Key Provisions and Implications of Ethiopia’s IT Products Security Clearance Proclamation

September 23 2024

Corporate & Commercial Law, , Fintech, ICT & Data Privacy, ,

The Information Technology Products Security Clearance and Control Proclamation No. 1310/2023 (hereinafter, the “Proclamation”) was necessitated for the protection of Ethiopia’s information technology infrastructure and the citizens of Ethiopia from emerging threats in cyberspace.[1] The Proclamation aims to regulate the importation, exportation, usage, and handling of Information Technology (IT) products with due risks to national security. In doing so, it also acknowledges the positive contribution of IT products to the nation’s growth and development.[2] DABLO Law Firm presents an overview of the key provisions below:

Prohibited and Restricted IT Products

IT products are defined as any technology devices, designs, algorithms, methods, services, or applications that can infiltrate, disrupt, intercept, destroy, mislead, distort, steal, and falsify electronic data or signals.[3] They are categorized into two classes as per the Proclamation:

Prohibited IT Products: These are products whose import, export, and usage in the country have been prohibited by law since they pose a critical threat to the information security of Ethiopia.[4]

Restricted IT Products: are products that have potential information security risks and can only be imported, exported, or used with the appropriate security clearance permit.[5] The restricted products will similarly be subjected to a more rigorous system of controls, and any importer, exporter, or user as such, must follow the regulatory requirements prescribed by the Proclamation.

The list of both prohibited and restricted products shall be updated annually by the Information Network Security Administration (INSA) in collaboration with the relevant government organ, particularly the National Intelligence and Security Service (NISS). Such a list shall be publicly published through INSA’s website among other means.[6]

Security Clearance Permit System

In order to engage in any regulated activities (such as the importation, exportation, manufacture, sale, and use of restricted products), a Security Clearance Permit shall be obtained from INSA.[7] The permit application process will be governed by specific directives to be issued by INSA.[8] There exist different types of permits that vary in nature:[9]

Pre-import permit
Import permit
Export permit
Manufacturing, sale, and other permits

To obtain a Security Clearance Permit, applicants have to present due form identification, prove legal capacity, present residence or proper work permit or visa (in the case of foreign applicants), and present other technical requirements related to the product.[10] A Security Clearance Permit is valid for a fixed term and renewable annually on condition that the terms established by INSA have been met.[11] Any variation of the conditions of granting the permit, such as deterioration or loss of the product, needs to be immediately reported to INSA within 8 hours after coming to know the existence of such an occurrence. Moreover, neither a Security Clearance Permit nor a product can be transferred or lent to a third party without prior notice to and permit from INSA. The grantee is also required to hold the Permit while using the product.[12]

Mechanism for Inspection and Control

The Proclamation gives INSA the mandate to establish a strong inspection and control mechanism tracing the circulation and utilization of prohibited and restricted products including, among others:

Customs Checkpoints: The authority will work with the relevant stakeholders to monitor products through various essential entry and exit points of the country to prevent the entry or export of prohibited or restricted IT products.[13]
Product Auditing and Evaluation: INSA regularly audits and evaluates IT products imported into Ethiopia through the security clearance system.[14]
Technological Platforms: INSA will employ modern technological platforms for tracking the import, export, and usage of IT products.[15]
Investigation and Seizure: Inspectors appointed by INSA are vested with the power to inspect IT products, to seize the products that are manufactured, possessed, sold, or distributed without a permit or in violation of the law, and to co-operate with police agencies for investigation purposes and enforcement of the law. When urgency is shown and national security is in jeopardy, an inspector may enter any premise and search or seize any product without a court order, provided he/she notifies the nearest court within 48 hours. The inspector, in collaboration with the relevant law enforcement agency, could also stop and inspect any vehicle and seize a product whenever there is a reasonable suspicion of illegal possession of a restricted or prohibited product.[16]

The Proclamation provides that INSA, together with the Customs Commission, shall seize and forfeit prohibited or restricted products if a product is found to violate the law. The seized product shall be kept in storage and may be used or disposed of in accordance with the procedures to be determined by INSA.[17]

Penalties and Criminal Liability

The Proclamation has put in place stringent penalties upon violations in relation to illegal import, export, or use of prohibited or restricted IT products:

Engaging in activities with prohibited or restricted products without a valid permit is punishable with rigorous imprisonment from 3 to 5 years and a fine of 50,000 to 100,000 Ethiopian Birr. The penalty may rise to a rigorous imprisonment of up to 10 years and fines of as high as 500,000 Birr where the violation was made with a large quantity of products or in an organized manner.[18]
For violations committed negligently and if they do not result in direct harm to national security, the penalties are lesser. These carry up to 3 years of simple imprisonment and fines of up to 50,000 Birr.[19]
Infringement of permit conditions - such as failing to report loss of product, or transferring a product without authorization - is punishable by 1 to 3 years of simple imprisonment, or a fine from 5,000 to 50,000 Birr.[20]
Grievance Mechanism

The Proclamation provides a grievance redressal mechanism. Any person affected by any decision taken under the Proclamation may file a complaint to INSA, which has to set up a complaint-handling department and issue directives laying down in detail the grievance redressal procedure. If the complainant is not satisfied with the decision of the INSA, he/she may approach a court of competent jurisdiction.[21]

Grace Period for Transition

Entities or individuals who were already in possession of the restricted or prohibited products prior to the enactment of the Proclamation are given a one-year grace period to obtain a security clearance permit.[22] Failure to observe this may lead to penalties or forfeiture of the products in question.

Conclusion

The Proclamation establishes a regulatory framework for controlling the importation, exportation, and usage of IT products in Ethiopia, especially those that pose potential risks to national security. The categorization of prohibited and restricted products, the introduction of security clearance permits, and the outline of penalties for violations are worth observing. Individuals, businesses, and other stakeholders shall take due note and remain vigilant for future directives and updates issued by the INSA with regard to the implementation of the Proclamation.

[1] Information Technology Products Security Clearance and Control Proclamation, 2023, Proclamation No. 1310/2023, Federal Negarit Gazette, Year 30, No 18, preamble, para. 2

[2] Id., para.1

[3] Id., Art. 2(1)

[4] Id., Art. 2(4)

[5] Id., Art. 2(5)

[6] Id., Art. 4

[7] Id., Art. 5(2)

[8] Id., Art. 6(3)

[9] Id., Art. 6(2)

[10] Id., Art. 7

[11] Id., Art. 8 and Art. 9

[12] Id., Art. 9

[13] Id., Art. 14(1),(6) and (7)