Art. 5 (1. e) of Investment Regulation No. 474/2020 (which implements the Investment Proclamation No. 1180/2020) reserves some areas of investment, including advertisement and promotion for joint investment with domestic investors only. According to Section 3.3 of the regulation, the scope of the law includes advertisements disseminated through the internet website being designed in Ethiopia or abroad. Previously, there was a ban on foreign investment in the advertising sector.

According to Art. 82.1 of the Commercial Code No. 1243/2021 and Arts. 5.1 & 22 of the Commercial Registration & Licensing Proclamation No. 980/2016, any Ethiopian or foreign person or company carrying out commercial activities within Ethiopia shall be registered and then licensed.

The importation of telecommunication equipment requires authorisation by the government. The Communication Services Proclamation No. 1148, under Art. 23, gives broad powers to the Ethiopian Communication Authority to regulate the importing of any telecommunication equipment to the country. It is prohibited to manufacture, import, or distribute radiocommunications and telecommunications equipment that requires the Authority’s technical efficacy assurance without obtaining prior approval of the Authority.

Proclamation 808/2013 mandates the Information Network Security Agency (INSA) to control the import and export of information technologies, build an IT testing and evaluation laboratory centre and regulate cryptographic products and their transactions.

According to Art. 3 of the Telecom Fraud Offences Proclamation, the import, assembly, sale, manufacturing, or even use of any telecom equipment (which includes any apparatus and software used for telecom services) without a prior permit from the government is prohibited. Failure to comply with this rule is a crime punishable with imprisonment and a fine.

Ethiopia is reported to experience regular logistical delays due in part to inefficiencies in the customs process, which significantly affect the import process. In addition, monopolistic conditions in the multimodal transport market and insufficient infrastructure make it difficult for private-sector logistics companies to operate. Logistics costs usually represent between 22% and 27% of the final cost of the product, and transport and freight costs are 60% higher than in neighbouring countries. Customs administrative difficulties are compounded by the fact that Ethiopia is landlocked, and more than 90% of its foreign trade depends on a single port in Djibouti, which suffers from inadequate infrastructure and inefficient customs procedures.

The legal framework on standards does not allow for self-certification for radio transmission, electromagnetic interference (EMI) or electromagnetic compatibility (EMC) through a Supplier Declaration of Conformity (SDoC) for both domestic and foreign business. However, Article 23.5 of the Communications Proclamation No. 1148/2019 states that the Authority may conduct a stakeholder consultation to permit the importation and use of radiocommunication and telecommunications equipment that has been approved by internationally recognised testing bodies that the Authority may designate by a Directive.

According to Art. 41 of the Electronic Transaction Proclamation, e-commerce operators are regarded as one form of commercial entity. Hence, the laws that regulate other commercial activities apply, including the Commercial Code, which requires a licence to operate.

Art. 51 of the Communication Services Proclamation orders telecommunications operators to register all SIM cards and to establish a National Subscriber Registry containing subscriber information, as the Authority may request them for different purposes, including national security.
According to Art. 7 of Directive No. 799/2021 on SIM card registration, all new SIM card users must be identified and registered in the official database of their telecommunications provider. Users are required to provide their full name, driver's license or passport, nationality, date of birth, gender, physical address, postal address, a recent photograph, and any available biometric data. Additionally, an identification card of the person procuring the service must be submitted.

Section 16.6 of Directive No. 832/2021 mandates that the processing of consumers' personal data in the realm of telecommunications services must be confined to servers or data centres located within Ethiopia.

Art. 22 of the "Personal Data Protection Proclamation No. 1321/2024" establishes a strict data localisation requirement, mandating that all personal data collected or obtained in Ethiopia must be stored on servers or data centres located within the country. Moreover, the law states that the Ethiopian Communications Authority is empowered to designate certain categories of personal data as critical, which must be processed exclusively within Ethiopia. In addition, any cross-border transfer of sensitive personal data requires prior authorisation from the Authority. Complementing this, Arts. 18 to 21 regulate international data transfers more broadly. Art. 18 permits transfers only if the receiving jurisdiction ensures an appropriate level of protection. Art. 19 outlines the criteria for assessing adequacy, including the nature of the data, the purpose and duration of processing, the legal framework of the destination country, and its professional and security standards. If adequate protection is lacking, the Authority may still authorise limited transfers under Art. 19.3, provided the data subject’s rights are not compromised. Art. 20 allows transfers based on explicit informed consent, contractual necessity, legal obligations, or public register disclosures. Art. 21 empowers the Authority to demand evidence of effective safeguards and to prohibit or suspend transfers if data subjects’ rights and freedoms are at risk.

Ethiopia has not joined any free trade agreement committing to open transfers of cross-border data flows.

The Personal Data Protection Proclamation No. 1321/2024 establishes a comprehensive framework for data protection in Ethiopia. It sets out the rights of data subjects and principles governing data processing, and it establishes an independent supervisory authority, the Ethiopian Communications Authority. Also, the Proclamation imposes restrictions on data transfers to third-party jurisdictions and introduces requirements to appoint a data protection officer, report data breaches, and conduct a data protection impact assessment (DPIA). In addition, various existing laws and regulations address aspects of data privacy, including the Constitution of the Federal Democratic Republic of Ethiopia (1995), which recognises a right to privacy, legislation regulating the financial sector, and provisions imposing sanctions for breaches of privacy-related obligations. These legal instruments confer powers on several authorities to safeguard privacy, such as the Communication Services Proclamation No. 1072/2018.

Under Art. 24 of the Computer Crime Proclamation No. 958/2016, all service providers must retain the computer traffic data disseminated through their computer systems or traffic data relating to data processing or communication services for one year. Service provider is defined as a person who provides technical data processing or communication service or alternative infrastructure to users by means of computer system.

Art. 29 .1 of the Electronic Signature Proclamation No. 1072/2018 requires that any certificate provider for electronic signatures shall keep custody of any information related to certificate issuance, suspension, revocation or related services for two years. Any certificate provider who fails to keep custody of the above information shall be punished with a fine up to 150,000.00 ETB (approx. 2900 USD). Art. 25 (3) states that the certificate provider shall retain a copy of the subscribers’ encryption key at all times. Art. 18 (2) of the same law states that a certificate provider who wishes to terminate its certification service shall transfer its subscriber certificates and related records to another certificate provider or authority. A certificate provider is a business entity that issues digital certificates and provides encryption services and time stamp services.