According to Art. 2 of the Regulation Governing Cybersecurity, the is a licensing scheme for all ICT infrastructure and services, which include data, system, equipment, networks and applications.

According to Art. 53 of Law No 24/2016 of 18/06/2016 Governing Information Communication and Technologies, the government powers over telecommunications networks in the name of preserving “national integrity.” These powers include the ability to “suspend a telecommunications service for an indeterminate period, either generally or for certain communications.”

It is reported that there have been many cases of blocking web content. The website of Soft Power News, a Ugandan digital media company, was reported to be blocked in January 2018 and remained inaccessible until May 2019. In addition, in August 2019, the Rwanda Utilities Regulatory Authority (RURA) blocked several Ugandan news sites, including the state-owned New Vision and the websites of the Daily Monitor, the Observer, Soft Power News, and the Independent, reciprocating the Uganda Communications Commission’s (UCC) blocking of two Rwandan news sites, the New Times and Igihe. Both countries agreed to unblock the websites shortly afterward. In late 2020, numerous independent news outlets and opposition blogs that had been blocked for years reportedly remained inaccessible. Furthermore, in May 2021, the websites of New Vision, the Daily Monitor, ChimpReports, Nile Post, and the Independent were reported to be inaccessible to some users in Rwanda. The incident took place amid rising diplomatic tensions with Uganda. Rwanda Utilities Regulatory Authority (RURA) generally does not provide explanations when local and international news sites are blocked. Website owners have no avenue of appeal when their sites are blocked.

Under Art. 210 of the Law Governing Information Communication and Technologies, every licensed electronic communications service provider must register the full personal details of all subscribers or sim-card holders, who are using their networks or services. The Regulatory Authority determines regulations relating to the registration process and follows up the registration.

Art. 6 of the Regulation No. 004/R/ICT/RURA/2018 Governing SIM Cards Registration in Rwanda establishes that the activation of the licensee’s SIM Card is subject to the registration of personal information of individual subscribers wishing to use that SIM Card. Personal information shall include the following: full name, date of birth, identity card number, registered telephone number, and sex. Article 7 states that a non-citizen shall register his SIM Card by presenting an original travel document recognized in Rwanda. The registration shall be done manually and is subject to the physical presence of the applicant.

Art. 8 of Law No 18/2010 absolves intermediaries and telecommunications network service providers of liability for the contents of documents or electronic messages transmitted through their networks by an individual. This liability applies to the creation, publication, and dissemination of electronic messages on the network, and the use of such electronic messages in contravention of the law.
Furthermore, under Art. 10 of the same law, telecommunications operators and intermediaries are not liable for providing access to information, transmission or its retention, as long as they do not initiate the transmission of the information or select the addressee and cannot modify the electronic communication. Under Art. 11, an intermediary or a certification authority shall not be liable for the automatic, intermediate, and temporary storage of that electronic record, in case the intention of such storage of electronic record is its onward transmission to other recipients who requested for it.
Additionally, under Art. 12, an intermediary that provides a service comprising the storage of electronic messages shall not be liable for damages arising from information stored if it is not aware that the information or the activity relating to the information infringes any person. Under Article 13, an intermediary shall not be liable for damages incurred when it links its services with other different websites containing electronic messages or activities that do not fulfill legal requirements. Arts. 188-192 of the Law Governing Information Communication and Technologies outlines the limits to liability to electronic service and network providers, limits of caching, hosting, and relating to information local tools.

Art. 8 of Law No 18/2010 absolves intermediaries and telecommunications network service providers of liability for the contents of documents or electronic messages transmitted through their networks by an individual. This liability applies to the creation, publication, and dissemination of electronic messages on the network, and the use of such electronic messages in contravention of the law.
Furthermore, under Art. 10 of the same law, telecommunications operators and intermediaries are not liable for providing access to information, transmission or its retention, as long as they do not initiate the transmission of the information or select the addressee and cannot modify the electronic communication. Under Art. 11, an intermediary or a certification authority shall not be liable for the automatic, intermediate, and temporary storage of that electronic record, in case the intention of such storage of electronic record is its onward transmission to other recipients who requested for it.
Additionally, under Art. 12, an intermediary that provides a service comprising the storage of electronic messages shall not be liable for damages arising from information stored if it is not aware that the information or the activity relating to the information infringes any person. Under Article 13, an intermediary shall not be liable for damages incurred when it links its services with other different websites containing electronic messages or activities that do not fulfill legal requirements. Arts. 188-192 of the Law Governing Information Communication and Technologies outlines the limits to liability to electronic service and network providers, limits of caching, hosting, and relating to information local tools.

Art. 3 of the Interception of Communications Law provides for an unrestricted access to personal data if it is done in the interest of national security. Further, the Interception of Communications Law provides that an interception warrant must be issued by a national prosecutor designated by the Minister of Justice. Under Art. 7, communications service providers are required to ensure that their systems have the technical capability to intercept communications on demand. Security officials also have the power to “intercept communications using equipment that is not facilitated by communication service providers,” which effectively allows the authorities to hack into a telecommunications network without a provider’s knowledge or assistance.

In addition, under Regulation No. 004/R/ICT/RURA/2018 issued by Rwanda Utilities Regulatory Authority (RURA), the Authority has unfettered access to SIM card databases managed by operators, while other “authorized” individuals or institutions may also be granted access. It is reported that the ability to communicate anonymously is compromised by mandatory SIM card registration requirements in place since the publication of the Regulations on SIM Card Registration of 2013, replaced by Regulation No. 004/R/ICT/RURA/2018.

Annex 2 (Part 16.5) of the Regulation Governing Licensing in Electronic Communication in outlines that Network and performance related data must be retained by the licensee for a minimum of one year, and all financial records must be retained by the Licensee for a minimum of five years.

Art. 40 of the Law relating to Protection of Personal Data and Privacy requires companies to appoint a Data Protection Officer (DPO). The data controller and the data processor are required to designate a data protection officer if the processing of personal data is carried out by public or private corporate body or a legal entity, and the core activities of the data controller or the data processor consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale.
Additionally, under Art. 38 (3), the data controller and the data processor are to carry out personal Data Protection Impact Assessments (DPIA) in compliance with the principles of the processing of personal data. The DPIA is to be carried out in the case where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person.

Art. 18 of the Regulation Governing Licensing of Multimedia Services Provision requires multimedia services to ensure that the recordings are kept for 90 calendar days in case the Regulatory Authority requests a copy of any recording. Multimedia services are defined as "media services such as data or text, visual image, audio, audio-visual, offered to the end users through an electronic device including but not limited to Online newspaper, Internet radio, Internet TV, Audio and VoD, IPTV and Mobile TV".

Rwanda has not joined any free trade agreement committing to open transfers of cross-border data flows.

Rwanda's data protection is regulated by the Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy.

Art. 48 of the Law relating to Protection of Personal Data and Privacy outlines a set of conditions required to be met by a data controller or data processor in order to transfer personal data outside Rwanda. These include:
- Authorization from the Supervisory Authority;
- Consent by the data subject;
- Performance of a contract;
- Public interest grounds;
- Defense claim;
- Protection of vital interests of data subject;
- Legitimate interests by the data controller;
- Performance on international instruments ratified by Rwanda.
Art. 50 clarifies the first condition stating that all personal data must be stored in Rwanda unless the company has a valid registration certificate authorising it to store personal data outside Rwanda, which is issued by the National Cyber Security Authority.

Art. 15 of the Regulation Governing Cybersecurity states that "All networks, systems and applications of the licensee shall not be managed, hosted, remotely accessed or located outside of the Republic of Rwanda unless explicitly authorized by the Regulatory Authority." This requirement applies to all ICT infrastructure and services, which include "data, system, equipment, networks and applications" (Art. 2).