Rwanda has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Rwanda Utilities Regulatory Authority (RURA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Art. 16 of the "Regulations No. 001/R/TD-ICS/RURA/016 of 06/05/2016 Governing Telecom Network Security in Rwanda" mandates that subscriber information held by a telecommunication service provider or internet service provider—including voice, SMS, and call data records—must be processed, stored, and transmitted securely within the territory of Rwanda. The provision explicitly prohibits the transfer, storage, or processing of such subscriber information outside national borders.

Art. 15 of "Regulation No. 010/R/CR-CSI/RURA/020 of 29 May 2020 Governing Cybersecurity" stipulates that the networks, systems, and applications of licensed ICT companies must not be managed, hosted, accessed remotely, or located outside the territory of Rwanda, unless explicit authorisation is granted by the Regulatory Authority.

Art. 50 of Law No. 058/2021 stipulates that all personal data must be stored within the territory of Rwanda, unless prior authorisation for its transfer and storage has been granted by the National Cyber Security Authority (NCSA). In addition, Art. 48 provides that a data controller or data processor may disclose or transfer personal data to a third party located outside Rwanda only under the following conditions:
- authorisation has been obtained from the NCSA upon submission of evidence demonstrating the implementation of appropriate safeguards for the protection of personal data;
- the data subject has provided informed consent;
- the transfer is necessary for specific purposes as outlined in the Law.

Art. 111 of "Law No. 007/2021 of 05/02/2021 Governing Companies" mandates that companies maintain specific records at their registered office or at any other location within Rwanda, for a minimum period of ten years from the end of the financial year to which the records pertain. The company is required to retain the following documents: its incorporation instruments; the register of shares and debentures; the index of shareholders; accounting records along with supporting documentation; a register of directors' interests; minutes of all general meetings and shareholders’ resolutions; minutes of all meetings and resolutions of directors and board committees; certificates issued by directors in accordance with this Law; copies of all annual financial statements, auditors’ reports, and directors’ reports; the internal register of beneficial owners; and copies of all written communications distributed to shareholders or to all holders of a particular class of shares, including annual reports.
Law No. 007/2021 repealed the law of the same title enacted in 2018, which contained a comparable provision to the one referenced above, albeit under Art. 114.

Art. 17 of the "Ministerial Instructions No. 001/MINICT/2012 of 12/03/2012 Related to the Procurement of Information and Communications Technology Goods and Services by Rwanda Public Institutions" stipulates that all government information technology systems and applications which process, store, or provide access to critical government data and information must be hosted within the National Data Centre (NDC). In addition, Art. 18 provides that, in instances where government institutions host applications in their own data centres or server rooms, they are required to obtain disaster recovery (backup) services from the NDC.

Rwanda has not joined any free trade agreement committing to open transfers of cross-border data flows.

Law No. 058/2021 provides a comprehensive regime of data protection in Rwanda. The Law introduces principles related to lawfulness, fairness and transparency, purpose limitation and accuracy, and obligations related to data subject rights, registration as a data controller or data processor, pseudonymisation, sensitive data, data transfers, designation of a data protection officer, Data Protection Impact Assessments, and data breach notifications.

Art. 18 of the Regulation Governing Licensing of Multimedia Services Provision requires multimedia services to ensure that the recordings are kept for 90 calendar days in case the Regulatory Authority requests a copy of any recording. Multimedia services are defined as "media services such as data or text, visual image, audio, audio-visual, offered to the end users through an electronic device including but not limited to online newspaper, Internet radio, Internet TV, audio and VoD, IPTV and mobile TV".

Art. 40 of the Law relating to the Protection of Personal Data and Privacy requires companies to appoint a Data Protection Officer (DPO). The data controller and the data processor are required to designate a data protection officer if the processing of personal data is carried out by a public or private corporate body or a legal entity. The core activities of the data controller or the data processor consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale.
Additionally, under Art. 38 (3), the data controller and the data processor are to carry out personal Data Protection Impact Assessments (DPIA) in compliance with the principles of the processing of personal data. The DPIA is to be carried out in cases where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person.

Art. 3 of the Interception of Communications Law provides for unrestricted access to personal data if it is done in the interest of national security. Furthermore, the Interception of Communications Law provides that an interception warrant must be issued by a national prosecutor designated by the Minister of Justice. Under Art. 7, communications service providers are required to ensure that their systems have the technical capability to intercept communications on demand. Security officials also have the power to “intercept communications using equipment that is not facilitated by communication service providers”, which effectively allows the authorities to hack into a telecommunications network without a provider’s knowledge or assistance.

Under the Guidelines for Siting and Sharing of Telecommunication Base Station Infrastructure (2011) and Law No. 24/2016 of 18/06/2016 Governing Information and Communication Technologies, Rwanda has established a regulatory obligation for passive infrastructure sharing to support the delivery of telecommunications services to end users.
According to Section 4.2.4, when requested by another licensee, each operator or service provider must disclose complete information on the location and technical specifications of their towers within a maximum of 10 working days. Furthermore, within an additional 10 working days, the operator must grant escorted access to the site upon request by another licensee seeking to assess the feasibility of infrastructure sharing.
Furthermore, pursuant to Art. 71 of Law No. 24/2016 licensed network operators must share the use of their electronic communications infrastructures on agreed upon terms and conditions.

Art. 30 of Regulation No. 18/R/SM-ICT/RURA/2024, concerning access to operators’ databases by the regulatory authority, stipulates that the authority shall be granted access to the SIM card registration database without a court order. Licensees must also permit authorised officers to access their systems, premises, facilities, and all relevant records and data, to facilitate inspections and ensure compliance with the Regulation. Also in this case, the law does not require a court order. This Regulation repeals Regulation No. 004/ICT/RURA/2018, which contained a similar provision under Art. 25.

In 2013, the Rwandan government and Korean Telecom (KT) entered into a 25-year agreement to establish a 4G wholesale network in the country. As part of the partnership, the Rwandan government acquired a 49% stake in KT Rwanda networks Ltd (KTRN), with the remaining 51% owned by Korean Telecom.