Electronic Communications and Transactions Act 25 of 2002 (ECTA)

The Electronic Communications and Transactions Act 25 of 2002 (ECTA) aims to ‘enable and facilitate electronic communications and transactions in the public interest.’

It calls for the creation of a national e-strategy and electronic transactions policy, and addresses the facilitation of electronic transactions, e-government services, authentication service providers, consumer protection, the protection of personal information, the protection of critical databases, domain name authority and administration, the appointment and powers of ‘cyber inspectors’, and cyber crime.

ECTA is aimed at all organisations that use electronic transactions, particularly Small, Medium and Micro Enterprises (SMMEs), and has been in force since November 2002.

Data messages and electronic signatures

Arguably the most significant part of ECTA is that, in making provision for the recognition and regulation of e-commerce, it gives data messages (e.g. email, SMS) the same legal standing as their paper equivalents, and makes electronic signatures legal. Before ECTA’s enactment, e-signatures had no formal legal recognition and although they were commonly accepted it was considered legally dubious to conduct a transaction electronically.

ECTA also stipulates that in certain circumstances (for example where legally required for wills and property transactions), an ordinary electronic signature is not considered adequate, and an advanced electronic signature (AES) verified by an accredited authentication service must be used. The Act names the South African Post Office Limited as a preferred authentication service provider.

Definitions

The term ‘data message’ is defined in the Act as ‘data generated, sent, received or stored by electronic means and includes (a) voice, where the voice is used in an automated transaction; and (b) a stored record’.

The term ‘electronic signature’ is defined in the Act as ‘data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature’.

Penalties

The Act mandates imprisonment of up to a year or an unspecified fine for offences relating to false accreditation, for hindering or impersonating cyber inspectors, for failing to take remedial action within the time period required by a cyber inspector, for hacking or interfering with data, or for producing or supplying devices or computer programs that could be used to hack or interfere with data.

Imprisonment for up to five years or an unspecified fine is mandated for the use of devices or computer programs to hack or interfere with data, for denial of service attacks, and for ransom attacks.

ECTA and ISO27001

Organisations seeking compliance with ECTA need a robust Information Security Management System (ISMS) in order to manage their ECTA compliance effectively. Information security is a broad approach that addresses the security of information in all forms and covers paper documents, physical security and human error as well as the handling of digital data.

In order to achieve an effective cyber security posture, organisations must realise that hardware and software solutions alone are not enough to protect them from cyber threats and that a broader information security approach is needed. The three fundamental domains of effective information security are people, process and technology.

ISO27001 is the internationally recognised best-practice Standard that lays out the requirements of an ISMS and forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO27001 in order to deliver their specific added value.

Organisations with multiple compliance requirements often seek certification to ISO27001 as its comprehensive information security approach can centralise and simplify disjointed compliance efforts; it is often the case that companies will achieve compliance with a host of legislative requirements simply by achieving ISO27001 certification.

The latest version of the Standard, ISO27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO27001:2013 has been developed in order to harmonise with other standards, so the process of auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.

Further, the additional external validation offered by ISO27001 certification is likely to improve an organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

How ISO27001 can help you comply with South African data protection legislation

How ISO27001 can help you comply with South African information security legislation

Written by cyber security expert Alan Calder, this free guide details how to leverage ISO27001 as a single framework for creating a cyber secure enterprise while supporting adherence to POPI and many other cyber security laws.

Why IT Governance?

IT Governance is a specialist in the field of information security and IT Governance, and has led more than 140 successful certifications to ISO27001 around the world.

IT Governance has created ISO 27001 packaged solutions to give South African organisations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.