According to the Bangui Agreement, ratified by 17 French-speaking States, including Mali, applicants resident outside the territory of the Member States must file through an agent selected in one of those Member States (Section III, Art. 8). The professional status of agent accredited to the African Intellectual Property Organization (OAPI) is governed by the Regulations on the profession of Authorised Agent before the OAPI.

Mali is a party to the Patent Cooperation Treaty (PCT).

Malawi has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

According to Section 52-53 of the Electronic Transactions and CyberSecurity Act of 2016, cryptography services or products are required to be registered by the Communications Authority. Additionally, the use, importation, and exportation of encryption programs and encryption products are subject to authorisation by the government.

Section 96 of the Communications Act requires a licensee to use approved types of equipment for connection to an electronic network. The Communications Authority may, at the request of any licensee, manufacturer or supplier of equipment, conduct type approval tests and issue type approval certificates with respect to electronic communications equipment intended for use in Malawi. The Communication (Type Approval) Regulations, which provides for a list of approved, prohibited and exempted electronic equipment, is, however, in draft form, presently at the consultation stage.

Sections 52 and 53 of the Electronic Transactions and Cybersecurity Act of 2016 require cryptography services or products to be registered with the Communications Authority. Furthermore, the use, importation, and exportation of encryption programs and products are subject to government authorisation. Section 67 of the Act mandates that encryption service providers disclose the technical characteristics of their encryption methods and the source code of the software used to the Authority. Non-compliance with these regulations constitutes a criminal offence, punishable by imprisonment and a fine.

According to Section 18 of Payment Systems (E-money) Regulations, the Reserve Bank shall prescribe limits on transaction values and balance limits on e-money accounts for individual subscribers and agents. E-money accounts for corporate bodies shall be exempted from transaction and balance limits. In addition, for purposes of the Regulation, 'transaction limits' are established as the limits for the total value of transactions originating from a mobile money account and involving a transfer of e-value out of that account. According to the second annexe of the regulations, the maximum transaction limits are:
- K750,000.00 (approx. USD 737) per day for personal subscriber accounts;
- K20,000,000.00 (approx. USD 19,700) per day for agents; or
- K100,000,000.00 (approx. USD 98,300) per day for merchants.
In addition, the account balance limits are:
- K1,000,000.00 (approx. USD 980) on personal subscriber accounts;
- K25,000,000.00 (approx. USD 24,600) on agent accounts; or
- K100,000,000.00 (approx. USD 98,300) for merchants.

It is reported that the de minimis threshold, that is the minimum value of goods below which customs do not charge duties, is USD 60, below the 200 USD threshold recommended by the International Chamber of Commerce (ICC).

The law in Malawi provides for local presence requirements for payment systems operators. Section 14 of the Payment Systems Act requires all systems operators (i.e. non-bank financial institutions, mobile payment system operators, remittance service providers, card issuers, or other persons as licensed or authorised by the Reserve Bank) to have a registered office in the country.

The Electronic Transactions and Cybersecurity Act of 2016 provides a comprehensive consumer protection framework that applies to online transactions. Consumer protection for online purchases is provided in Part V of the Act of 2016. Among others, the Act binds the supplier to deliver the goods or to provide the services immediately upon conclusion of the contract; mandates the supplier to make available security procedures and privacy policy in respect of payment, payment information, and personal information of the consumer; and gives rights to the consumer to withdrawal from a contract concluded by electronic means without giving reasons and without penalties.

Malawi has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Malawi has adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

The Data Protection Act establishes a comprehensive regime for data protection in Malawi. It repeals the data protection provisions contained in the Electronic Transactions and Cyber Security Act, 2016, and designates the Malawi Communications Regulatory Authority (MACRA) as the national data protection authority. The Act applies to the processing of personal data within Malawi, including by entities outside the country that offer goods or services to, or monitor the behaviour of, individuals in Malawi. It excludes processing undertaken solely for personal or household purposes, as well as the mere transmission of data through Malawi. The Act imposes obligations on data controllers and processors, including mandatory registration for those of significant importance. These entities are required to comply with the Act within six months of its commencement, while others are granted a 24-month grace period. MACRA is empowered to investigate potential or actual violations of the Act.

Section 13 of the Access to Information Act mandates information holders to maintain information for a period of seven years from the date on which the information is generated by the institution or on which the information comes under its custody or control. If that information is exempted from disclosure, it may be kept for a longer period. Section 2 establishes that information holder means a public body and a relevant private body, and according to Section 3, this Act shall apply to information in custody or under the control of any information holder listed in the Schedule. Among the information holders to which the Act applies are the institutions and organisations, whether established by or under an Act of Parliament or otherwise, in which the Government hold shares or exercises financial or administrative control and persons in the service of those institutions and organisations, and organisations contracted by Government to do work for the Government and persons in the service of those organisations.
Furthermore, Section 17 of the Electronic Transactions and Cybersecurity Act establishes that where any written law requires that a document, record or information shall be retained, that requirement shall be satisfied if the document, record or information is held in electronic form. Such document, record or information shall be kept in electronic form for at least seven years.

Section 30 of the Data Protection Act stipulates that data controllers are obliged to undertake a data protection impact assessment (DPIA) where the envisaged processing is likely to give rise to significant risks to the rights of data subjects. The Act delineates categories of high-risk processing, including the use of automated processing systems, profiling, the large-scale processing of sensitive data or data relating to criminal convictions, and the large-scale monitoring of publicly accessible areas. The resulting DPIA report must be submitted to the Malawi Communications Regulatory Authority (MACRA) prior to the commencement of processing. Also, data controllers are required to review and, where necessary, update the DPIA when the nature or level of risk has changed.
In addition, Section 33 provides that, where a data controller or processor constitutes a public authority other than a court, or its core activities involve either large-scale monitoring or the large-scale processing of sensitive data, the Act requires the appointment of a data protection officer to discharge the responsibilities prescribed therein.