Data protection and cybersecurity: a framework lagging behind

West Africa is digitising faster than it is protecting itself. In just a few years, several of its states have lifted their cybersecurity scores to among the best on the continent: Benin reaches 91.5/100 on the International Telecommunication Union's (ITU) 2024 Global Cybersecurity Index, up from 80.1 in 2020, and Ghana peaks at 99.3/100, one of the rare African countries ranked at Tier 1 ("role-modelling"). But this progress measures commitments and legal texts, not the real strength of defences. Behind the strong scores, an unfinished legal framework, under-resourced oversight authorities and fragmented regional cooperation leave the door open to cybercrime that, for its part, knows no borders. The question is no longer whether to adopt laws, but how to bring them to life.
A two-speed region
The ITU's 2024 Global Cybersecurity Index (GCI) reveals a fractured West Africa. At the top, Ghana (99.3/100), Benin (91.5) and Togo (90.1) rank among the highest-rated countries on the continent. In the middle, Nigeria (82.4), Côte d'Ivoire (78.9) and Burkina Faso (70.4) show solid commitments. At the other end, Niger (41.9) and above all Mali (29.5) remain behind, with a still-embryonic cybersecurity framework. Between the region's first and last, the gap exceeds 69 points out of 100: two digital realities coexist within a single economic and customs area.
A decade of catching up, but a still-low threshold
The momentum is real and rapid. Across the continent, the average cybersecurity score rose from 21 in 2017 to 57 in 2024, almost a tripling in seven years. Benin gained more than 11 points since 2020, Senegal nearly doubled its score (from 35.9 to 67.3) and Mali, starting from a very low base (10.1 in 2020), tripled its own to reach 29.5. This acceleration reflects an institution-building effort: national strategies, dedicated agencies, laws adopted. But the end point remains modest. The African average of 57 stays about 9 points below the global average of roughly 66, and progress often starts from a level so low that it is not yet enough to guarantee effective protection.
This acceleration must be read for what it is: a catching-up of architecture, not a rise in resilience. Adopting a national strategy, creating an agency, passing a law, these are acts that can be decreed within a few months and that make the GCI score jump, because the index rewards the existence of these institutional building blocks. Building a seasoned incident-response team, training magistrates in digital evidence, equipping a protection authority so it can genuinely investigate complaints, all of this is counted in years and appears only imperfectly in the figure. The risk, for decision-makers, is to read in the rising curve a signal of security when it mainly measures the speed at which the foundations were laid. The real test will come later, when these institutions face a large-scale attack: that is where, and not in the ranking, the robustness of the system will be revealed.
What the GCI score really measures
To understand the index is to understand its limit. The GCI does not assess the actual security level of a country's information systems: it measures the commitment of states across five pillars, namely the legal framework, technical measures, organisational structures, capacity development and cooperation. A country can therefore post an excellent score because it has passed laws, created an agency and signed agreements, without its administrations or its firms being effectively protected against an attack. It is an index of intent and architecture, valuable for comparing trajectories, but it says nothing about the operational capacity to detect, contain and prosecute an intrusion.
A high cybersecurity score measures what a state has decided, not what it can defend. Between the law passed and the attack thwarted lies the entire space of implementation.
The gap between the law and the authority
It is at the continental scale that the gap between the text and its enforcement becomes most visible. By the end of 2024, 39 of Africa's 55 countries had a personal data protection law, a considerable advance. But only 34 had set up an operational data protection authority (DPA). The difference, at least five countries, is not trivial: a law without an authority to enforce it, interpret it and sanction its breaches remains largely a dead letter. And the count of existing authorities says nothing about their resources: many African DPAs operate with budgets and staffing wholly out of proportion with the volume of data they are supposed to supervise.
Here Benin stands out as a regional model. Its framework rests on the Digital Code (law 2017-20) and on a dedicated authority, the APDP, which exercises effective oversight of data processing. It is this combination, a robust law and an active authority, that partly explains its high GCI score. But the Beninese example is also revealing: it shows that the top of the regional ranking is measured by the existence of operational governance, not merely of a text in the Official Journal.
What a truly resourced authority produces was demonstrated by the regional giant itself. In 2024, the Nigeria Data Protection Commission imposed on a major Nigerian bank a fine of more than 500 million naira for failing to meet its data protection obligations. The event matters less for its amount than for what it signals: an authority that investigates, qualifies a breach and sanctions a powerful actor tips the law from the declaratory register into the enforceable one. As long as no sanction is handed down, a protection law remains a display; the day an authority sanctions, it becomes a legal risk that data controllers factor into their decisions. It is this shift, and not the passing of the law, that truly changes behaviour. Yet it requires investigative resources and an independence that most DPAs in the region still lack.
Malabo: a regional response struggling to take hold
Cybercrime ignores borders; the legal response, for its part, remains largely locked within them. The African Union Convention on Cyber Security and Personal Data Protection, known as the Malabo Convention, adopted in 2014, was meant to provide the common foundation for continental cooperation. It took nearly a decade to gather the ratifications needed for it to enter into force, which happened on 8 June 2023. As of 8 July 2024, only 16 states out of 55 had ratified it. In other words, fewer than a third of African countries are formally bound by the framework meant to organise mutual assistance against attacks that, for their part, move freely from one country to another.
This fragmentation carries a direct operational cost. Without a common ratified framework, the exchange of digital evidence, judicial mutual assistance and the prosecution of offenders operating from a third country become slow and uncertain. A fraud network hosted in a state not bound by Malabo can target the citizens of a neighbouring country in near-total impunity. The cybersecurity of a high-performing country is thus capped by the weakness of its neighbours, which makes regional cooperation not an add-on but a condition of effectiveness.
The customs analogy illuminates the stakes. ECOWAS took decades to build a space of free movement of goods and people, with its common rules and its mutual-assistance mechanisms; the movement of data and of the criminal flows that accompany them, for its part, happened in a few years, without the corresponding framework. The result is a dangerous asymmetry: fraudsters already operate at regional scale, while investigators remain confined within national procedures and mutual-assistance delays that are counted in months. Every border not covered by a common framework becomes a gateway of impunity, and a single weak link in the regional chain is enough for the whole system to lose credibility. Closing this gap is not a matter of sovereignty to defend, but of sovereignty to pool.
The cost of inaction is already measurable
Inaction is not neutral: it comes at a price. In its 2025 assessment of the cyberthreat in Africa, INTERPOL estimates the cost of cybercrime for the continent at around 3 billion dollars a year, with other sources putting forward wider ranges of 4 to 10 billion. Beyond the amount, the structure of the phenomenon is worrying: in West and East Africa, cyber offences account for up to 30% of reported crimes, and about two-thirds of the continent's countries report a medium-to-high share of cybercrime in their total crime. Digital is no longer an emerging risk: it has become a heavy component of insecurity as a whole.
The dynamic is explosive. According to Kaspersky data cited by INTERPOL, reports of suspected online scams surged, in some African countries, by up to 3,000% in a single year. Phishing, investment fraud, identity theft: these attacks primarily target recently connected populations who have little awareness of the risks and are weakly protected by a still-young framework. Facing this wave, 75% of the African countries surveyed themselves judge their legal framework and their prosecution capacity insufficient. The admission comes from the states themselves: the law and the justice system are running behind the threat.
Three-quarters of African countries acknowledge that their legal framework and their capacity to prosecute cybercrime must be strengthened. The lag is not an outside hypothesis: it is a finding that states make about themselves.
Mobile money, or cyber-risk at the scale of billions of transactions
Nowhere is the mismatch between usage and protection more spectacular than in mobile money. Sub-Saharan Africa has become the global heart of mobile money: according to the GSMA, in 2024 the region accounted for around 1.1 billion registered accounts and processed nearly 1,100 billion dollars in transactions, that is about 65% of global value and close to three-quarters of the global volume of operations. West Africa is one of its engines. This financial success, rightly hailed as a lever of inclusion, is also a gigantic exposure surface: every day, hundreds of millions of users handle a payment instrument tied to their identity, their number and their financial history, often without the slightest culture of digital security.
The gap then becomes dizzying. On one side, financial flows counted in hundreds of billions of dollars and weighing heavily in the regional GDP; on the other, a data protection framework and a criminal prosecution capacity that, by the states' own admission, are not up to the task. It is precisely in this gap that SMS phishing, fake agents, account takeovers and investment fraud thrive. Mobile money illustrates the central thesis of this article at a massive scale: what West Africa lacks is not technological adoption but the governance that should frame it. The more the transaction volume grows, the more the protection lag translates into real losses for the most modest households, who are also the most exposed new entrants.
The exposure surface widens faster than the defence
The West African paradox comes down to a single sentence: the region is connecting en masse at the very moment its protection framework remains unfinished. In Benin, the internet penetration rate reached 32.4% of the population in 2023, against only 11.3% in 2015, nearly a tripling in eight years. Every new internet user, every new online service, every digitised administrative database widens the exposure surface to cyber-risks. Yet experience shows that the maturity of defences progresses more slowly than the adoption of uses: risk rises first, protection catches up later. It is precisely in this interval that the most profitable attacks concentrate.
This surface is not limited to individuals: it now encompasses public registers themselves. In Nigeria, several investigations in 2024 documented the online sale of personal data drawn from official agencies, sometimes for just a few dozen naira, with resale sites recording hundreds of thousands of monthly visits. When identity, tax or electoral registers leak, it is not the privacy of one individual that is at stake, but trust in the entire digital state, and the raw material for cascading fraud. These incidents recall an obvious point too often forgotten in national strategies: public databases are critical infrastructure, on the same footing as a power grid, and their compromise has systemic effects.
What aggregate scores hide
Like any composite indicator, the GCI has a blind spot. A high score adds up commitments across five pillars, but it can mask major imbalances: a country strong on legal framework and weak on operational capacity will post the same overall grade as a country with the opposite balance. Two states with an identical score can therefore present radically different vulnerabilities. Likewise, the African average of 57 conceals a continent split in two, where a few champions pull the average up while a majority of countries remain below the resilience threshold. Relying on the overall figure is to risk believing a system protected when it is only partly so.
- The text is not the authority. A data protection law protects nothing as long as no properly resourced authority is there to enforce it: 39 African countries have a law, but only 34 an operational DPA.
- Commitment is not capacity. The GCI grades what states have decided to put in place, not their real ability to detect and contain an attack in real time.
- The average is not the reality. The continental 57/100 masks a gap of more than 69 points between Ghana and Mali within a single region.
- Adoption is not protection. The region concentrates nearly three-quarters of the global volume of mobile money, but its cybersecurity framework remains, by the states' own admission, behind.
Survey data, critical infrastructure to protect
As connectivity advances, data ceases to be a by-product of public action and becomes critical infrastructure in itself. Polls, household surveys, sectoral databases and administrative registers now concentrate sensitive personal information on a large scale: identities, incomes, health, location. Their collection, often digital and geolocated, and their hosting place a new responsibility on data producers. A poorly secured field survey is no longer merely a methodological risk: it is a potential breach in the privacy of thousands of households, and a failure to meet legal obligations that are now enforceable.
This is at the heart of CRAD's work, and the angle from which the firm approaches the question. The production of survey data now requires native compliance, built in from the design of the arrangement: gathering informed consent, minimising the data collected, securing storage and transfers, and, in Benin, declaring processing operations to the APDP. This is not an administrative constraint added after the fact, but a quality requirement on the same footing as the representativeness of the sample. Data collected outside the legal framework is weakened data, whatever its statistical rigour.
In practice, this compliance translates into concrete choices at every link in the chain. In the field, mobile collection encrypts data from the moment it is entered on the interviewer's tablet, before any transmission. Consent is gathered and timestamped, and the respondent knows what their answers will be used for. Pseudonymisation separates direct identities from analysis variables, so that a lost or stolen database does not immediately reveal who answered what. Hosting favours servers whose location and legal regime are under control, and access is logged and restricted to the strict minimum. None of these gestures is spectacular; their absence, however, turns a simple survey into a data protection incident. The difference between a compliant arrangement and an exposed one lies not in the available technology, but in the discipline of implementation, exactly the same gap that separates, at the state scale, the law passed from real protection.
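The consent check, minimisation and pseudonymisation steps described above can be sketched as follows. This is an added illustration, not code from CRAD or from any survey tool; the field names, the sample records and the key handling are assumptions, and encryption on the tablet is not shown.

```python
import hashlib
import hmac
import secrets
from datetime import datetime

# Assumed field names for this illustration; not taken from any real survey tool.
DIRECT_IDENTIFIERS = ("name", "phone")
ANALYSIS_FIELDS = ("district", "household_size", "income_band")


def pseudonym(key: bytes, phone: str) -> str:
    """Keyed pseudonym (HMAC-SHA256). Phone numbers form a small space, so a
    plain hash could be reversed by enumeration; the secret key prevents that."""
    normalised = "".join(ch for ch in phone if ch.isdigit())
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()[:32]


def has_timestamped_consent(record: dict) -> bool:
    """Consent must be explicit and carry a parseable ISO 8601 timestamp."""
    if record.get("consent") is not True:
        return False
    try:
        datetime.fromisoformat(record.get("consent_at", ""))
    except (TypeError, ValueError):
        return False
    return True


def split_records(records: list, key: bytes):
    """Return (identity_table, analysis_table, rejected_count).
    identity_table belongs in restricted storage; analysts only receive
    analysis_table. Fields outside ANALYSIS_FIELDS are dropped (minimisation)."""
    identity_table, analysis_table, rejected = {}, [], 0
    for record in records:
        if not has_timestamped_consent(record):
            rejected += 1  # no usable consent: keep nothing from this record
            continue
        pid = pseudonym(key, record["phone"])
        identity_table[pid] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        identity_table[pid]["consent_at"] = record["consent_at"]
        row = {"pid": pid}
        row.update({f: record[f] for f in ANALYSIS_FIELDS if f in record})
        analysis_table.append(row)
    return identity_table, analysis_table, rejected


# Constructed sample input: fictional respondents and phone numbers.
SAMPLE = [
    {"name": "Respondent A", "phone": "+000 00 00 00 01", "district": "D1",
     "household_size": 5, "income_band": "low", "gps": "0.00,0.00",
     "consent": True, "consent_at": "2024-11-03T09:15:00+01:00"},
    {"name": "Respondent B", "phone": "+000 00 00 00 02", "district": "D2",
     "household_size": 3, "income_band": "mid",
     "consent": True, "consent_at": ""},  # consent without a timestamp
    {"name": "Respondent C", "phone": "+000 00 00 00 03", "district": "D1",
     "household_size": 7, "income_band": "low",
     "consent": False, "consent_at": "2024-11-03T10:02:00+01:00"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: stored apart from both tables
    ids, rows, rejected = split_records(SAMPLE, key)
    print(f"{len(rows)} analysis row(s), {rejected} rejected: {rows}")
```

A stolen copy of the analysis table alone then contains neither names nor phone numbers, and the pseudonyms cannot be mapped back without the key or the separately held identity table.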
The stakes go beyond the compliance of each study. Donors and states deploy monitoring and evaluation systems that churn through growing volumes of personal data, often without those systems being explicitly anchored to national protection frameworks. CRAD can help close this gap, by designing collection, processing and reporting chains that are compliant by construction, and by equipping commissioning parties to move from the law adopted to effective governance. It is precisely in this interval, between the text and its enforcement, that the credibility of any data-driven policy is decided.
This requirement also has an equity dimension that is rarely highlighted. The most surveyed populations, vulnerable households, beneficiaries of social programmes, women and rural youth targeted by development projects, are also those who least grasp the stakes of protecting their data and who would suffer most severely from a leak. Protecting survey data is therefore not only about complying with a legal obligation: it is about honouring a covenant of trust with the people who, by responding, make measurement possible. A development policy that neglects this covenant saws off the branch on which it sits, because the quality of future data depends on the trust granted today. Compliance is not the enemy of measurement: it is the condition of its durability.
Ultimately, West Africa's lag in data protection and cybersecurity is not a problem of texts: the laws exist, the scores are rising, the strategies are multiplying. It is a problem of implementation, resources and cooperation. The countries that will truly protect their citizens and their data will not be those that legislated fastest, but those that resourced their authorities, kept their commitments over time and agreed to cooperate across borders. Closing the gap means ceasing to confuse the law with the protection it promises.
Key takeaways
- Scores are rising fast: Benin moves from 80.1 to 91.5/100 on the ITU GCI between 2020 and 2024, and the African average from 21 (2017) to 57 (2024), but remains 9 points below the global average.
- The region is two-speed: from Ghana (99.3) to Mali (29.5), the gap exceeds 69 points out of 100 within a single economic area.
- The GCI score measures states' commitment across five pillars, not the real security of systems: it grades what is decided, not what is defended.
- The gap between text and enforcement is structural: 39 African countries have a data protection law, but only 34 an operational authority, and only 16 have ratified the Malabo Convention.
- Exposure is exploding: the region concentrates nearly three-quarters of the global volume of mobile money (around 1,100 billion USD in 2024), and the cost of cybercrime already reaches about 3 billion USD a year for Africa according to INTERPOL.
Recommendations for West African decision-makers
- Equip data protection authorities (DPAs) with budgets, staffing and sanctioning powers commensurate with the volumes they supervise, to turn adopted laws into effective protection rather than dormant texts.
- Ratify and transpose the Malabo Convention, in order to build a common foundation for judicial mutual assistance and the exchange of digital evidence, the only credible response to a crime that ignores borders.
- Invest in operational capacity, and not only in the legal framework: resourced incident-response teams (CSIRT/CERT), continuous training and regular exercises, to close the gap between the commitment score and real resilience.
- Secure as a priority mobile money and public registers, which have become critical infrastructure: regular audits, incident-notification obligations and operator accountability toward hundreds of millions of exposed users.
- Require native compliance (consent, minimisation, security, declaration to the authority) for all public and donor-funded arrangements that collect personal data, notably monitoring and evaluation systems.
- Put in place disaggregated outcome indicators (incidents detected, response times, complaints handled by the DPA) to steer cybersecurity by evidence, and not by the composite score alone, which masks internal imbalances.
Sources
- ITU, Global Cybersecurity Index 2024 (official report)
- World Bank Data360, ITU Global Cybersecurity Index, Overall Score (country data)
- World Bank, Individuals using the Internet (% of population), IT.NET.USER.ZS
- African Union, Convention on Cyber Security and Personal Data Protection (Malabo) and status
- INTERPOL, Africa Cyberthreat Assessment Report 2025 (PDF)
- INTERPOL, press release New report warns of sharp rise in cybercrime in Africa (2025)
- GSMA, State of the Industry Report on Mobile Money 2025 (2024 data)
- Africa Privacy Roundup 2024, review of data protection in Africa
- Data Protection Africa (ALT Advisory), tracking of laws and authorities by country
- Paradigm Initiative, Nigerian public agency data breach (2024)
- APDP Benin, legal framework (Digital Code, law 2017-20) via NADPA-RAPDP
- Ghana Ministry of Communications, Ghana ranked Tier 1 in ITU GCI





