It has been reported that import duties are applied inconsistently; for instance, local customs officials have attempted to charge importers duties based on their perception of the value of an import, regardless of the actual purchase price. This may limit the volume of ICT products that can be imported.

In Rwanda, a Simplified Type Approval Regime is issued following a third-party certification from Conformity Assessment Bodies recognised by the Regulatory Authority; as such, there is recognition of test reports and certificates.
Under Art. 17 of Regulation No. 011/R/STD-ICT/RURA/020 of 29/05/2020, Governing Importation, Supply and Type Approval for Electronic Communication Equipment, the Electronic Communications Equipment (ECE) that possesses the appropriate Certificate of Compliance from either a National Regulatory Authority or a Conformity Assessment Body recognised by the Regulatory Authority confirming compliance with the required standards may be eligible for Simplified Type Approval Regime.
Additionally, under Art. 35, any test report from an accredited testing laboratory is only accepted by the regulatory authority if it is in compliance with ISO/IEC 17025 and/or certified by an accreditation body that is a member of ILAC.

According to Art. 53 of Law No. 24/2016 of 18/06/2016 Governing Information Communication and Technologies, the Rwandan government holds the authority to suspend telecommunications services indefinitely—either in general or in relation to specific communications—when deemed necessary to preserve national integrity. In practice, this has translated into reported cases of online blocking targeting independent media platforms and news websites. Among the affected outlets are 15 online radio stations and websites, including The Rwandan, Rugali, and Le Prophète. Since 2019, reciprocal restrictions with Uganda have resulted in the continued blocking of several Ugandan news sources by the Rwanda Utilities Regulatory Authority (RURA), including Daily Monitor, The Observer, and The Independent. While most international news platforms remain accessible, the website of Agence France-Presse exhibited signs of disruption in 2024.

According to Art. 2 of the Regulation Governing Cybersecurity, there is a licensing scheme for all ICT infrastructure and services, which include data, systems, equipment, networks and applications.

The Regulations Governing the Licensing of Multimedia Services impose licensing requirements for online newspapers, internet radio services, internet TV services, video-on-demand (VoD) services, IPTV, mobile TV services, and other related multimedia services.

Art. 15 of "Regulation No. 010/R/CR-CSI/RURA/020 of 29 May 2020 Governing Cybersecurity" stipulates that the networks, systems, and applications of licensed ICT companies must not be managed, hosted, accessed remotely, or located outside the territory of Rwanda, unless explicit authorisation is granted by the Regulatory Authority.

Art. 50 of Law No. 058/2021 stipulates that all personal data must be stored within the territory of Rwanda, unless prior authorisation for its transfer and storage has been granted by the National Cyber Security Authority (NCSA). In addition, Art. 48 provides that a data controller or data processor may disclose or transfer personal data to a third party located outside Rwanda only under the following conditions:
- authorisation has been obtained from the NCSA upon submission of evidence demonstrating the implementation of appropriate safeguards for the protection of personal data;
- the data subject has provided informed consent;
- the transfer is necessary for specific purposes as outlined in the Law.

Art. 111 of "Law No. 007/2021 of 05/02/2021 Governing Companies" mandates that companies maintain specific records at their registered office or at any other location within Rwanda, for a minimum period of ten years from the end of the financial year to which the records pertain. The company is required to retain the following documents: its incorporation instruments; the register of shares and debentures; the index of shareholders; accounting records along with supporting documentation; a register of directors' interests; minutes of all general meetings and shareholders’ resolutions; minutes of all meetings and resolutions of directors and board committees; certificates issued by directors in accordance with this Law; copies of all annual financial statements, auditors’ reports, and directors’ reports; the internal register of beneficial owners; and copies of all written communications distributed to shareholders or to all holders of a particular class of shares, including annual reports.
Law No. 007/2021 repealed the law of the same title enacted in 2018, which contained a comparable provision to the one referenced above, albeit under Art. 114.

Art. 17 of the "Ministerial Instructions No. 001/MINICT/2012 of 12/03/2012 Related to the Procurement of Information and Communications Technology Goods and Services by Rwanda Public Institutions" stipulates that all government information technology systems and applications which process, store, or provide access to critical government data and information must be hosted within the National Data Centre (NDC). In addition, Art. 18 provides that, in instances where government institutions host applications in their own data centres or server rooms, they are required to obtain disaster recovery (backup) services from the NDC.

Rwanda has not joined any free trade agreement committing to open transfers of cross-border data flows.

Law No. 058/2021 provides a comprehensive regime of data protection in Rwanda. The Law introduces principles related to lawfulness, fairness and transparency, purpose limitation and accuracy, and obligations related to data subject rights, registration as a data controller or data processor, pseudonymisation, sensitive data, data transfers, designation of a data protection officer, Data Protection Impact Assessments, and data breach notifications.

Art. 18 of the Regulation Governing Licensing of Multimedia Services Provision requires multimedia services to ensure that the recordings are kept for 90 calendar days in case the Regulatory Authority requests a copy of any recording. Multimedia services are defined as "media services such as data or text, visual image, audio, audio-visual, offered to the end users through an electronic device including but not limited to online newspaper, Internet radio, Internet TV, audio and VoD, IPTV and mobile TV".

Art. 40 of the Law relating to the Protection of Personal Data and Privacy requires companies to appoint a Data Protection Officer (DPO). The data controller and the data processor are required to designate a data protection officer if the processing of personal data is carried out by a public or private corporate body or a legal entity. The core activities of the data controller or the data processor consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale.
Additionally, under Art. 38 (3), the data controller and the data processor are to carry out personal Data Protection Impact Assessments (DPIA) in compliance with the principles of the processing of personal data. The DPIA is to be carried out in cases where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person.

Art. 3 of the Interception of Communications Law provides for unrestricted access to personal data if it is done in the interest of national security. Furthermore, the Interception of Communications Law provides that an interception warrant must be issued by a national prosecutor designated by the Minister of Justice. Under Art. 7, communications service providers are required to ensure that their systems have the technical capability to intercept communications on demand. Security officials also have the power to “intercept communications using equipment that is not facilitated by communication service providers”, which effectively allows the authorities to hack into a telecommunications network without a provider’s knowledge or assistance.

Art. 30 of Regulation No. 18/R/SM-ICT/RURA/2024, concerning access to operators’ databases by the regulatory authority, stipulates that the authority shall be granted access to the SIM card registration database without a court order. Licensees must also permit authorised officers to access their systems, premises, facilities, and all relevant records and data, to facilitate inspections and ensure compliance with the Regulation. Also in this case, the law does not require a court order. This Regulation repeals Regulation No. 004/ICT/RURA/2018, which contained a similar provision under Art. 25.