In August 2020, the Independent Broadcasting Authority (IBA) stated that online broadcasters would have to apply for licenses from the authority and be subject to its regulations. The statement followed an investigation into whether Prime TV could operate exclusively online. Legal experts criticised the IBA's assertion that Zambian law (through the Zambia Information and Communications Technology Association Act) designates the Zambia Information and Communications Technology Authority (ZICTA) as the sole regulator with authority over the Internet. The IBA once again urged online broadcasters to register with it in March 2021. However, reportedly, no broadcasters have registered because there is still no framework for applying for licences.

Section 66 of the Information and Communication Technologies Act prohibits the use, supply, sale, offer for sale, lease or hire of any electronic communications equipment or electronic communications apparatus, including radiocommunications equipment, used or to be used in connection with the provision of electronic communications unless subjected to approval test to ascertain conformance with the technical standards formulated by the Authority.
It is reported that test certificates from foreign laboratories are accepted if the laboratories are accredited.

Section 34 of Act No. 4 of 2021 requires a person who intends to provide cryptography services to apply for registration to the National Root Certification Authority and to pay the prescribed fee. It is reported that the registration requirements might make it easy for the regulator and other government agencies to access information held by encryption service providers, including decryption keys and encrypted data. Under Section 34, a person who provides a cryptography service without registration is liable for a fine of ZMW 150,000 (approx. USD 8,300) or imprisonment of up to five years. Moreover, per Section 83, the Minister may, by statutory instrument, prescribe procedures for service providers to inform the competent public authorities of alleged illegal activities or information provided by recipients of their service and communicate to the competent authorities, at their request, information enabling the identification of recipients of their service. Section 85 permits the use of encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used, in the manner provided for under the law. Further, section 86 of the Act provides that the Act should not be construed as requiring the use of any form of encryption that “limits or affects the ability of the person to use encryption without a key escrow function, or limits or affects the ability of the person who uses encryption with a key escrow function not to use a key holder.” Section 89 punishes the use of encryption to obstruct or impede a law enforcement officer or interfere with their performance of any functions under the Act, with a fine of up to ZMW 60,000 (approx. USD 2,700), imprisonment for a term not exceeding two years, or both.
Act No. 4 of 2021 repealed and replaced Act No. 21 of 2009. Sections 22 and 23 of Act No. 21 established a register of all cryptography providers. A person could only provide cryptographic services or products if they were registered with the Communications Authority. Section 89 of Act No. 21 made it an offence to use encryption to hinder or obstruct a law enforcement officer or to interfere with the performance of a law enforcement officer of any function under the Act.

The Data Protection Act permits the interception of communication in order to prevent bodily harm, loss of life, or damage to property, detection of a crime, or for the purposes of determining location in cases of emergency. Additionally, public authorities can access personal data held by private organisations where the interests of national security, defence, and public order are concerned (Section 53). The legal bases are not exhaustive. However, it is reported that it does not entail that those public authorities have discretion, as any access to such information must be authorised by a particular piece of legislation.

Section 38 of the Cyber Security and Cyber Crimes Act requires electronic communication service providers to use electronic communication systems that are technically capable of supporting lawful interceptions, install hardware and software facilities and devices that enable interception, provide services capable of rendering real-time and full-time monitoring facilities for the interception of communications, and provide call-related information in real-time or as soon as possible upon call termination. Further, service providers are required to provide interfaces for the transmission of intercepted communication to the Central Monitoring and Coordination Centre. The penalty for non-compliance is a fine of ZMW 150,000 (approx. USD 7,100), imprisonment for up to five years, or both. It is reported that this high penalty compels service providers to render interception assistance even when they receive dubious oral orders that lack judicial backing or any evidence justifying the interception.

The Electronic Communications and Transactions Act, 2021 establishes a safe harbour regime for intermediaries for copyright infringements. According to Part X of the Act, service providers are not liable for infringing material that is transmitted, routed, or stored on their networks or platforms, provided that they do not modify the data; adhere to conditions for access to the data; do not have actual knowledge of the infringing material; and remove or disable access to the data upon receiving a takedown notice. This safe harbour provision also applies to hyperlink providers and hosting service providers. In addition, the Act establishes a “notice and takedown” procedure but does not impose a general obligation on service providers to monitor unlawful activities on their platforms or hold them liable for the use of location tools.

The Electronic Communications and Transactions Act, 2021 establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Part X of the Act, service providers are not liable for infringing material that is transmitted, routed, or stored on their networks or platforms, provided that they do not modify the data; adhere to conditions for access to the data; do not have actual knowledge of the infringing material; and remove or disable access to the data upon receiving a takedown notice. This safe harbour provision also applies to hyperlink providers and hosting service providers. In addition, the Act establishes a “notice and takedown” procedure but does not impose a general obligation on service providers to monitor unlawful activities on their platforms or hold them liable for the use of location tools.

It is reported that anonymous communication through digital media is compromised by SIM card registration requirements instituted in 2012. The government drew the mandate to introduce SIM Card registration from Section 12 of the ICT (Registration of Electronic Communication Apparatus) Regulations 2011. The registration requires an original and valid identity card, such as a national registration card, to be presented in person to the mobile service provider. While the government indicated that the registration requirements were instituted to combat crime, investigative reports from 2012 found that subscriber details may be passed directly to the Secret Service for the creation of a mobile phone user database.

Service providers and technology companies are required by law to assist the government in the lawful interception of communications. The law gives the government significant powers to compel service providers to monitor communications. According to Section 9 of the Cyber Security and Cyber Crimes Act, a cyber inspector may in the performance of the inspector’s functions, with a warrant—(a) monitor and inspect a computer system or activity on an information system, where such activity or information is not in public domain or is not accessible to the public; (b) enter and inspect the premises of a cyber security service provider if there is reasonable ground to believe that the licensee has contravened the provisions of this Act; and (c) audit critical information infrastructure".

According to Art. 34 of the Electronic Communications and Transactions Act 2021, cryptography service providers must register with the National Root Certification Authority. This requirement has been retained from the Electronic Communications and Transactions Act of 2009. Providing cryptography services without registration is classified as a criminal offence, punishable by imprisonment for up to five years, a fine of up to ZMW 150,000 (approximately USD 7,100), or both.

According to Section 10 of the Cyber Security and Cyber Crimes Act 2021, when a data retention notice is issued requiring an electronic communications service provider to retain internet connection records, the notice will specify the exact data to be retained. The service provider is not obligated to retain data beyond what is detailed in the retention notice.
Section 39 of the Cyber Security and Cyber Crimes Act 2021 mandates that an electronic communications service provider must obtain from subscribers information including the person's full name, residential address, and identity number as stated in their identity document before entering into a service contract.

According to Art. 46 of the Data Protection Act, a Data Protection Impact Assessment (DPIA) by a data controller is required in circumstances where the processing is on a large scale and relates to sensitive personal data or personal data relating to criminal convictions.

Section 22 of the Cyber Security and Cyber Crimes Act requires a controller of a critical information infrastructure to annually appoint an information technology auditor to audit the critical information infrastructure. The Authority is also empowered to order that an audit be conducted at any time.

All internet and mobile service providers in Zambia are privately owned, with the exception of Zambia Telecommunications Company Limited (ZAMTEL), which was nationalised in 2012 under former president Michael Sata. Sata’s predecessor, Rupiah Banda, had previously privatised the company, but the state reversed this sale, restoring ZAMTEL to 100% government ownership. Despite ZAMTEL's smaller share in the mobile market, it has historically held a larger share of fixed-line subscriptions and is the only mobile operator offering landline telephone services. As of May 2018, MTN is the dominant mobile service provider with a 44% market share, followed by Airtel with 39.7% and ZAMTEL with 15.9%.

It is reported that Zambia does not mandate accounting separation for operators with significant market power (SMP) in the telecom market. However, functional separation is an obligation.