the rollout of the Asset Registration and Issuance Portal reinforced this approach, making clear that the era of loosely regulated digital-asset activity is over.

Supporters of the Nigerian model argue that it introduces much-needed professionalism to a sector long plagued by scams and speculative excess. They see it as a step toward integrating crypto more closely with formal finance and encouraging institutional participation. 

But critics say the heavy compliance burden, prospectuses, trustees, strict capital and custody requirements, risks suffocating early-stage innovation. Licencing processes remain slow, fees are high, and several global exchanges have opted to restrict access for Nigerian users rather than undergo an arduous approval process. The concern is that regulation intended to reduce risk may instead drive crypto activity offshore or into informal channels.

Kenya, meanwhile, took a different but equally consequential path, passing one of the most comprehensive crypto laws on the continent. The Virtual Asset Service Providers (VASP) Act, signed into law in October 2025, formally recognised crypto trading as legal but tightly regulated. Under the Act, exchanges, wallet operators, brokers, stablecoin issuers, and tokenisation platforms must all obtain authorisation and comply with stringent anti-money laundering, reserve, and capital adequacy rules. Oversight is shared between the Central Bank of Kenya and the Capital Markets Authority, creating a dual-regulator environment with high expectations for compliance.

A 12-month transition period is currently in effect, but the pressure is already being felt across Kenya’s digital-asset ecosystem. Better-capitalised companies are preparing to leverage early compliance as a competitive advantage, hoping to dominate a more formalised market. Smaller firms, however, face difficult decisions—some may merge to survive, while others could exit altogether. As in Nigeria, Kenya’s approach signals that the age of informal crypto innovation is ending, replaced by a structured environment in which only the strongest, best-resourced players are likely to thrive.

Nigeria’s fintech, payments, and the mega-regulator debate

Nigeria’s fintech ecosystem, one of Africa’s most dynamic, faced significant regulatory turbulence in 2025. The proposed National Fintech Regulatory Commission Bill seeks to create a specialised body overseeing licencing, sandboxes, innovation support, and cross-border “passporting.” The bill has been pitched as a way to streamline regulation and reduce fragmentation.

But critics say it risks adding yet another layer to an already complex regulatory web involving the Central Bank of Nigeria (CBN), Securities and Exchange Commission (SEC), National Insurance Commission (NAICOM), and National Information Technology Development Agency (NITDA). A “regulator of regulators,” they argue, may create more bottlenecks than solutions.

Meanwhile, the CBN’s new ATM and PoS rules seek to improve uptime and security by imposing stricter obligations on banks and agents. Super-agents warn that implementation may be unrealistic in low-income areas, raising fears of agent attrition.

Digital lending: When loan apps finally met the law

Nigeria also cracked down heavily on digital lending in 2025. New FCCPC rules introduced fines of up to ₦100 million (or 1% of annual turnover), prohibited harassment and data scraping, and required detailed disclosures. Lenders must register, undergo audits, and meet strict data-management and conduct standards.

Dozens of loan apps paused operations as they navigated a 90-day compliance window. Consumers welcomed the reforms after years of abusive practices, but lenders worry about reduced credit availability for low-income borrowers, potentially pushing them toward informal lenders.

Emerging Pattern

Across the continent, the pattern is similar: ambitious laws are being passed faster than institutions can implement them. Many frameworks, AI, crypto, digital economy, and data protection depend on elaborate subsidiary regulations and multi-agency coordination.

The real test, however, lies not in legislating but in execution.