Ethiopia is reported to experience regular logistical delays due in part to inefficiencies in the customs process, which significantly affect the import process. In addition, monopolistic conditions in the multimodal transport market and insufficient infrastructure make it difficult for private-sector logistics companies to operate. Logistics costs usually represent between 22% and 27% of the final cost of the product, and transport and freight costs are 60% higher than in neighbouring countries. Customs administrative difficulties are compounded by the fact that Ethiopia is landlocked, and more than 90% of its foreign trade depends on a single port in Djibouti, which suffers from inadequate infrastructure and inefficient customs procedures.

The legal framework on standards does not allow for self-certification for radio transmission, electromagnetic interference (EMI) or electromagnetic compatibility (EMC) through a Supplier Declaration of Conformity (SDoC) for both domestic and foreign business. However, Article 23.5 of the Communications Proclamation No. 1148/2019 states that the Authority may conduct a stakeholder consultation to permit the importation and use of radiocommunication and telecommunications equipment that has been approved by internationally recognised testing bodies that the Authority may designate by a Directive.

According to Art. 41 of the Electronic Transaction Proclamation, e-commerce operators are regarded as one form of commercial entity. Hence, the laws that regulate other commercial activities apply, including the Commercial Code, which requires a licence to operate.

Art. 51 of the Communication Services Proclamation orders telecommunications operators to register all SIM cards and to establish a National Subscriber Registry containing subscriber information, as the Authority may request them for different purposes, including national security.
According to Art. 7 of Directive No. 799/2021 on SIM card registration, all new SIM card users must be identified and registered in the official database of their telecommunications provider. Users are required to provide their full name, driver's license or passport, nationality, date of birth, gender, physical address, postal address, a recent photograph, and any available biometric data. Additionally, an identification card of the person procuring the service must be submitted.

Section 16.6 of Directive No. 832/2021 mandates that the processing of consumers' personal data in the realm of telecommunications services must be confined to servers or data centres located within Ethiopia.

Art. 22 of the "Personal Data Protection Proclamation No. 1321/2024" establishes a strict data localisation requirement, mandating that all personal data collected or obtained in Ethiopia must be stored on servers or data centres located within the country. Moreover, the law states that the Ethiopian Communications Authority is empowered to designate certain categories of personal data as critical, which must be processed exclusively within Ethiopia. In addition, any cross-border transfer of sensitive personal data requires prior authorisation from the Authority. Complementing this, Arts. 18 to 21 regulate international data transfers more broadly. Art. 18 permits transfers only if the receiving jurisdiction ensures an appropriate level of protection. Art. 19 outlines the criteria for assessing adequacy, including the nature of the data, the purpose and duration of processing, the legal framework of the destination country, and its professional and security standards. If adequate protection is lacking, the Authority may still authorise limited transfers under Art. 19.3, provided the data subject’s rights are not compromised. Art. 20 allows transfers based on explicit informed consent, contractual necessity, legal obligations, or public register disclosures. Art. 21 empowers the Authority to demand evidence of effective safeguards and to prohibit or suspend transfers if data subjects’ rights and freedoms are at risk.

Ethiopia has not joined any free trade agreement committing to open transfers of cross-border data flows.

The Personal Data Protection Proclamation No. 1321/2024 establishes a comprehensive framework for data protection in Ethiopia. It sets out the rights of data subjects and principles governing data processing, and it establishes an independent supervisory authority, the Ethiopian Communications Authority. Also, the Proclamation imposes restrictions on data transfers to third-party jurisdictions and introduces requirements to appoint a data protection officer, report data breaches, and conduct a data protection impact assessment (DPIA). In addition, various existing laws and regulations address aspects of data privacy, including the Constitution of the Federal Democratic Republic of Ethiopia (1995), which recognises a right to privacy, legislation regulating the financial sector, and provisions imposing sanctions for breaches of privacy-related obligations. These legal instruments confer powers on several authorities to safeguard privacy, such as the Communication Services Proclamation No. 1072/2018.

Under Art. 24 of the Computer Crime Proclamation No. 958/2016, all service providers must retain the computer traffic data disseminated through their computer systems or traffic data relating to data processing or communication services for one year. Service provider is defined as a person who provides technical data processing or communication service or alternative infrastructure to users by means of computer system.

Art. 29 .1 of the Electronic Signature Proclamation No. 1072/2018 requires that any certificate provider for electronic signatures shall keep custody of any information related to certificate issuance, suspension, revocation or related services for two years. Any certificate provider who fails to keep custody of the above information shall be punished with a fine up to 150,000.00 ETB (approx. 2900 USD). Art. 25 (3) states that the certificate provider shall retain a copy of the subscribers’ encryption key at all times. Art. 18 (2) of the same law states that a certificate provider who wishes to terminate its certification service shall transfer its subscriber certificates and related records to another certificate provider or authority. A certificate provider is a business entity that issues digital certificates and provides encryption services and time stamp services.

Section 40 of the Personal Data Protection Proclamation stipulates that a data controller or processor engaged in the large-scale processing of personal data—particularly sensitive data or information related to public authorities—must designate or appoint a data protection officer. In addition, Section 47 mandates the conduct of data protection impact assessments for processing activities that are likely to significantly affect the rights and freedoms of data subjects. Such activities include automated processing producing legal effects, large-scale processing of sensitive personal data, systematic monitoring of public spaces, or any other processing requiring prior consultation with the supervisory authority.

The Computer Crime Proclamation No. 958/2016, and the Electronic Transaction Proclamation 1205/2020 establish a safe harbour regime for intermediaries for copyright infringements. According to Art. 16 of the Computer Crime Proclamation, intermediaries are shielded from liability unless they are directly involved in disseminating or editing criminal content data, or fail to take necessary measures to remove or disable access to illegal content data upon becoming aware of its existence. Additionally, Art. 23 of the Electronic Transaction Proclamation specifies that intermediaries cannot be held liable for transmitted information provided they do not monitor online communication, initiate transmissions, select receivers, or modify transmitted information.
Furthermore, Art. 24 absolves intermediaries from liability for the temporary storage of electronic records if such storage aims to facilitate efficient transmission of electronic messages to recipients who requested them. Moreover, Art. 25 extends protection to hosting service providers, relieving them of liability for damages resulting from stored information if they are unaware of any harm or take immediate action upon becoming aware of it.

"The Computer Crime Proclamation No. 958/2016, and the Electronic Transaction Proclamation 1205/2020 establish a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 16 of the Computer Crime Proclamation, intermediaries are shielded from liability unless they are directly involved in disseminating or editing criminal content data, or fail to take necessary measures to remove or disable access to illegal content data upon becoming aware of its existence. Additionally, Art. 23 of the Electronic Transaction Proclamation specifies that intermediaries cannot be held liable for transmitted information provided they do not monitor online communication, initiate transmissions, select receivers, or modify transmitted information.
Furthermore, Art. 24 absolves intermediaries from liability for the temporary storage of electronic records if such storage aims to facilitate efficient transmission of electronic messages to recipients who requested them. Moreover, Art. 25 extends protection to hosting service providers, relieving them of liability for damages resulting from stored information if they are unaware of any harm or take immediate action upon becoming aware of it.

It is reported that there is no obligation for passive infrastructure sharing in Ethiopia to deliver telecom services to end users, and it is not practised in the mobile sector and in the fixed sector based on commercial agreements.

Ethio-Telecom is the incumbent telecom provider and it remained the only provider until recently with the coming into force of the Proclamation No. 1148/2019. The company is fully state-owned.