Section 13 of the Access to Information Act mandates information holders to maintain information for a period of seven years from the date on which the information is generated by the institution or on which the information comes under its custody or control. If that information is exempted from disclosure, it may be kept for a longer period. Section 2 establishes that information holder means a public body and a relevant private body, and according to Section 3, this Act shall apply to information in custody or under the control of any information holder listed in the Schedule. Among the information holders to which the Act applies are the institutions and organisations, whether established by or under an Act of Parliament or otherwise, in which the Government hold shares or exercises financial or administrative control and persons in the service of those institutions and organisations, and organisations contracted by Government to do work for the Government and persons in the service of those organisations.
Furthermore, Section 17 of the Electronic Transactions and Cybersecurity Act establishes that where any written law requires that a document, record or information shall be retained, that requirement shall be satisfied if the document, record or information is held in electronic form. Such document, record or information shall be kept in electronic form for at least seven years.

Section 30 of the Data Protection Act stipulates that data controllers are obliged to undertake a data protection impact assessment (DPIA) where the envisaged processing is likely to give rise to significant risks to the rights of data subjects. The Act delineates categories of high-risk processing, including the use of automated processing systems, profiling, the large-scale processing of sensitive data or data relating to criminal convictions, and the large-scale monitoring of publicly accessible areas. The resulting DPIA report must be submitted to the Malawi Communications Regulatory Authority (MACRA) prior to the commencement of processing. Also, data controllers are required to review and, where necessary, update the DPIA when the nature or level of risk has changed.
In addition, Section 33 provides that, where a data controller or processor constitutes a public authority other than a court, or its core activities involve either large-scale monitoring or the large-scale processing of sensitive data, the Act requires the appointment of a data protection officer to discharge the responsibilities prescribed therein.

The Electronic Transactions and Cybersecurity Act of 2016 establishes a safe harbour regime for intermediaries for copyright infringements. Sections 25 to 30 of the Act protect an Intermediary service provider from liability to civil or criminal proceedings for any electronic information under its service provided that it neither initiated transmission of the message nor modified it and that it was not aware of the unlawful character of the stored information. Additionally, protection is provided if the intermediary service provider expeditiously removed or disabled access to the information when served with a takedown notice issued under the Act.

The Electronic Transactions and Cybersecurity Act of 2016 establishes a safe harbour regime for intermediaries beyond copyright infringements. Sections 25 to 30 of the Act protect an Intermediary service provider from liability to civil or criminal proceedings for any electronic information under its service provided that it neither initiated transmission of the message nor modified it and that it was not aware of the unlawful character of the stored information. Additionally, protection is provided if the intermediary service provider expeditiously removed or disabled access to the information when served with a takedown notice issued under the Act.

According to Sections 92-94 of the Communications Act of 2016, All SIM cards in Malawi need to be registered on a central database, and a customer’s national identity number needs to be verified when purchasing, replacing, or swapping a SIM card.

According to Section 52-53 of the Electronic Transactions and CyberSecurity Act of 2016, cryptography services or products are required to be registered by the Communications Authority. Additionally, the use, importation, and exportation of encryption programs and encryption products are subject to authorisation by the government.

It is reported that there is an obligation for passive infrastructure sharing in Malawi to deliver telecom services to end users. It is practised in both the mobile and fixed sectors based on commercial agreements.

Section 35 of the Communications Act mandates an electronic communications licensee (Network and Application Services) to maintain a shareholding by nationals of at least 20%.

It is reported that the government has a 20% share in Malawi Telecommunications Limited (MTL).

It is reported that Malawi does not require accounting separation for operators with significant market power (SMP) in the telecom market. However, functional separation is legally required.

Malawi has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Malawi Communications Regulatory Authority (MACRA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Section 10 of the Public Procurement and Disposal of Public Assets (Participation by Micro, Small, and Medium Enterprises) Order seeks to promote MSMEs and the marginalised by way of preferences and reservations. The Order sets a minimum threshold of 15% for the procurement of goods and services and 10% for the procurement of works to be granted under a preference scheme to marginalised groups. To ensure compliance with this provision, the law requires procuring and disposing entities to submit annual procurement plans indicating the value and percentage of procurement contracts intended for award to MSMEs and quarterly progress reports.

Malawi is not a party to the World Trade Organization (WTO) Agreement on Government Procurement (GPA), nor does it have observer status.

Section 35 of the Communications Act mandates an electronic communications licensee (Network and Application Services) to maintain a shareholding by nationals of at least 20%.