Angola has yet to experience a real democratic movement at all. What exists instead is a formal democratic Constitution that permits to entrench an increasingly authoritarian system of power, sustained by the absence of real political democratic alternation, weakened institutions and a systematically shrinking civic space. This system is usually referred to as an anocracy, combining elements typical of democracies with dictatorial practices. These systems are inherently unstable and prone to arbitrariness.
Within this context, the proposed cybersecurity legislation must be read not as neutral regulation but as an instrument of authoritarian consolidation. It forms part of a broader legislative package designed to expand state control over the digital sphere and to criminalise dissent under the language of security, reinforcing a model of governance that substitutes surveillance and coercion for accountability.
This is the second article examining the legislative package that the Angolan government has submitted to the National Assembly to regulate cyberspace. And, as with the so-called Law Against False Information, there is no way to soften the criticism.
A Legislative Threat to Constitutional Guarantees
Keep up with the latest headlines on WhatsApp | LinkedIn
If approved in their current form, these laws represent a serious threat not to a democratic process--since one has yet to meaningfully exist--but to the basic constitutional guarantees that still formally underpin Angola's legal order. This is not an ideological stance or a partisan opinion. It is a technical assessment, grounded in a close reading of the legal texts and their foreseeable consequences.
No one disputes that, in an era of digital transformation, states must update their legal frameworks on cybersecurity. Protecting citizens, institutions and the economy is a legitimate objective. The problem arises when this necessity is used as a pretext to expand executive power, criminalise expression and weaken fundamental rights.
That is precisely the risk these laws introduce.
At the heart of the cybersecurity bill lies an architecture of control that generates disproportionate risks for privacy, freedom of expression and the integrity of civic space. The central question is whether there is a gap between the declared ambition to protect "the core values of the democratic state governed by the rule of law" and the extensive powers of surveillance and coercion that the law actually creates.
The answer is unambiguous: the bill establishes an excessive and disproportionate set of mechanisms that constrain digital freedom.
A closer look at the institutional design of the cybersecurity law--its strategic core--reveals why. How power is distributed, concentrated and exercised by newly created bodies defines the balance between state security and individual liberty.
In Angola's case, the proposed structure shows a troubling trend towards the centralisation of authority and an unprecedented breadth of application.
The bill creates a National Cybersecurity Centre (CNC) as the central authority of the new system. Under Article 12, the CNC is entrusted with regulatory, rule-making, supervisory, inspection and sanctioning powers. This accumulation of roles--effectively legislator, investigator, police authority and enforcer--within a single body is deeply problematic.
Combining supervisory powers, inspection authority and sanctioning competence in the same institution, without robust and independent checks and balances, creates a significant risk of abuse. An entity that defines the rules, investigates alleged violations and imposes penalties lacks the separation of powers essential to accountability and to protecting citizens and businesses from arbitrary decisions.
Equally troubling is the scope of the law, which extends across almost the entire digital ecosystem of the country. Article 8 subjects a wide range of public and private actors to the National Cybersecurity System. This grants the state unprecedented visibility into digital activity.
The most expansive provision, however, lies in Article 2(4)(f), which applies the law to "any other entities that use data communication networks and information systems". This catch-all clause transforms what could have been sector-specific regulation into a potentially universal surveillance framework, extending state control beyond critical infrastructure to encompass, in theory, any organisation, business or individual connected to the internet.
The architecture of the law is therefore not neutral. It is pre-calibrated for surveillance, creating the conditions under which civil liberties become structurally vulnerable.
Silencing Dissent
In democratic societies, the most critical safeguard for privacy is the requirement of judicial authorisation for the interception of communications. Angola's proposal dangerously weakens this protection.
Article 15(1)(f) obliges critical infrastructure operators to provide communications deemed to contain criminal content or content threatening state security "by judicial or administrative decision". The inclusion of "administrative decision" is alarming. It allows an executive authority, without independent judicial scrutiny, to authorise access to private communications.
This provision circumvents a cornerstone of the rule of law, designed precisely to protect citizens from executive overreach. By allowing administrative authorisation to suffice, the bill subordinates the fundamental right to privacy to security criteria defined and enforced by the same authority, opening the door to politically motivated surveillance.
Judicial oversight is a pillar of liberal constitutionalism. Its marginalisation transfers to the executive the power to decide when fundamental rights may be suspended in the name of security, eliminating a crucial layer of accountability.
Freedom of expression is further threatened by the deliberate ambiguity of key legal concepts. Acts that threaten "state security" are not defined with the precision required by democratic legal standards. The definition of "cyber threat" is itself excessively vague, encompassing any action--malicious or accidental--that has the potential to compromise system security.
In the hands of a single, powerful authority like the CNC, endowed with unchecked regulatory and sanctioning powers, this vagueness becomes a political instrument. Investigative journalism exposing corruption, online mobilisation or peaceful protest could easily be framed as security threats by an authority operating within an authoritarian logic.
Sign up for free AllAfrica Newsletters
Get the latest in African news delivered straight to your inbox
Beyond direct surveillance and censorship, the law's design produces a chilling effect: self-censorship. Extensive registration requirements and strict incident-reporting obligations create a climate of permanent scrutiny.
This is not a theoretical risk. Cybersecurity providers may hesitate to publish vulnerability research that embarrasses the state. Digital platforms may pre-emptively remove controversial content to avoid regulatory attention. The chilling effect will spread across the digital ecosystem, suffocating both innovation and civic debate.
Taken together, these risks escalate from individual rights violations to structural threats to Angola's constitutional order. They undermine the separation of powers and entrench a security-first logic in which freedom becomes conditional and revocable.
The bill claims to protect constitutional values while preserving personal data. Yet its concrete mechanisms contradict that claim. The combination of a centralised authority with coercive powers, vague legal definitions and weakened judicial oversight produces a framework in which individual liberties are clearly subordinated to executive power.
The promised balance does not materialise. Instead, what emerges is a system where security is defined unilaterally by the state and enforced without meaningful restraint.
Seen alongside the law against so-called false information, the cybersecurity bill represents a clear step towards deeper authoritarian entrenchment. It does not modernise governance. It modernises control.
In a country that has yet to experience a genuine democratic movement, these laws are not safeguards. They are warning signs.
