South Africa has adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

The Consumer Protection Act 68 of 2008 (CPA) provides a comprehensive framework for consumer protection that also applies to online transactions. Section 43 of the Act establishes specific requirements for online retailers and other suppliers of goods and services who conduct transactions with consumers over the Internet or other electronic channels.

According to Art. 5 of the Directive No. 1 of 2020, the National Payment System Act requires card issuers to be domestic clearing system participants domestic merchants use local card acquirers. A clearing system participant is defined as a bank, a mutual bank or a cooperative bank, a designated clearing system participant, or a branch of a foreign institution, as contemplated in the NPS Act, and a member of the payment system management body (Payments Association of South Africa is the payment system management body recognised by the South African Reserve Bank, in terms of the National Payment System Act, to organise, manage and regulate the participation of its members in the payment system). On the other hand, card issuer means a clearing system participant and a member of a card scheme that has entered into a contractual relationship with a cardholder, in terms of which a card is issued to effect a payment, withdraw cash or transfer funds. Lastly, card acquirer is defined as a clearing system participant and a member of a card scheme that enters into a contractual relationship with a merchant and the card issuer, for the purpose of accepting and processing card transactions.

South Africa does not implement any de minimis threshold, which is the minimum value of goods below which customs do not charge duties. However, it is reported that there is an informal threshold of USD 35.

According to Art. 29 of the Electronic Communications and Transaction Act, the Director-General of the department of communications must establish and maintain a register of cryptography and record the following particulars in respect of providers, such as a name and address of the cryptography provider, a description of the type of cryptography service or cryptography product other particulars as may be prescribed to identify and locate the cryptography provider or its products or services adequately. Moreover, according to Section 40 of the ECA, a foreign cryptographer must be registered with the Department of Communications as such prior to rendering cryptography services and supplying cryptography products in (or to persons in) South Africa. This registration obligation applies to foreign cryptography providers rendering their services or selling their products in South Africa.

The South African Bureau of Standards (SABS) implements a program for the issuance of Certificates of Compliance (CoCs) for Electromagnetic Interference/Compatibility (EMI/EMC) of electrical and electronic goods, including an annual non-refundable fee paid by manufacturers for each CoC, fees for registering factories, and fees for model name changes. The program also requires manufacturers to have EMI/EMC testing done at SABS verified third-party labs. If testing is required from an independent lab that is not SABS verified, the manufacturer must request that the lab be verified through SABS at the expense of the lab. Ultimately, the regulation is meant to ensure that all electronic equipment entering South Africa meets the required quality-performance standards. However, it is reported that some industry stakeholders have raised concerns that the five-fold increase in certification costs, the additional administrative burden, and the lack of resources in South Africa to support the procedure might extend time to market for quickly evolving and obsolescing information and communication technology products. South Africa still accepts test results from International Laboratory Accreditation Cooperation-certified labs, but SABS also conducts a comprehensive review of the test results to ensure that the product meets South African EMC standards. The protracted review can take up to 18 months to complete, during which time the product may become obsolete.
Section 3 of the National Regulator for Compulsory Specifications Act, 2008 (Act No. 5 of 2008) establishes the National Regulator for Compulsory Specifications (NRCS) and empowers it to regulate the compulsory specifications of any product or service in South Africa. In addition, Section 35 of the Electronic communications Act 36 of 2005 requires that the telecom authority approves digital products before they are used in the country.

Chapter 3 of the Electronic Communication Act governs digital content providers, services, and applications licensing. Relevant licenses include Electronic Communications Network Service (ECNS) licenses, which allow holders to operate a physical network, Electronic Communications Service (ECS) licenses, which allow for providing services over one's or another's network, and Value-Added Network Services (VANS) licenses, which are required for providing value-added network services, including internet service providers (ISPs), voice-over-internet-protocol (VoIP) providers, and application service providers. The Independent Communications Authority of South Africa (ICASA) is responsible for issuing and regulating ECS and VANS licenses. The regulatory framework for licenses does not establish any restrictions including discrimination against foreign suppliers, but Section 9 provides that holders of individual licenses must have a minimum of 30% of equity held by persons from historically disadvantaged groups.

The Films and Publications Act establishes that commercial online distributors have to register with the Film and Publications Board (FPB) as distributors. Commercial online distributor is defined as a "distributor in relation to films, games and publications which are distributed for commercial purposes using the internet". The Act penalizes failing to register with the FPB as a distributor with a fine of 150,000 rands (USD 9,300).
On 1 March 2022, a 2019 amendment came into force, which extended the mandate of the FPB to include online games, films, and publications. However, even before this amendment, all distributors, including commercial online distributors although not expressly mentioned in the Act, had to register with the FPB.
On the other hand, in November 2020, the FPB finalized revisions to the tariff structure that would require online streaming services to pay a licensing fee per film and per series season that they offer. The previous structure involved payment of a flat fee. It is reported that after some initial resistance, all major content distributors, including Google, Apple, Netflix, and the South African company MultiChoice, registered with the FPB and paid license fees.

According to Section 40 of the Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002, the buyers of SIM cards must provide valid identification (such as a passport or National ID card) and proof of residence for the SIM purchased in South Africa. The Act was amended in 2008 to include a requirement to register SIM cards in a central database.

South Africa has a safe harbour regime in place for intermediaries for copyright infringements. Chapter XI of the Electronic Communications and Transaction Act (25 of 2002) details the limitation of liability for intermediaries. Specifically, Sections 74-76 of Chapter XI provide a safe harbor for intermediaries, such as internet service providers (ISPs), while Section 77 provides information about take-down.

South Africa has a safe harbour regime in place beyond intermediaries for copyright infringements. Chapter XI of the Electronic Communications and Transaction Act (25 of 2002) details the limitation of liability for intermediaries. Specifically, Sections 74-76 of Chapter XI provide a safe harbor for intermediaries, such as internet service providers (ISPs), while Section 77 provides information about take-down.

The Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPIA) was promulgated into law in November 2013, following the President's signature. With the exception of Section 58, of POPIA became fully enforceable in July 2021. Section 58 became enforceable only in February 2022. POPIA is wide in its application and impacts all persons processing personal information within the country.

According to Section 24 of Companies Act, 2008, there is a general rule for company records outlining that any documents, accounts, books, writing, records or other information that a company is required to keep in terms of the Act and other public regulation must be kept for 7 years or longer as specified in other public regulations.

Section 17 of the Protection of Personal Information Act (POPIA) requires companies to designate an information officer and, if necessary, deputy information officers to ensure compliance with the provisions of POPIA. The role of information officer is covered by default by the head of a company.

South Africa has not joined any free trade agreement committing to open transfers of cross-border data flows.