The case for treating critical digital systems as a governance priority
Cases that changed the conversation when civilian systems faced national crisis
Private platforms become nationally important when their failures cease to be a “corporate problem” and become a national problem.
Appears in the following cases:
Outages impact multiple sectors at once (payments, communications, government services), regulators convene industry players in crisis mode, and business continuity becomes a matter of public interest, not just internal SLAs.
The event that changed the conversation
In March 2024, submarine cable failures occurred simultaneously in 13 countries in West and Central Africa. Internet connectivity has fallen significantly, increasing reliance on payments, logistics, and government services. This was not a cyberattack. It was not a failure of governance. This was a technological disruption to privately owned, shared infrastructure. But its impact instantly spread across borders, affecting commerce, public services, and daily life in ways that no country was fully prepared for.
Two months later, a similar failure affected a major submarine cable system in East Africa, causing carriers to scramble to deploy redundancy measures, which in many cases were insufficient to absorb the load.
By July 2024, a CrowdStrike-related global IT failure had reached South Africa, disrupting banking channels and aviation services, proving once again that reliance on upstream third-party technology can quickly escalate into a national continuity incident.
In early 2025, Zambian regulators went beyond apologizing. Following Airtel’s network outage, the regulator ordered formal customer compensation under the Consumer Protection and Quality of Service Framework. It was a quiet but important signal. The days of disability being absorbed into press releases may be over.
Once an outage or maintenance schedule becomes a public interest event, the service has effectively stepped into significant territory of state dependence, whether or not the law catches up.
This last point is the most important. Both operators are acting responsibly when Safaricom pre-announces a maintenance period for M-Pesa and MTN Ghana announces six hours of MoMo downtime for upgrades. But these platforms inadvertently demonstrate something important: they are no longer private services aimed at public users. These are public utilities operated under private ownership. The logic of governance must be followed.
Defining “critical” without drama
The term “critical infrastructure” tends to provoke one of two counterproductive reactions. Technocrats ignore it as a political authority. Nationalists use it to justify protectionism. Neither response is beneficial for Africa.
A more useful definition is operational. That is, when a failure of a private system ceases to be a corporate accident and starts to become a national accident, that system becomes nationally important.
You know you’re there when a failure affects multiple sectors at the same time. When regulators convene industry stakeholders in emergency mode. When business continuity is no longer an internal SLA conversation, but a public interest issue.
Most importantly, as a regulator or board member, you realize that you have no contractual basis to demand answers, no audit rights to verify your recovery schedule, and no exit plan that will stand up to scrutiny.
We propose a simple specification test.
If the system causes a significant disruption to commercial or critical services within 24 to 72 hours of the failure. If there is no replacement that can absorb that volume within a few weeks. The breach would enable fraud or disruption on a national scale. and whether the policy produces public-interest outcomes.
I passed!
If three or more of these conditions are met, it means there is a serious possibility. 5 means systemically important.
This is not a special standard. This mirrors the framework already in operation in Europe, Singapore and Australia. What is different is the urgency of Africa’s timeline.
What Africa is already doing and why it matters
The encouraging news is that Africa is not starting from scratch. Across the continent, serious legislative and regulatory frameworks are already in motion.
The Ghana Cybersecurity Authority enforces critical information infrastructure provisions under the Cybersecurity Act 2020, including designation, registration, compliance auditing, and obligations of critical infrastructure owners.
Kenya has enacted critical information infrastructure and cybercrime management regulations that establish requirements for audits, inspections, and recovery plans.
South Africa’s Critical Infrastructure Protection Act 2019 provides for a declaration, recovery measures and establishes a Critical Infrastructure Council.
Nigeria has gazetted a National Critical Information Infrastructure Designation and Protection Order in 2024. Rwanda, Mauritius, and Morocco each have operational cybersecurity governance frameworks that explicitly address critical digital infrastructure.
These are not peripheral developments. These represent a shift across the continent in how legislators and regulators understand digital systems, from technical issues in IT departments to governance issues in boards and policy offices.
There are no gaps in sight. The gaps are in operations, such as in contracts, audits, incident disclosure standards, supplier accountability mechanisms, and exit readiness standards that translate legal frameworks into practical guarantees.
Governance designed before scale is impactful. Governance designed after scale manages outcomes.
The real question of governance
For regulators, the practical next steps are more obvious than many realize. The tiered designations of systemically important, sectorally important, and critical allow for appropriate oversight without regulatory overreach.
Download the Regulator’s Handbook: Managing Critical Digital Infrastructure. This is a 20-page operational guide for financial sector regulators, central bank supervisors, and policy makers who have a legal framework but need an enforcement architecture to match. Learn how to tier and designate critical operators without causing investment flight, how to create truly enforceable incident disclosure regimes, and how to extend accountability through supply chains you don’t directly oversee. All frameworks are stress tested against real African market conditions
Mandatory and measurable continuity standards, with the submission of evidence rather than guarantees, create an infrastructure of accountability where it is clear that incidents do not currently exist. Supply chain accountability bridges the gap exposed globally by the CrowdStrike scandal by extending obligations to critical upstream providers.
But governance challenges are not just regulatory issues. They are also placed in boardrooms of private businesses.
Boards of companies operating national payment platforms, dominant mobile networks, and carrier-neutral data centers will need to ask a different set of questions than they do today. Standard governance frameworks consider uptime, cyber risk, and compliance. The more nationally critical you become, the sharper your questions become.
What is the event that turns us from national champions to national crisis overnight? If a regulator demanded proof of our recovery capabilities tomorrow, would we be able to cleanly provide test results, audit trails, and dependency maps? Do our supplier contracts include the reporting and recovery responsibilities necessary to meet our obligations to the state? Have we tested recovery under realistic conditions, or have we just documented it?
Operators who ask these questions and proactively build what we call assurance packs, national incident operating modes, and realistic exit preparedness before they are forced to do so will shape regulation. Those who wait will be regulated after the fact in the aftermath of the next incident, with less influence on subsequent plans.
Download the Board Governance Playbook: Critical Digital Infrastructure. A 20-page practical guide for private sector boards and regulators covering designation readiness, incident governance, supplier accountability, and exit preparedness frameworks.
The window is open, but not indefinitely
The strategic question is not whether Africa should go digital. That question was solved a long time ago. The question is whether Africa will set the terms of its digital dependencies before the scale increases and it becomes difficult to change the terms.
Governance frameworks that are designed before critical platforms reach a scale where renegotiation becomes cost-prohibitive work. A governance framework designed around facts governs results. The differences between the two are not only technical. It’s strategic.
Africa has the legislative base, regulatory momentum and conference infrastructure to lead this dialogue. What is needed now is to transform frameworks into operational disciplines. This means early visibility and proportional application of measurable continuity standards, verifiable governance, exit readiness, and concentration risk without being anti-investment.
In the end, the question is whether Africa will be the builder of that dependency or inherit it by default.
read more
