It is reported that importers face difficulty in obtaining foreign exchange, particularly those that import goods for domestic sale. The National Bank of Ethiopia (NBE) administers a strict foreign currency regulatory regime. Furthermore, while larger firms, state-owned enterprises, and manufacturing industries are reported to have not faced major problems in obtaining foreign exchange, the remaining firms face burdensome delays in arranging trade-related payments. An importer must apply for an import permit and obtain a letter of credit for the total value of the imports before an order can be placed.

It is reported that the national standards for payment security deviate from international standards as there is no clearly prescribed standard that financial institutions need to apply. The laws that regulate the banking or payment systems in Ethiopia do not refer to international standards such as ISO/IEC, EMV, payment tokens or 3D Secure. Furthermore, neither the National Digital Payment Strategy nor the Revised Bank Risk Management Guideline of the National Bank of Ethiopia explicitly states that the above-mentioned international standards are applied locally.

It is reported that the de minimis threshold, that is the minimum value of goods below which customs do not charge duties, is USD 25, below the 200 USD threshold recommended by the International Chamber of Commerce (ICC).

According to Art. 82.1 of the Commercial Code No. 1243/2021 and Art. 22.1 of the Commercial Registration & Licensing Proclamation No. 980/2016, any Ethiopian or foreign person or company carrying out commercial activities within Ethiopia shall be registered and then licensed in the country. In addition, according to Art. 40 of the Commercial Registration and Licensing Proclamation No. 980/2016, any foreign chamber of commerce may open its branch office in Ethiopia upon presenting a certificate of legal personality issued in the country of registration, memorandum, and article of association submitted there and their detailed activities in Ethiopia and upon approval getting registered with the Ministry. However, foreign investors who invest in Ethiopia and from an association, that association shall be registered by the authority that is legally established to administer investment at the federal level.

Ethiopia lacks a comprehesive framework for consumer protection that applies to online transactions.

Ethiopia has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Ethiopia has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

According to Art. 3 of the Telecom Fraud Offences Proclamation, the import, assembly, sale, manufacturing, or even use of any telecom equipment (which includes any apparatus and software used for telecom services) without a prior permit from the government is prohibited. Failure to comply with this rule is a crime punishable with imprisonment and a fine.

Ethiopia has not joined any free trade agreement committing to open transfers of cross-border data flows.

Ethiopia does not have a comprehensive regime in place for all personal data, but it has sectoral regulations. These include, for instance, laws regulating the financial sector and others, which confer authority on various bodies to safeguard privacy. Notably, the Communication Services Proclamation No. 1148/2019 establishes the Ethiopian Communication Authority, which is tasked with promoting data privacy. Moreover, the Constitution of the Federal Democratic Republic of Ethiopia of 1995 enshrines the right to privacy.
In a significant development, it was reported that in April 2024, the Ethiopian Parliament approved Proclamation No. 1321/2016 concerning the Personal Data Protection Bill. If enacted, this legislation will introduce comprehensive provisions for data subject rights, data processing principles, and the establishment of an independent supervisory authority. Additionally, the Bill will impose restrictions on the transfer of data to third-party jurisdictions and introduce requirements such as the appointment of a DPO, the reporting of data breaches, and the performance of DPIAs.

Under Art. 24 of the Computer Crime Proclamation No. 958/2016, all service providers must retain the computer traffic data disseminated through their computer systems or traffic data relating to data processing or communication services for one year. Service provider is defined as a person who provides technical data processing or communication service or alternative infrastructure to users by means of computer system.

Art. 29 .1 of the Electronic Signature Proclamation No. 1072/2018 requires that any certificate provider for electronic signatures shall keep custody of any information related to certificate issuance, suspension, revocation or related services for two years. Any certificate provider who fails to keep custody of the above information shall be punished with a fine up to 150,000.00 ETB (approx. 2900 USD). Art. 25 (3) states that the certificate provider shall retain a copy of the subscribers’ encryption key at all times. Art. 18 (2) of the same law states that a certificate provider who wishes to terminate its certification service shall transfer its subscriber certificates and related records to another certificate provider or authority. A certificate provider is a business entity that issues digital certificates and provides encryption services and time stamp services.

The Computer Crime Proclamation No. 958/2016, and the Electronic Transaction Proclamation 1205/2020 establish a safe harbour regime for intermediaries for copyright infringements. According to Art. 16 of the Computer Crime Proclamation, intermediaries are shielded from liability unless they are directly involved in disseminating or editing criminal content data, or fail to take necessary measures to remove or disable access to illegal content data upon becoming aware of its existence. Additionally, Art. 23 of the Electronic Transaction Proclamation specifies that intermediaries cannot be held liable for transmitted information provided they do not monitor online communication, initiate transmissions, select receivers, or modify transmitted information.
Furthermore, Art. 24 absolves intermediaries from liability for the temporary storage of electronic records if such storage aims to facilitate efficient transmission of electronic messages to recipients who requested them. Moreover, Art. 25 extends protection to hosting service providers, relieving them of liability for damages resulting from stored information if they are unaware of any harm or take immediate action upon becoming aware of it.

"The Computer Crime Proclamation No. 958/2016, and the Electronic Transaction Proclamation 1205/2020 establish a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 16 of the Computer Crime Proclamation, intermediaries are shielded from liability unless they are directly involved in disseminating or editing criminal content data, or fail to take necessary measures to remove or disable access to illegal content data upon becoming aware of its existence. Additionally, Art. 23 of the Electronic Transaction Proclamation specifies that intermediaries cannot be held liable for transmitted information provided they do not monitor online communication, initiate transmissions, select receivers, or modify transmitted information.
Furthermore, Art. 24 absolves intermediaries from liability for the temporary storage of electronic records if such storage aims to facilitate efficient transmission of electronic messages to recipients who requested them. Moreover, Art. 25 extends protection to hosting service providers, relieving them of liability for damages resulting from stored information if they are unaware of any harm or take immediate action upon becoming aware of it.

Art. 51 of the Communication Services Proclamation orders telecommunications operators to register all SIM cards and to establish a National Subscriber Registry containing subscriber information, as the Authority may request them for different purposes, including national security.
According to Art. 7 of Directive No. 799/2021 on SIM card registration, all new SIM card users must be identified and registered in the official database of their telecommunications provider. Users are required to provide their full name, driver's license or passport, nationality, date of birth, gender, physical address, postal address, a recent photograph, and any available biometric data. Additionally, an identification card of the person procuring the service must be submitted.