According to Art. 11 of the Electronic Signature Proclamation No. 1072/2018, no person can operate as a certificate provider of electronic signatures unless they hold a valid license issued by the Root Certificate Authority (The Information Network Security Agency - INSA). As per Arts 10-12, only a business established in Ethiopia that wants to engage as a certificate provider may lodge an application to INSA.

The Electronic Transaction Proclamation under Art. 41 states that e-commerce operators at all levels are regarded as one form of a commercial entity and hence the laws that regulate other commercial activities apply, including the Commercial Code which requires a licence to operate. Furthermore, according to Art. 82.1 of the Commercial Code No. 1243/ 2021 and Arts. 5.1 & 22 of the Commercial Registration & Licensing Proclamation No. 980/2016, any Ethiopian or foreign person or company carrying out commercial activities within Ethiopia shall be registered and then licensed.

Art. 5 (1/e/) of Investment Regulation No. 474/2020 (which implements the Investment Proclamation No. 1180/2020) reserves some areas of investment including advertisement and promotion for joint investment with domestic investors only. According to Section 3.3 of the regulation, the scope of the law includes advertisements disseminated through the internet website being designed in Ethiopia or abroad. Previously there was a ban on foreign investment in the advertising sector.

The indicator "6.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 1 in Ethiopia. This corresponds to "The government shut down domestic access to the Internet numerous times this year."

It is reported that the Ethiopian government imposed a communications blackout on the Tigray region between November 2020 and July 2021 as Ethiopian and Tigrayan security forces fought. Similarly, government authorities imposed a nationwide internet shutdown for several weeks in July 2020, after mass violence followed the murder of prominent Oromo singer and activist Hachalu Hundessa.

Art. 51 of the Communication Services Proclamation orders telecommunications operators to register all SIM cards and to establish a National Subscriber Registry containing subscriber information as the Authority may request them for different purposes including national security.

The Computer Crime Proclamation No. 958/2016 adopts a safe harbor regime for intermediaries. According to Art. 16, unless an intermediary is directly involved in the dissemination or edition of the content data that is deemed criminal or unless it failed to take the necessary measures to remove or disable access to the content data after knowing the content is illegal, it will not be held liable.

The Ethiopian Electronic Transaction Proclamation defines intermediaries as "a person, who, on behalf of another person, sends, receives or stores such an electronic message or provides other services with respect to that electronic message". Art. 23 of this act states that an intermediary shall not be held liable for the information transmitted on condition that it does not a) monitor the online communication; b) initiate the transmission; c) select the receiver of the transmission; or d) select or modify the information contained in the transmission. Furthermore, Art. 24 states that an intermediary shall not be liable for the automatic, intermediate and temporary storage of that electronic record, in case the intention of such a storage of electronic record is to make the onward transmission of the electronic message more efficient to other recipients who requested for it. Art. 25 provides further protection for intermediaries that provide hosting service by not making them liable for damages arising from information stored if they are not aware of the harm or immediately act after becoming aware of the issue. This law also protects intermediaries like search engines under Art. 26.

Art. 29 (1) of the Electronic Signature Proclamation No. 1072/2018 requires that any certificate provider for electronic signatures shall keep custody of any information related to certificate issuance, suspension, revocation or related services for two years. Any certificate provider who fails to keep custody of the above information shall be punished with a fine up to 150,000.00 ETB (approx. 2900 USD). Art. 25 (3) states that the certificate provider shall retain the copy of subscribers’ encryption key at all times. Art. 18 (2) of the same law states that a certificate provider who wishes to terminate its certification service shall transfer its subscriber certificates and related records to another certificate provider or the authority. A certificate provider is a business entity that issues digital certificates, provide encryption services and time stamp services.

Under Art. 24 of the Computer Crime Proclamation No. 958/2016, all service providers must retain the computer traffic data disseminated through their computer systems or traffic data relating to data processing or communication services for one year. Service provider is defined as a person who provides technical data processing or communication service or alternative infrastructure to users by means of computer system.

Ethiopia has not joined any free trade agreement committing to open transfers of cross-border data flows.

Ethiopia does not have a legal regime for the protection of data other than some scattered provisions regarding the protection of individuals' right to privacy. There are 'right to privacy' provisions contained in the 1995 Constitution and other laws like the 2005 Criminal Code, the Computer Crime Proclamation No. 958/2016 and the Freedom of the Mass Media and Access to Information Proclamation No. 590/2008 that indirectly deal with privacy and protection of personal data. None of these laws define what personal data or sensitive data means and they do not establish a government authority that is charged with protecting personal data or regulating cross-border flow of data. There is, however, a draft legislation waiting approval from the parliament.

It is reported that the Ethiopian Communications Authority (ECA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

According to Art 12.7 of Directive No. ONPS/02/2020, point of sale machine operators are not allowed to send domestic payment information outside Ethiopia for the purpose of authorisation, clearing and settlement. They can only send payment data made through the international card scheme to the financial institution or national switch. Similarly, automated teller machine operators cannot send any transaction outside Ethiopia for the purpose of processing, authorisation and switching (Art. 11.1).

The Ethiopian Communication Authority is mandated to limit the number and pre-conditions of new licenses to be given for investors based on Art. 6.7 and 19.2 of the Communications Service Proclamation No. 1148/2019. In other words, investors can only apply to be given a license when the government announces a call for bids. Based on these provisions, the government has only given out one license to a foreign investor so far. In June 2021, the Ethiopian Communications Authority (ECA) licensed the Global Partnership for Ethiopia (Safaricom) as the country’s second telecommunications provider even though it has not started its operations yet. Hence, the only telecom service provider in Ethiopia now is the government owned Ethio-telecom which has a monopoly of the market. The detailed procedures for getting a license are laid out in the Telecommunication Licensing Directive No. 792/2021.