Regulation 5 of the Communications (Subscriber Identity Module Registration) Regulations mandates that licensees must retain the subscriber information obtained during registration. According to Regulation 2, a licensee is defined as an entity licensed by the Authority to provide and facilitate communication services, commonly referred to as a network operator or service provider. Subscriber information encompasses the personal details of a subscriber that are recorded and stored by a licensee. Regulation 14 further requires licensees to maintain a record of subscriber details that have been electronically verified by the National Identity and Civil Registry.
In addition, under Regulations 10 and 23, licensees are required to retain records of any deactivation, deregistration, and SIM swap information. SIM swap information must be kept in a traceable database for a period prescribed by the Authority.
According to Regulation 15:
- When the subscriber is a company, the licensee must retain details of both the company and its authorised representative.
- When the subscriber is a company employee, and the company is under contract with the licensee, the licensee must retain details of both the company and the employee.
- When the subscriber is an institution, the licensee must retain details of both the institution and its representative.
- When the subscriber is a child, the licensee must retain details of both the child and the parent or guardian.
- When the subscriber is a visitor, the licensee must retain the visitor's personal details.
- When the subscriber is a foreigner, the licensee must retain the foreigner's personal details.
- When the subscriber is a refugee, the licensee must retain details of the refugee.
- When the subscriber is a diplomat, the licensee must retain the diplomat's personal details.

Section 58 of the Data Protection Act obligates every data controller to appoint one or more Data Protection Officers. Moreover, Section 20 sets out a reciprocal security obligation on both data controllers and their data processors to secure data in their possession or control 'by adopting appropriate, reasonable, technical and organisational measures to prevent loss, damage, or unauthorised destruction, and unlawful access to, or unauthorised processing of data'.

A basic legal framework on intermediary liability for copyright infringement is absent in Lesotho's law and jurisprudence.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Lesotho's law and jurisprudence.

Regulation 7 of the Communications (Subscriber Identity Module Registration) Regulations of 2021 requires licensees (entities licensed by the Lesotho Communications Authority to provide and facilitate communications services) to register subscriber information. Licensees must capture, register, and retain the personal information of subscribers who request SIM registration and activation, following the registration specifications, at no cost to the subscriber.

Type approval procedures are regulated by the Lesotho Communications Authority (LCA). It is reported that the conformity requirements are similar to those of the European Union (Declaration of conformity according to EU directive 2014/53/EU). The homologation process in Lesotho does not require local laboratory testing or contact with local representatives.

Lesotho has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

According to the Lesotho Telecommunications Act, the Lesotho Communications Authority (LCA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Section 52 of the Data Protection Act of 2012 provides that the transfer of personal information abroad is permitted when the laws of the destination country are substantially similar to the information protection principles in Lesotho or when other conditions are met, including the data subject consent to the transfer, the use of binding corporate rules, or the necessity of the transfer for the performance of a contract between the data subject and data controller.

Lesotho has not joined any free trade agreement committing to open transfers of cross-border data flows.

It is reported that Lesotho procurement laws and policies require that entities have to first register as legal entities, apply for trading licenses, and register with the Lesotho Revenue Authority for tax purposes in order to apply for public procurement.

Lesotho is a party to the Patent Cooperation Treaty (PCT).

Lesotho has a copyright regime under the Copyright Order of 1989. However, the exceptions do not follow the fair use or fair dealing model, therefore limiting the lawful use of copyrighted work by others. Art 20 lists the exceptions, which include personal and teaching purposes, borrowing expressions of folklore for creating an original work of an author or authors inspired by folklore, among others.

Lesotho has not signed the World Intellectual Property Organization (WIPO) Copyright Treaty.

Lesotho has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.